tcs ig guidance mar 11 v1.0 13 april 2011


  • 8/6/2019 TCS IG Guidance Mar 11 v1.0 13 April 2011

    1/24

    Transforming Community Services

    Some Key Issues in Information Governance

    Introduction

The Transforming Community Services (TCS) programme includes changes in organisational arrangements and developing the usage of information and the associated infrastructure to focus and improve services.

The interaction of the organisational arrangements and the use of, and access to, patient data and records through different models of information management facilities leads to the need to be clear about the associated Information Governance (IG) arrangements. These allow for protecting and enabling effective use of the data of patients or service users or clients (mainly referred to as patients for simplicity throughout the rest of this paper, but intended to imply service users and clients as well).

A range of organisational models [1] are emerging, including Community Foundation Trust; Social Enterprise; Vertical Integration, i.e. to support different parts of the patient pathway, e.g. with an NHS Provider Trust via Joint Venture, Community Interest Company or S75 Agreement; Horizontal Integration, i.e. to cover the same part of the pathway, e.g. with similar providers and/or Local Authorities (LA) via S75 partnership agreement; and mixtures of the above to provide the full range of services.

Patient records and data (in paper or electronic form) have to be included in the formal arrangements and agreements involved in transferring services from Primary Care Trusts (PCTs) to Receiving Organisations in order that the Receiving Organisation can perform its functions. It is crucial that the IG aspects of transferring records and data are also considered in such agreements. This paper sets out some of the key IG issues to be considered to enable the informatics aspect of TCS to be undertaken successfully.

The legal status of some Receiving Organisations will change during the period that the community services transformation is taking place. The legal status is material in the transfer of responsibility for records and data, and the transfer should not occur until the Receiving Organisation is a legal entity, which also brings the need to implement the associated IG obligations.

    Provision of information management capability

The staff working in the various organisation models will be expected to access patient records and use IT equipment to collect, store, organise and manage data about patients. Such capability can be provided in a variety of ways, including:

    In-house

    NHS based shared services

    External contracted services e.g. Local Service Provider (LSP) supplied

PCT owned and licensed software, including NHS enterprise wide agreements (effectively free software whilst existing contracts operate).

The first three are common arrangements in the NHS for providing such services. The organisational models appearing through TCS indicate that the existing pattern of supply of capability and services will be challenged to meet the needs of the new organisations.

The fourth way offers the opportunity for a PCT to 'own and license' and thereby provide software (that has already been paid for by the NHS or is free) to providers without such facilities or from outside the NHS, who may not have access to Enterprise Wide Agreements etc. This potentially enables a variety of the emerging organisational models to be supported and has several advantages, such as enabling multiple small service providers simultaneously or a single external supplier, allowing service suppliers to be changed, and keeping costs down. This also means that the information and the system capability may be retained for the local health economy irrespective of the community service provider arrangements.

[1] Transforming Community Services: enabling new patterns of provision; see http://www.dh.gov.uk/prod_consum_dh/groups/dh_digitalassets/documents/digitalasset/dh_093196.pdf

64941549.doc Author: Wally Gowing Page 1


in capacity and capability, where the commissioners' contracts for services should retain the right to transfer records and data to successor organisations. In such cases, it may be sensible to transfer recent records and data relating to recent activity (e.g. the last 2 years) and not to transfer archive data, which would add to the burdens of the new organisation. Such archive data would continue to be the responsibility of the PCT as Data Controller.

However, in general, records and data about individuals whose services are being transferred should not be orphaned, i.e. some part left behind at the PCT or the PCT's Data Processor, as they are clearly the responsibility of the Receiving Organisations - see Section 1.7.

    1.3 System ownership

The issue of "Who owns the system supporting delivery of community services?" should not be relevant or have impact for TCS as long as ownership does not assume the right of access to data or data controller rights; for example, LSPs are system owners for much data processed for the NHS.

There is an issue with existing community systems where these have been operated by PCTs utilising software made available under volume licence agreements with organisations such as Microsoft through Connecting for Health (CFH). It is possible to move forward with the model of the PCT/Commissioner 'owning' or 'licensing' software and systems for use by a new community service provider; this is legitimate from an IG viewpoint as long as relevant IG 'rules'/constraints are met, in which the PCT/Commissioner does not have access to the data at individual patient level.

    CFH can provide copies of the licensing arrangements and forms for any required transfers.

    1.4 Data Controller

There must be clarity about who/which organisation is the Data Controller for the transferred records and data in order to exercise the responsibility for which personal data can be processed and how; see Appendix 1 for definitions. In effect the Data Controller must be the organisation which determines the purposes for which and the manner in which any personal data are, or are to be, processed [4]; in this case in support of provision of care or undertaking analysis etc. This means for instance that a PCT can own a system, but the Receiving Trust, having the responsibility for patients and their information, must be the Data Controller.

Any organisation registering with the Information Commissioner as a data controller must assume full responsibility for managing patient information held on relevant systems (e.g. RiO in London), some of which will be in active use and some a historic record of care.

Organisations can be data controllers jointly if they act together to decide the purpose and manner of any data processing. This can occur within the NHS and may be pertinent in some instances arising from changes associated with TCS.

    1.5 Data Processing

There must be clarity about whom/which organisation acts as Data Processor for/on behalf of the Data Controller for data transferred as part of TCS; this may be the same organisation, a shared service or an external contractor (e.g. LSP); there may be more than one Data Processor. A Data Processor must be part of a legal entity, as liability for failing to meet the legal obligations of the DPA must be accepted and indemnified against.

If the Data Processor is in an organisation separate from the Data Controller, then formal contracts (with schedules for specific services, performance etc.) must be used.

If a Data Processor is providing services to a consortium of NHS organisations hosted by one of the NHS organisations, contracts must be held with each of the NHS organisations for the relevant Data Processing, for which each NHS organisation is the Data Controller.

[4] As defined in the Data Protection Act 1998; see footnote 2.


    1.6 Notification to the Information Commissioner

PCTs and the Receiving Organisations consequent on TCS must notify the ICO annually of their processing of personal data. The notifications for 2011 will need to include any additional or reduced data processing to be carried out by relevant organisations for the changes occurring because of TCS.

1.7 Orphaned records and data

Transfer of records and data arising from TCS should be included in, and be regarded as, a transfer of assets in much the same way as staff or hardware, and such records and data cannot be orphaned; this applies to both electronic and paper records. When PCTs transfer responsibility for their services and the legal liability for the care provided, the data and records controlled by the PCTs and the related responsibility also have to be transferred to the new body responsible for delivering the services.

If the Receiving Organisation does not want to take all of the historical data then, if the relevant retention period for the type of record has been reached, such data can be securely destroyed prior to transfer, or archived if the data remain relevant. If the data are archived, then responsibility for the data's continued existence must be clarified at the point of archiving and must reside with a suitable legal entity.

For data which have not reached the retention period expiry date, responsibility for the data should be transferred to the Receiving Organisation along with the other responsibilities passed over by the PCT. If such data were to be destroyed inappropriately it would leave the Receiving Organisation defenceless in terms of having evidence mitigating its liability. A court could view such destruction as evidence of the body seeking to shirk its responsibilities.

If a new body does not want historical data in its records then the data do not need to move, but there would need to be a new data processing contract with the current data processor to retain the data as an archive for the prescribed retention period and then either public records archiving or destruction.

If orphaned records are to be archived, then there needs to be agreement and clarity between organisations on the specific responsibilities in meeting the various legal obligations that may arise. These responsibilities include the situation where a patient moves from inactive to active through supply of community services; subject access requests under the DPA; where litigation arises; or where records are requested by Courts or the police. A sample agreement is attached as Appendix 2, based on an agreement developed in the Liverpool/Sefton area. This followed from the splitting of a PCT's community services between 2 Receiving Organisations and the decision not to transfer inactive records.

    1.8 Information Sharing

    1.8.1 Information Sharing Protocols

Information sharing is necessary to support patient care across organisations and where single instances of software are used by multiple providers. Many NHS organisations have staff employed by other organisations using their patient information systems. The usual ways to manage this relationship are through any one of the following:

    Acceptable Use Policy signed when a user starts to access the system

Honorary contracts and/or third party agreement when the staff member does not work for the organisation that is the Data Controller

Information Sharing Protocols or Data Sharing Agreements, including Subject Specific Information Sharing Agreements.

Information Sharing Protocols (ISP) enable organisations to share data and information about patients and are typically used to support care pathways (e.g. Greater Manchester ISP [5], Surrey Multi Agency ISP [6], and Pan Birmingham Cancer Network ISP [7]). Sharing information about individuals between public authorities is often essential in order to keep people safe, or ensure they get the best services. This sharing must only happen when it is legal and necessary to do so to provide services to the patients and when adequate safeguards are in place to protect the security of the information. This means that the same rules and restrictions apply to access to identifiable data by an ISP organisation as in the originating organisation. As ISPs can enable access to identifiable data, such ISPs must be signed off by relevant Caldicott Guardians on behalf of the Data Controller organisations.

[5] http://www.penninecare.nhs.uk/legal/gmigg/

    A generic sample ISP for sharing information with other organisations is shown in Appendix 3.

    1.8.2 Information Sharing for TCS

The implementation of the records and information aspects of TCS should be supported through the use of relevant ISPs and confidentiality agreements. These can be split into 3 areas:

    Pre Transfer ISP

    Post Transfer ISP

    Staff Confidentiality Agreement (to be used during the TCS change project)

Sample documents are shown in Appendix 4. These documents have been developed by Manchester PCT and reflect the fact that Manchester PCT will continue to operate the Community system for use by a variety of provider Trusts. Whilst this may not be a typical situation, the purpose and principles of the ISPs and confidentiality agreement, especially the Pre-Transfer ISP, are relevant wherever data and record transfers are due to take place and whatever organisational change arrangements are planned. The documents provide templates for development of local ISPs and agreements as required.

In addition to the ISPs above, there may be Subject Specific Information Sharing Agreements (SSISA) to supplement any overarching ISPs by giving the details of sharing of specific sets of data for specific purposes.

A particular example of this is that future versions of RiO (used for community and mental health services in London) will include a function for a user of one organisation's RiO system to see data held for a patient on another organisation's RiO application (RiO2RiO) as long as the patient has given consent. This will be supported by a SSISA for trusts that use this function, and the SSISA document will spell out the obligations for use of this form of integration.

    1.9 Primary use versus secondary use

Systems that support the delivery of care and record, for example, clinical data as part of the patient record will largely operate for these primary purposes. The use of data to support analysis of activity or commissioning processes is regarded as for secondary purposes, as are the associated systems. For primary use purposes, data can be accessed in identifiable form.

However, secondary use should utilise de-identified data, and currently most NHS organisations and systems are unable to meet this basic DPA and Common Law of Confidentiality requirement in respect of secondary use. The NHS currently utilises a Section 251 approval to allow use of identifiable data. This approval is reviewed on an annual basis, but will be withdrawn as the NHS implements de-identification facilities and capabilities, which is IGT Requirement 8-324.

Guidance and further information on implementation of de-identification for secondary use is available from the CFH and IC websites [8].

[6] http://www.surreycc.gov.uk/sccwebsite/sccwspages.nsf/LookupWebPagesByTITLE_RTF/Information+sharing+protocol+for+multi+agency+staff?opendocument

[7] http://birminghamcancer.co.uk/viewdoc.ashx?id=4Zi5qNWy9bMrNbFeKqwo6A%3D%3D

[8] http://www.connectingforhealth.nhs.uk/systemsandservices/sus/delivery/pseudo

    1.10 Health data and Social Services systems

Some Receiving Organisations may determine to use systems utilised by Social Services for data processing. Organisations need to be aware of the differences between the basis on which health related data and social services related data are obtained, stored and processed. The major difference is that Social Services departments obtain consent of the service user/client prior to collection of personal data beyond demographic data, whereas explicit consent is not obtained for personal data collected through health service provision.

This means that a range of Social Services staff is able to access data within their systems on the basis that explicit consent has been obtained. If NHS health sourced data are added to the social services system, then access to the data should be restricted to those operating within the NHS, i.e. based on legitimate relationships of clinicians and related staff. If wider use of the data is to be made through the system, then explicit consent must be obtained for such use.

    1.11 Who accesses the transferred records and data

Identifiable data - Access to identifiable patients' health records and identifiable data on systems should be restricted to members of:

clinical teams in the delivery of the patient's care; these should operate against professional standards with retrospective monitoring and audit

    services that support provision of care services, such as patient administration

    services that support systems holding identifiable data

safe haven users, responsible for data quality and the provision/receipt of data with other bodies.

Secondary usage of data should be undertaken with de-identified data to meet IGT 8-324. Wherever possible, data should be provided in aggregate or tabulated form to avoid use at individual patient level. Access at patient level for secondary use should be restricted to staff who have legitimate reasons for such use.

1.12 Access Controls and User Registration

Systems containing community services data should have access controls in line with meeting the NHS Code of Confidentiality; this can be assessed by the level of conformance with the IG Toolkit. Typically, access control will involve fine-grained access control to compartmentalise users, the data and the views of data that they should have access to. Such access controls should operate:

at an organisational level, as modified by any inter-organisational information sharing protocols (i.e. only see data relevant to patients within the user's organisation)

at a user role level, e.g. a clinician sees their patients only, to support care provision; support staff can see all relevant data for all patients; a safe haven user can see all patients for data quality purposes; secondary use users can only see secondary use views.

User registration will depend on the types of system being used, for example whether local or LSP supplied, and should be pursued with those responsible for user registration within the Receiving Organisation. CFH have issued guidance on smart card migration for Spine systems [9].

    1.13 Avoiding inadvertent unauthorised data access

It is possible to conceive of situations resulting from TCS where issues will arise from not archiving data, or where information-sharing arrangements are not accompanied by adequate access control regimes. Such a scenario might be where PCT Trust A's community services data is processed by a Data Processor, say a LSP. Trust A's services may be transferred to Trusts B and C and some services may cease to be provided. The resulting data management should lead to archiving of the data relating to the discontinued services and separate

[9] http://www.connectingforhealth.nhs.uk/systemsandservices/data/sds/user-migration/OMS%20Process%20for%20User%20Migration%20FINAL%20ISSUED%20V%201.0.docx/view?searchterm=OMS%20Process%20for%20User%20Migration


For new patients/service users/clients of affected community services a Fair Processing notice can be used. Usually this takes the form of a leaflet entitled "How we use your information". The Notices in place at each organisation will need to be reviewed and any gaps identified for a new leaflet that would need to be in place when the services are taken over by the Receiving Trust. The leaflet should be sent out with all first appointments and should be distributed at service points throughout the organisation.

In addition, all current patients/service users/clients of affected community services must be informed of relevant changes. Consideration should be given to doing this effectively and in a coordinated manner so that the client is not receiving several communications from, e.g., the PCT and the Receiving Trust. It is probable that there will be a wider local communications process to inform about changes to services associated with TCS, and it would be helpful if the records, data and IG aspects were an integral part of that process.


    Implementing change

    1.18 Introduction & Implementation Examples

There appear to be a myriad of different possible combinations of organisational arrangements that could arise in TCS. It is not feasible to work through all the combinations. Some common issues are examined in the two scenarios below. The examples are intended to illustrate some of the issues that may arise and what IG steps need to be taken for organisations to remain legal in their use of patient data, or risk breaking the law and potential fines from the Information Commissioner's Office (ICO). Some relevant anecdotal evidence is provided to illustrate the issues.

    1.19 Sharing systems organisational issues

Scenario - Multiple units in different organisations share an operational/clinical system (such as SystmOne operated across practices and community service providers).

IG requirements - an individual organisation and their staff should only have access to the records/data that relate to patients they deal with, based on the equivalent to legitimate relationships, so such a system needs to be capable of providing sufficient levels of access control; providing staff from:

Practice - access to their patients only; differential access to records dependent on role within the practice, e.g. differences between GP and reception

PCT Provider/Community Provider - access to their patients only, and others via Information Sharing Protocol; differential access to records dependent on role within the provider, e.g. differences between clinician and reception

PCT Commissioner (assuming that they have access to the system) - should only have access to de-identified (pseudonymised) versions of the data for secondary use purposes (EMIS Web operates in this way: practices can see data about their patients in identifiable form, but staff in PCTs see the same data in pseudonymised form). A PCT Commissioner may need access to the system for Data Quality reasons as part of their safe haven function in support of their wider secondary use of data in their own data warehouse for contract & performance management etc. - but this only applies if the system (SystmOne in this instance) is in effect the main patient register at PCT level for the PCT Commissioner (previously undertaken through the Exeter system).

System requirements to meet DPA & NHS Policy - fine-grained access controls to distinguish between different organisations and different user types and the categories of data that can be accessed, plus audit facilities to check on who has accessed what records.

    1.20 Sharing systems inappropriate data access issues

Scenario - Extend the use of existing clinical/service delivery systems into other organisations in order to provide services, e.g. Community Trust system used by LA or another Community Trust.

IG requirements - an individual organisation and their staff should only have access to the records/data that relate to patients they deal with, based on the equivalent to legitimate relationships; providing staff from:

PCT Provider/Community Providers - data access should still be restricted on the basis of DPA & Caldicott to content, i.e. patients for that provider only, unless Information Sharing Protocols are in place, and should only allow all of a record to be seen by relevant authorised staff. Anecdotal evidence indicates that inappropriate access to records by administrative staff does occur [10].

PCT Commissioner (assuming that they have access to the system) - In this case, staff of the PCT should not have access to person level data; it may be suitable for instance for PCT staff to have access to the system for performance indicators and similar high level reporting.

System requirements to meet DPA & NHS Policy - fine-grained access controls to distinguish between different organisations and different user types and the categories of data that can be accessed, plus audit facilities to check on who has accessed what records.
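The controls that sections 1.12, 1.19 and 1.20 call for, written out as an added example that is not part of the guidance paper: organisation-level scoping modified by an ISP, role-level views, a pseudonymised secondary-use view for commissioners and an audit trail for retrospective review. Organisation names, roles, the patient records and the pseudonymisation key are constructed placeholders.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed demo key; a real deployment would hold this in the safe haven,
# not in source code.
PSEUDO_KEY = b"constructed-demo-key"

# Direct identifiers that never appear in a secondary-use view.
IDENTIFIERS = ("name", "dob", "address", "postcode")

# Information Sharing Protocols (section 1.8): the other organisations whose
# patients an organisation's staff may see. Organisation names are hypothetical.
ISP = {
    "TrustB": {"TrustC"},            # B and C share a community care pathway
    "PCT_A": {"TrustB", "TrustC"},   # commissioner's secondary-use access
}

audit_log: list = []   # every access attempt, granted or refused


@dataclass(frozen=True)
class Patient:
    nhs_number: str        # placeholder identifier, not a real NHS number
    org: str               # provider responsible for this patient's care
    care_team: frozenset   # user_ids with a legitimate relationship
    record: dict           # clinical record held in identifiable form


@dataclass(frozen=True)
class User:
    user_id: str
    org: str
    role: str              # clinician | support | safe_haven | secondary_use


def pseudonymise(patient: Patient) -> dict:
    """Secondary-use view: drop direct identifiers and replace the NHS number
    with a keyed hash, so records stay linkable without being re-identifiable
    by the viewer (the de-identification the paper cites as IGT 8-324)."""
    token = hmac.new(PSEUDO_KEY, patient.nhs_number.encode(), "sha256").hexdigest()[:16]
    view = {k: v for k, v in patient.record.items() if k not in IDENTIFIERS}
    view["pseudo_id"] = token
    return view


def in_scope(user: User, patient: Patient) -> bool:
    """Organisational-level control, modified by any ISP (section 1.12)."""
    return patient.org == user.org or patient.org in ISP.get(user.org, set())


def access_record(user: User, patient: Patient) -> Optional[dict]:
    """Apply organisation-level, then role-level control; audit every attempt.
    Returns the view the user may see, or None when access is refused."""
    view, reason = None, "outside organisational scope"
    if in_scope(user, patient):
        if user.role == "clinician":
            # Clinicians see only patients they have a legitimate relationship with.
            if user.user_id in patient.care_team:
                view, reason = patient.record, "member of care team"
            else:
                reason = "no legitimate relationship"
        elif user.role in ("support", "safe_haven"):
            # Patient administration and data-quality staff see all in-scope patients.
            view, reason = patient.record, user.role
        elif user.role == "secondary_use":
            # Never person-identifiable data for secondary purposes.
            view, reason = pseudonymise(patient), "secondary use (pseudonymised)"
        else:
            reason = "unknown role"
    audit_log.append({"user": user.user_id, "org": user.org, "role": user.role,
                      "patient": patient.nhs_number, "granted": view is not None,
                      "reason": reason})
    return view


def denied_attempts() -> list:
    """Retrospective monitoring: the audit entries a Caldicott review would examine."""
    return [entry for entry in audit_log if not entry["granted"]]


# Constructed sample patients; all values are placeholders.
PATIENTS = {
    "p1": Patient("0000000001", "TrustB", frozenset({"nurse_b1"}),
                  {"name": "Sample One", "dob": "1950-01-01", "postcode": "ZZ99 9ZZ",
                   "diagnosis": "placeholder", "last_contact": "2011-03-01"}),
    "p2": Patient("0000000002", "TrustC", frozenset({"nurse_c1"}),
                  {"name": "Sample Two", "dob": "1960-02-02", "postcode": "ZZ99 9ZY",
                   "diagnosis": "placeholder", "last_contact": "2011-02-15"}),
}

if __name__ == "__main__":
    nurse = User("nurse_b1", "TrustB", "clinician")
    analyst = User("analyst_a1", "PCT_A", "secondary_use")
    print(access_record(nurse, PATIENTS["p1"]))     # full record: own care team
    print(access_record(nurse, PATIENTS["p2"]))     # None: in scope via ISP, no relationship
    print(access_record(analyst, PATIENTS["p1"]))   # pseudonymised view only
    print("to review:", denied_attempts())
```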

[10] http://www.computerweekly.com/blogs/tony_collins/2010/05/tell-your-gp-a-secret---and-90.html


    1.21 Offsetting potential inappropriate data access issues

If the system requirements identified to meet DPA and NHS policy are not available in the short term, then steps must be taken to ameliorate the potential breaking of policy and laws. The following steps are likely to be required:

Ensuring that clinical staff are aware that they may have access to records for patients with whom they have no legitimate relationship, that professional ethics require them not to look at such records, and that such access can be audited (assuming that these basic facilities exist)

Sign off by the Caldicott Guardian on behalf of the organisation that the organisation is aware that such access may occur

Informing patients that for a limited period their records may be seen by clinicians who do not have responsibility for their care

    Informing the ICO that such a situation exists

    NB - The above assumes that non-clinical staff cannot access clinical records.


    Key questions

The issues set out above can be restated as a set of key questions and actions that apply to PCTs and Receiving Organisations. The impact that these questions and issues have will vary depending on the particular set of organisational changes being implemented, e.g. a Social Enterprise being created with new systems compared with a PCT with Community services moving to an existing Receiving Trust.

The questions need answering in the affirmative for the IG aspects of the organisational arrangement and associated systems to be potentially considered as being suitable. There may be other detailed points that prevent the IG arrangements being immediately sufficient and effective, but these should be soluble in the long term.

Q1. Are the organisations to which records and data are being transferred (and which are responsible for them as Data Controller) existing legal entities? (See section 1.2)

Q2. Are the datasets included in the formal statements on transfer of assets between organisations? There may be issues on timing about this, but reference to the need to transfer datasets and records should be made in the formal statements, with details clearly stated subsequently in related formal schedules. (See section 1.2)

Q3. Which organisation owns the system in terms of hardware and software and relevant licences? This organisation is the System Owner. The System Owner for data from transferred PCT provider arms may, for example, be a PCT, a LSP or a Trust. (See section 1.2)

Q4. Which organisation(s) determines the purposes for which the personal data in the system are used (e.g. what data is held and what reports and analyses are required to check what is happening to Mrs Smith)? This organisation is the Data Controller (which may also be the System Owner); there may be more than one Data Controller acting jointly. The Data Controllers for data from transferred PCT provider arms are expected to be the Receiving Organisations. (See section 1.4)

Q5. Which organisation is responsible for safeguarding and processing the data? This organisation is the Data Processor (which may also be the Data Controller). The Data Processors for data from transferred PCT provider arms will be the organisations undertaking data processing for the Receiving Organisations, such as the Receiving Trusts themselves, shared health informatics services (HIS) or LSPs. (See section 1.5)

Q6. Have Privacy Impact Assessments (PIAs) been undertaken for records, data and systems? In particular, have PIAs been undertaken in relation to sensitive services? (See section 1.14)

Q7. If different organisations are identified in Q1, Q2 and Q3, then are there suitable statements and service level agreements between the organisations to define roles etc.? (See section 1.5)

Q8. Have the PCT and the Receiving Organisations notified the ICO of changes to their data controller and data processing responsibilities? (See sections 1.6 & 1.16)

    Q9. Are any data orphaned as a result of the data transfer? If yes, are there appropriate data processing agreements in place? (See section 1.7)

    Q10. If data and information are shared between organisations or accessed across organisations, are relevant Information Sharing Protocols or Acceptable Use Policies and staff confidentiality agreements in place? Where necessary, are these supported by Subject Specific Information Sharing Agreements? (See section 1.8)

    Q11. Where there is orphaned data and information-sharing protocols are in place, have checks been made that inadvertent unauthorised access cannot be made to orphaned data or to records for patients for whom the service provider does not have responsibility? If such access can be made, relevant remedial steps are required. (See section 1.13)

    Q12. If a social services system is to be used to process health sourced personal data, are there appropriate safeguards on data access in place? If not, has explicit consent for the wider use of the data been obtained from the Data Subjects? (See section 1.10)

    64941549.doc Author: Wally Gowing Page 13

    Q13. Does the system fully support DPA requirements, Caldicott Principles and the NHS Code of Confidentiality? In particular, can user access be restricted to only those patients that the user should see, either on the basis of organisational responsibility or their care service provision responsibility? (See sections 1.11 & 1.12)

    Q14. If the answer to Q13 is no, then are steps being taken to offset potential inappropriate data access, e.g. only nominated social services staff can access health records and vice versa? (See sections 1.13 & 1.10)

    Q15. Are relevant RA and user registration mechanisms in place? (See section 1.12)

    Q16. Can the receiving organisation meet the DPA requirements of Subject Access requests and DPA S10 enquiries? (See section 1.15)

    Q17. Have patients been informed that their data has been transferred and (where appropriate) that additional staff may now access their records? Have Fair Processing notices been modified to reflect TCS induced changes? (See section 1.17)

    Q18. Have the organisations' IG policies and procedures been created/amended to reflect the new responsibilities resulting from implementing TCS? (See section 1.16 and, for a checklist of policies and procedures, see Appendix 5)

    Q19. Is additional IG training required for staff as part of TCS implementation? (See section 1.16)

    Appendix 1

    Key IG concepts and Examples

    Data controller - A data controller is a person (recognised in law, thus can be individuals, organisations or other corporate and unincorporated bodies of persons) who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

    In effect the data controller has full authority to decide how and why personal data is to be processed (this includes using, storing and deleting the data). When a body decides that it wishes to pass the personal data it holds to another organisation, the body is acting as a data controller as it has the authority to take this decision.

    Whether or not the receiving organisation is also a data controller will depend on whether or not the receiving organisation will have the authority to decide how and why the data will be stored, used and deleted. If the receiving organisation has considerable discretion in this area, it is a data controller.

    In relation to data controllers, the term "jointly" is used where two or more persons (usually organisations) act together to decide the purpose and manner of any data processing. The term "in common" applies where two or more persons share a pool of personal data that they process independently of each other.

    Data processor - A data processor is an organisation that processes personal data on behalf of another organisation. Processing includes reading, amending, storing and deleting.

    If a body passes personal data to an organisation, but retains the right to specify what should be done with that data, then the receiving organisation is a data processor. The original body is legally responsible for any breaches of the Data Protection Act committed by any data processor acting on its behalf.

    Examples - An Acute Trust running in-house IT and information services is both a Data Controller and a Data Processor; whilst a similar Trust using services from an LSP is the Data Controller whilst the LSP is a Data Processor.

    Caldicott Principles

    1. Justify the purpose(s)

    2. Do not use patient identifiable information unless it is absolutely necessary

    3. Use the minimum necessary patient-identifiable information

    4. Access to patient identifiable information should be on a strict need-to-know basis

    5. Everyone with access to patient identifiable information should be aware of their responsibilities

    6. Understand and comply with the law

    Caldicott Guardian - is a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information sharing. Each NHS organisation is required to have a Caldicott Guardian; this was mandated for the NHS by Health Service Circular HSC 1999/012 and covers all organisations that have access to patient records.

    Information Asset Owner (IAO) - will be a senior member of staff who is the nominated owner for one or more identified information assets of the organisation. It is a core IG objective that all Information Assets of the organisation are identified and that the business importance of those assets is established.

    The Senior Information Risk Owner (SIRO) - will be an Executive Director or Senior Management Board Member who will take overall ownership of the Organisation's Information Risk Policy, act as champion for information risk on the Board and provide written advice to the Accounting Officer on the content of the Organisation's Statement of Internal Control in regard to information risk.

    Appendix 2

    Sample - Records Management Procedure for accessing records following the Transfer of Community Services

    Active & Inactive records

    All records for active patients who at the time of transfer (e.g. 1st April 2011) are receiving treatment by a service that was formerly provided by NHS AA Community Health Services and are transferring to either BB NHS Trust or CC Community Health Services will transfer to these Receiving Organisations. Responsibility for the transferred records is also transferred to the Receiving Organisation.

    All records that are inactive (for example if the patient has been discharged from the service or has died prior to the 1st April 2011) have been stored in an off-site document storage facility. These archived records and the responsibility associated with them remain with NHS AA Commissioners.

    Records required when a patient is re-admitted to a transferred service

    If after the transfer date a patient, who had been previously discharged from a service, is re-referred to the community service, the receiving organisation may wish to access the patient's records from their previous treatment. Under these circumstances, a request for the records must be made to the responsible department at NHS AA Commissioners who will locate the records in the archive and transfer them securely to the Receiving Organisation. The time limit for this process will be no longer than 14 working days.

    Records requested under Subject Access

    Records that have been transferred to receiving organisations

    If a request for records is received by NHS AA Commissioners for records which have been transferred to the Receiving Organisations (as per the service destination list) then the request will be forwarded on to the Receiving Organisation and the requester will be advised that their request has been transferred to either BB NHS Trust or CC Community Health Services.

    Records that remain with NHS AA Commissioners

    If a request for records is received by NHS AA Commissioners for a record that they retain in their archive, they will be responsible for responding to and processing that request.

    Requests for records received by Receiving Organisation that contain NHS AA information

    If a request for records is received by a Receiving Organisation and the records contain NHS AA information (e.g. a podiatry record that contains information from when the service was provided by NHS AA Community Health Services, i.e. prior to April 2011, and now also contains records from the service provided by the Receiving Organisation), then the Receiving Organisation must ensure that any information in the record that:

    o falls within any of the exemptions set out by the Data Protection Act is removed prior to release;

    o could lead to litigation is identified to NHS AA Commissioners for their approval prior to release;

    o contains any contentious statements is identified to NHS AA Commissioners for their approval prior to release.

    Information must not be released without the consent of the patient or their representative unless instructed by the courts.

    Records requested for Litigation

    Records that have been transferred to Receiving Organisations

    If a letter of claim is received by NHS AA Commissioners and relates to treatment provided to the patient whilst the service was provided by NHS AA Community Health Services but the records have been transferred to one of the Receiving Organisations, then the Receiving Organisation must make the original records available to NHS AA Commissioners within 14 working days of request.

    Requests should be directed to: BB NHS Trust: , (e.g. Senior Risk Manager) or CC Community Health Services: .., (e.g. IG & Records Manager)

    Records that are retained by NHS AA Commissioners

    If a letter of claim is received by one of the Receiving Organisations and the historic records had not been transferred to the receiving organisation or subsequently requested when the patient was re-admitted into the service, but are required for litigation, then NHS AA Commissioners will make the original records available to the Receiving Organisation within 14 working days of the request.

    Requests should be directed to at NHS AA Commissioners.

    Records requested by Court or Police

    Records that have been transferred to a Receiving Organisation

    If records are held by a Receiving Organisation which contain both NHS AA and the receiving organisation's information, then the Receiving Organisation is responsible for complying with the order/request and must release historic NHS AA information that is also retained in the records.

    Request received by NHS AA Commissioners for records held by Receiving Organisations

    When a request is received by NHS AA Commissioners that relates to records that have been transferred to a Receiving Organisation, then NHS AA Commissioners are responsible for ensuring the Court Order/Police request is forwarded to the Receiving Organisation within two working days and the requester is advised on where the information is held and that their request has been forwarded to the appropriate organisation.

    Requests should be directed to: BB NHS Trust: , (e.g. Medical Records Manager) or CC Community Health Services: .., (e.g. IG & Records Manager)

    Request for records received by Receiving Organisations for records retained by NHS AA Commissioners

    When a request is received by a Receiving Organisation for records that are retained by NHS AA Commissioners, then the Receiving Organisation is responsible for ensuring the Court Order/Police request is forwarded to NHS AA Commissioners within two working days and the requester is advised on where the information is held and that their request has been forwarded to the appropriate organisation.

    Requests should be directed to at NHS AA Commissioners

    Arrangements after abolition of PCTs 2013

    After 2013, when the PCTs are abolished, responsibility for the arrangements as listed above will continue to be carried out by the successor body that has inherited and continues the statutory functions previously carried out by PCTs.

    Signed in agreement by:

    Organisation Print Name Signature Date

    NHS AA Commissioners

    BB NHS Trust

    CC Community Health Services

    Appendix 3

    External Information Sharing Protocol

    Introduction

    This overarching protocol comprises a set of rules that organisations agree to comply with when sharing personal data. It covers all manual, electronic and oral information.

    This protocol is not a licence to share information but a guide that must be followed by all staff.

    This overarching document is a Tier 1 document of the 3 Tier health and social care model as approved by the Department of Health. An agreed approach to information sharing between organisations should reduce uncertainty amongst staff, allay suspicion from the public and lessen the frustration felt by those attempting to provide seamless services.

    Purpose

    The overarching information sharing protocol is the highest level in the protocol structure (tier 1) and applies generally to the sharing of personal data. The protocol will set out a framework for the sharing of information to ensure that the confidentiality and integrity of personal identifiable information is not compromised.

    The importance of information sharing

    Information sharing must be in the best interests of service users, their carers and families or the wider public interest.

    The purpose of information sharing will either relate to the provision of care, including the quality assurance of that care, for the individual concerned or will be related to non-care, or secondary, services e.g. service evaluation, research, finance or public health work.

    Caldicott and Data Protection

    When sharing personal identifiable information, NHS organisations must comply with the Caldicott principles:

    1: Justify the purpose for using personally identifiable information.

    2: Only use personally identifiable information if absolutely necessary.

    3: Use only the minimum data needed for the specific purpose.

    4: Restrict access to information only to those who need to know.

    5: Individuals should be aware of their responsibilities to keep data confidential.

    6: Data should be used and processed in compliance with the law

    By signing this agreement, non-NHS organisations are agreeing to meet the Caldicott requirements with regards to the agreed dataset.

    All organisations have to comply with the eight principles of the Data Protection Act:

    1. Personal data shall be processed fairly and lawfully

    2. Personal data shall be obtained only for one or more specified and lawful purposes and shall not be processed in any manner incompatible with those purposes

    3. Personal data shall be adequate, relevant and not excessive

    4. Personal data shall be accurate and up to date

    5. Personal data shall not be kept for any longer than is necessary for the purpose

    6. Personal data shall be processed in accordance with the rights of data subjects

    7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

    8. Personal data shall not be transferred outside the EEA without adequate protections

    Evidence as to how either party is meeting the requirements of the seventh principle must be produced on reasonable notice.

    If the party providing information becomes aware of inaccuracies contained within information that has already been shared, they will inform the other party so that all records can be amended.

    Is a protocol required?

    The table below sets out when a protocol is always required and when it is optional.

    Recipient organisation is achieving the required level of information governance performance:

    Sharing for care purposes - Sharing protocol is optional.

    Sharing for non-care purposes - Sharing protocol that focuses on the secondary uses in question, i.e. the purpose, constraints on re-use of information, retention periods and destruction policies, is necessary.

    Recipient organisation is unable to demonstrate the required information governance performance:

    Sharing for care purposes - Sharing protocol that addresses the required information governance standards in the recipient organisation and the legal principles that apply is necessary.

    Sharing for non-care purposes - Sharing protocol that addresses the required information governance standards in the recipient organisation, the legal principles that apply and the additional standards associated with the secondary uses in question (i.e. the purpose, constraints on re-use of information, retention periods and destruction) is necessary.

    Responsibilities and standards for participating organisations

    The signatory organisations listed below will formally adopt this information sharing protocol.

    Each organisation will take responsibility for dissemination and implementation of this agreement.

    In respect of any confidential information received from the other party, each party agrees to keep the information secret and strictly confidential and will not disclose any such confidential information to a third party, unless:

    o Disclosure is authorised by the prior written consent of the discloser;

    o The disclosure is required to make sure the Trust complies with the Freedom of Information Act 2000 (FOIA);

    o The information is already in the public domain other than by breach of contract or other act or omissions of the recipient.

    Public authorities are subject to the Freedom of Information Act 2000. Both parties will act in line with the FOIA and assist the other with requests where necessary.

    Each organisation signing this protocol shall have appointed a responsible officer who will ensure the protection of personal identifiable information, e.g. Caldicott Guardian or senior manager responsible for data protection.

    A list of information flows for this instance of data sharing is attached. NHS organisations are required to review all transfers of personal identifiable information annually.

    Each organisation is committed to ensuring staff are appropriately trained in data protection / Caldicott procedures.

    Security of information

    Personal identifiable information saved to removable devices such as laptops or USB drives must be encrypted.

    Email will only be used to send sensitive information when both the sender and recipient use nhs.net accounts.

    Fax must only be used when the recipient has a fax machine in a secure area.

    Multiple copies of the information shared should not be made as this compromises security.

    Termination of this agreement

    Any changes to this agreement must be agreed by both parties in writing.

    If the party which is the recipient of information should use that information in any way which is outside of the terms of this agreement or any addition confirmed by both parties, this agreement will be terminated and information sharing will cease.

    If, on review of this agreement, it is clear that the necessity to share information has ceased, termination must be agreed in writing by both parties. Each organisation will assist in any review carried out.

    Appendix 4

    Sample - TCS Pre-transfer Information Sharing Protocol

    Declaration of acceptance and participation

    Information will be shared between: XXXX PCT and

    o AA NHS Foundation Trust,

    o BB Health and Social Care NHS Trust,

    o CC Acute Hospitals NHS Trust,

    o DD NHS Foundation Trust

    Data to be shared

    Before a transfer of XX PCT Community Services takes place, patient identifiable data held on paper records and on systems detailed in the XXXX PCT Systems Catalogue v5.0 will be accessed by a strictly limited number of staff from the above named Trusts.

    Reason for sharing information

    To develop an understanding of how the systems work.

    Access

    The following staff will have access to the information:

    Community Services

    Choose & Book

    Human Resources

    IM&T

    Any other authorised user

    Destruction details

    Once the purpose for information sharing has ended, and where appropriate to do so, information will be disposed of in accordance with NHS and legal requirements (NHS Code of Practice and NHS Retention & Disposal Policy).

    Signed by

    Signed . . . . . . . . . . . . . . . . . . . . . . . Print Name . . . . . . . . . . . . . . . . . . . . Date . . . . . . .

    Position . . . . . . . . . . . . . . . . . . . . . . .

    On behalf of XX PCT

    Signed . . . . . . . . . . . . . . . . . . . . . . . Print Name . . . . . . . . . . . . . . . . . . . . Date . . . . . . .

    Position . . . . . . . . . . . . . . . . . . . . . . .

    On behalf of recipient Trust

    Sample - TCS Post-transfer Information Sharing Protocol

    Declaration of acceptance and participation

    Information will be shared between:

    o AA NHS Foundation Trust,

    o BB Health and Social Care NHS Trust,

    o CC Acute Hospitals NHS Trust,

    o DD NHS Foundation Trust

    Data to be shared

    Following the transfer of community services, patient identifiable data held on paper records and on systems detailed in the XX PCT Systems Catalogue v5.0 will be accessed by a strictly limited number of staff from the above named Trusts.

    Reason for sharing information

    To provide community services, each of the above Trusts needs access to the above systems formerly controlled by XX PCT.

    Each Trust must ensure that staff are reminded they must only access information for work purposes and in relation to patients in whose care they are involved.

    Each Trust is responsible for the data relating to their own patients. The accuracy and security of the information must be maintained by the individual Trust.

    Staff having access to these systems must sign a confidentiality agreement.

    Access

    The following staff will have access to the information:

    Community Services

    Choose & Book

    Human Resources

    IM&T

    Any other authorised user

    Destruction details

    Once the purpose for information sharing has ended, and where appropriate to do so, information will be disposed of in accordance with NHS and legal requirements (NHS Code of Practice and NHS Retention & Disposal Policy).

    If a system is to be replaced this will be discussed jointly with each Trust represented.

    Signed by

    Signed . . . . . . . . . . . . . . . . . . . . . . . Print Name . . . . . . . . . . . . . . . . . . . . Date . . . . . . .

    Position . . . . . . . . . . . . . . . . . . . . . . .

    On behalf of

    Sample - TCS Project Confidentiality Agreement

    The Data Protection Act 1998 requires that all organisations processing personal data keep this information safe and secure. XXXX PCT is required to ensure that it complies fully with all its legal obligations in this area, including data protection, and the need to respect patients' and staff's legitimate expectations of confidentiality. Everyone with access to personal data must accept their responsibility to uphold the requirements of data protection and confidentiality.

    On this basis, I agree that any personal or other sensitive information that I receive whilst working at XXXX PCT will be used solely for the purposes of carrying out my role as part of the Transforming Community Services project. I will not use, store, share or disclose any information obtained as part of this process for any other reason, unless with the express authority of XXXX PCT. This includes any transfer of recorded information, and any verbal disclosure.

    I will report all potential or actual breaches of confidentiality / Data Protection Act (1998) to my local Information Governance Lead, including the loss, theft or damage of any documents containing personal data I obtained during my visit / work.

    I will not store personal data or other sensitive information on a portable device without encryption and unless absolutely necessary.

    I will only email personal or other sensitive information with appropriate security / in accordance with the policy of my Trust.

    I understand that I owe a duty of confidentiality to any individual whose data is discussed or referred to in any meetings, correspondence, documentation or data that I receive or handle.

    I will not use any personal information that I receive or gain access to for any other purpose, or divulge it to any third party.

    I will dispose of any documents containing personal or confidential information securely as soon as my use of them is complete, unless XXXX PCT requires me to return them.

    This agreement does not apply to any document or information that I can reasonably establish was in my possession or known to me before the date of this agreement or which becomes public knowledge otherwise than as a result of a breach of any of the above agreements.

    Signed

    Print Name

    Job Title / Designation

    Organisation

    Date

    Appendix 5

    IG related policies and procedures that may be affected by TCS

    IG component of Informatics Strategy

    IG Strategy

    IG Policies

    IG Work plans

    Information security policy

    Network security policy

    Remote access security policy

    De-identification/pseudonymisation policy for secondary uses

    Document storage policy

    Housekeeping and anti-virus policies

    Registration Authority

    Acceptable Use policy

    Usage policy - acceptable use of email

    Usage policy - internet

    Usage policy - mobile phone

    Usage policy - telephone usage

    Printing policy

    Home-working policy

    Data Controller

    Data Processors

    IG Toolkit - assessment

    Information Asset & IA Owners Lists (IAO)

    Senior Information Risk Owners Lists (SIRO)

    Serious Untoward Incidents/SUI reporting

    Scope of record access (e.g. limit re MH)

    Subject Access Requests (SARs) procedures

    Section 10s procedures

    Fair processing notices

    Secure transfer of records

    IG Training