The Challenging and Changing Face of NHS Information Governance - Paper Delivered at the Information and Risk Management Society Conference, Brighton, May 2016

Western Sussex Hospitals NHS Foundation Trust

The Challenging and Changing Face of NHS Information Governance

Andrew Harvey, Information Governance Lead, Western Sussex Hospitals NHS FT
Chair, Sussex-Wide Information Governance Group

IRMS Conference, The Metropole Hotel, Brighton, 17 May 2016



Introduction…

• Achieving an acceptable definition
• The macro environment – now and in the future
• The micro environment
• Somewhere in between
• Prioritising the top 2
• Methodology
• About me

PART 1: Achieving a Definition

Existing definitions (1/2)…

“Allows organisations and individuals to ensure that personal information is handled legally, securely, efficiently and effectively, in order to deliver the best possible care. It additionally enables organisations to put in place procedures and processes for their corporate information that support the efficient location and retrieval of corporate records where and when needed, in particular to meet requests for information and assist compliance with Corporate Governance standards.”

Health and Social Care Staff Members: What You Should Know About Information Governance, NHS Connecting for Health (2008)

Existing definitions (2/2)…

“The management discipline that exploits an organisation’s data whilst associated risks and costs are minimised.”

David Stone, former Head of Information Governance, NHS South East CSU (2014)

“[P]reservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.”

ISO 27000 (2009), Information Technology - Security Techniques - Information Security Management Systems

Getting an acceptable definition…

“Ensuring that the Trust and its staff have a person-centred approach to managing the personal and sensitive information of its patients and staff, treating it and the organisation’s corporate information in a similar manner to which they would expect their own Medical Records or banking information to be treated.”

Andrew Harvey 02/2015, Western Sussex Hospitals FT’s Information Governance Mission Statement

• No technobabble
• No jargon
• No negativity
• Understandable to staff
• Patient-centred

Getting an acceptable definition…

“An enabling discipline to ensure that the Trust and its staff have a person-centred approach to managing the personal and sensitive information of its patients and staff, treating it and the organisation’s corporate information in a similar manner to which they would expect their own Medical Records or banking information to be treated.”

• No technobabble
• No jargon
• No negativity
• Understandable to staff
• Patient-centred

PART 2: The Macro Environment

The Macro environment 2013-16 (1/4)…

Despite IG safeguards in place, “The history of the past 15 years does not inspire confidence”.

Dr Paul Hodgkin, CEO, Patient Opinion [Source: The Guardian, 10/04/2014]

“The presumption we had a few years ago [that we have consent to] share data can no longer be presumed upon. We have to earn that trust again. We shouldn’t underestimate the concerns both from extremely vocal groups and the public as a whole.”

Kingsley Manning, Chair, HSCIC [Source: e-Health Insider, 25/06/2014]

The Macro environment 2013-16 (2/4)…

Legislation (1/2): Health & Social Care Act 2012, disallowing CCGs to access PCD for commissioning purposes: DSCRO, ASH, CEfF [Source: www.legislation.gov.uk]

Legislation (2/2): Health & Social Care (Safety & Quality) Act 2015:
• Single identifier (NHS #)
• Statutory basis for new Caldicott principle
[Source: www.legislation.gov.uk]

“The duty to share information can be as important as the duty to protect patient confidentiality”

Delayed guidance: e.g. Caldicott 3 Report on NHS InfoSec and Data Sharing stalled by EU referendum [Source: Digital Health Website, 20/04/2016]

The Macro environment 2013-16 (3/4)…

Compulsory ICO DP audits: From 02/2015, aimed at cutting number of breaches; intended as collaborative / voluntary, but… [Source: V3 website, 02/02/2015]

Poor programme management and PR: e.g. IIGOP advising Care.Data not fit-for-purpose but NHS England going ahead, wasting £1m [Source: Computing website, 07/01/2015]
Programme to combine data from GPs and hospitals to identify areas where more work or investment might be needed.

Process issues, e.g. 11/2014, HSCIC reviewing processes for releasing en masse non-clinical to police: 2.7k releases in financial year 2013-14 [Source: e-Health Insider, 09/12/2014]

Outsourcing, e.g. 06/2013 Birmingham-based Diagnostic Health knowingly breaching basic IG rules: password sharing, not encrypting, use of Google drive [Source: BBC News website, 16/06/2014]

The Macro environment 2013-16 (4/4)…

Leaking data: NHS England-approved apps flout privacy standards [Source: BBC News website, 25/09/2015]

More lack of consistency:
• NHS England moving Medical Records without consent
• ICO advising not sharing when needed is a breach
[Sources: BBC News website, 04/09/2015; Digital Health website, 15/10/2015]

Lack of consistency, e.g. ICO fines 2 HIV clinic email breaches differently: £250 v £180k [Sources: Computing website, 21/12/2015; BBC News website, 09/05/2016]

Not all challenges: Positives for IT:
• Carter: Meaningful use
• Government promises >£4bn over 5 years
[Sources: Digital Health website, 08/02/2016 and 09/02/2016]

A big Macro problem: conflict re DoH push for digitalisation…

CareCERT, new HSCIC cyber security service from 01/2016 [Source: Digital Health website, 03/09/2015]

Push for digitalisation, e.g. The Power of Information strategy, 05/2012 [Source: www.gov.uk]

02/2015, Dawn Monaghan, former ICO Public Sector Group Manager: cyber attacks and ID theft will increase as more patient data online [Source: V3 website, 10/02/2015]

NHS England promises full records access by 2018 – GPs largely achieved it with DCR by 03/2016 [Sources: Digital Health website, 17/06/2015 and 22/03/2016]

Patients able to add data from wearable devices, e.g. Fitbit, to their electronic patient record by 2018 [Source: Digital Health website, 24/06/2015]

The Macro environment: unhelpful publicity…

Secretary of State for Health, Jeremy Hunt, publishes photo on Twitter including patients’ names [Source: The Telegraph, 18/07/2015]

Unfortunate (or deliberate?) timing: HSCIC receives ICO Undertaking for failing to comply with patient opt outs… same day change name to ‘NHS Digital’ [Sources: ICO Website, 20/04/2016; www.gov.uk Website, 20/04/2016]

The Macro environment looking forward: GDPR

• Content agreed
• 2 year run in to 05/2018
• 13 changes impacting NHS
[Sources: ICO 12 Steps (2016); PDP Compliance (05/04/2016); Dilys Jones Associates Ltd (18/01/2016) and Silicon Republic (04/04/2016)]

1. Accountability to the DP principles
2. Consent
3. Data breaches
4. Data portability
5. Data processors
6. DP by design
7. DP Officer
8. Erasure of information
9. Higher fines
10. Information asset management
11. Privacy notices
12. Sensitive personal data
13. Subject access

2. Consent
• Stronger rights to delete
• Freely given, informed
• Not implied
• Verifying ages of children
• Joined up work: IG and clinical

4. Data Portability
• Transferring data between services
• Recognisable format
• Joined up work: IG and IT

5. Data Processors
• Notifying DCs of breaches
• Will it happen?
• Write into contracts
• Joined up work: IG, Contracting and Procurement

8. Erasure of information
• Totally clear what it means?
• What can we delete?
• Records Management CoP
• Technicalities
• Joined up work: IG and IT

9. Higher fines
• 2 tiers
• Highest up to €20m / 4% previous year’s turnover – Trust of £400m = £16m!
• Review IG Toolkit controls and undertake gap analysis

13. Subject access
• Shorter response times
• Free – no backfill
• Possibility to refuse
• Cost benefit analysis of accessing Medical Records online – promoted anyway

• Clarification for NHS needed: ICO, HSCIC, IGA, NDG
• Huge amounts of work!
• DPIA should be happening – Cabinet Office
• Positive: creating more joined up working!

My mortgage keeps getting paid!

PART 3: The Micro Environment

Overview of the Micro environment…

Big Brother Watch, 2014
2011-2014: 7,255 NHS incidents.
• 3.46% (251) = inappropriate sharing with third party
• 3.25% (236) = data shared by email, letter or fax
• 1.42% (103) = lost or stolen
• 0.69% (50) = social media
[Source: BBC News website, 14/11/2014]

www.cable.co.uk FOI, 2014
2013-14 financial year: 701 NHS incidents
• 21% (147) = erroneous disclosure
• 20% (137) = theft / loss
• 12% (83) = posted or faxed to wrong person
[Source: Wired website, 25/11/2014]

Increase in Data Security Concerns
Healthcare highest industry for data security breaches:
• Criminal attacks ↑ 125% since 2010
• 734 breaches in 2014
• ICO 517 healthcare investigations in 2015
[Source: Information Age website, 20/01/2016]

Sophos Study, c.2015
250 NHS employed senior IT professionals:
• 76% cybercrime protection good
• 72% data loss is biggest concern
• 10% encryption well established
• 42% use of mobile devices ↑
[Source: Information Age website, 22/01/2016]

Problems within the Micro environment…

Lack of knowledge, e.g. British Pregnancy Advisory Service 03/2012: £200k fine for hacker threatening to leak 10k patients’ PCD [Source: BBC News website, 07/03/2014]

Carelessness, e.g. Chelsea & Westminster NHS Trust (56 Dean Street) 09/2015: sending email to 800 users of HIV services: £180k fine [Sources: Sky News website, 02/09/2015; BBC News website, 09/05/2016]

Process issues, e.g. Blackpool Teaching Hospitals not checking details published on website, 03/2014: £185k fine [Source: Digital Health Website, 05/05/2016]

Accidents, e.g. Brighton & Sussex University Hospitals Trust, 09/2015: ward handover sheet of 37 patients found in street [Source: The Argus, 30/09/2015]

Malicious intent, e.g. former Medical Centre Director accessing colleagues’ and family Medical Records, c. 2015: £435 (!) fine [Source: ICO Website, 10/12/2015]

Bizarre decisions, e.g.
• Pharmacy2U selling data
• Royal Free Trust sharing with Google
[Sources: The Independent, 20/10/2015; BBC News Website, 03/05/2016; Business Insider Website, 12/05/2016]

PART 4: ‘The Inbetweener’

A Replete IG Toolkit Concern…

PART 5: Conclusions

The Top Challenges…

Macro: Lack of central coordination, resulting in wasted finances and a poor reputation for the IG discipline

Locally: Listen to and research the best advice that is available on any situation at any given time and apply best practice compassionately

Micro: Accidental breaches and carelessness: PEOPLE

Locally: Ensuring an effective training, awareness and assurance programme, using IG and the IGT in the best possible way – not just ‘tick boxing’

Summary…

• Achieving an acceptable definition
• The macro environment – now and in the future
• The micro environment
• Somewhere in between
• Prioritising the top 2

Western Sussex Hospitals NHS Foundation Trust