Sunday, July 10, 2016

The UK Has A Close Look At Health Information Sharing And Comes Up With Some High Quality Rules Of The Road.

This appeared a few days ago.

Tough penalties and better data control - Caldicott

Ben Heather
6 July 2016
Dame Fiona Caldicott’s latest review of information governance and security in the NHS says trusts should make security control as high a priority as financial control, and recommends a tougher IG Toolkit for trusts.
The national data guardian’s long awaited report was released on Wednesday morning, after the 'purdah' restrictions that prevent civil servants from making politically controversial statements were lifted following the EU referendum.
“The leadership of every organisation should demonstrate clear ownership and responsibility for data security, just as it does for clinical and financial management and accountability,” the report says. "People’s confidential data should be treated with the same respect as their care."
This would include using a “redesigned” IG Toolkit and giving the Health and Social Care Information Centre the ability to report organisations with poor data controls to the Care Quality Commission.
Currently the toolkit can be treated as a "tick box exercise", the review says. The proposed changes should make it both more accessible for staff training and more externally measurable and accountable.
Speaking at a briefing after the report's release, Dame Fiona said the toolkit needed to be "much more user friendly, and not just a self assessment toolkit." She added: "It can then be audited, rather than the organisation testing themselves. You can't mark your own homework in our view."
Other recommendations include improved cyber security, embedding data protection in financial contracts, and harsher sanctions for malicious data breaches.
This could include changing the law to include “stronger sanctions to protect anonymised data", the report says. "This should include criminal penalties for deliberate and negligent re-identification of individuals."
Last updated: 6 July 2016 19:39
More here:
A letter to the Senior Health Minister in England summarises the key outputs of the review:

Data security review findings

CQC's review of 60 hospitals, GP surgeries and dental practices focused on the availability, integrity and confidentiality of data systems in the NHS. Specifically, it found that:
· There was evident widespread commitment to data security, but staff at all levels faced significant challenges in translating their commitment into reliable practice.
· Where patient data incidents occurred they were taken seriously. However, staff did not feel that lessons were always learned or shared across their organisations.
· The quality of staff training on data security was very varied at all levels, right up to Senior Information Risk Owners (SIROs) and Caldicott Guardians.
· Data security policies and procedures were in place at many sites, but day-to-day practice did not necessarily reflect them.
· Benchmarking with other organisations was all but absent. There was no consistent culture of learning from others, and we found little evidence of external checking or validation of data security arrangements.
· The use of technology for recording and storing patient information away from paper-based records is growing. This is solving many data security issues but, if left unimproved, increases the risk of more serious, large-scale data losses.
· Data security systems and protocols were not always designed around the needs of frontline staff. This leads to staff developing potentially insecure workarounds in order to deliver good, timely care to patients – this issue was especially evident in emergency medicine settings.
· As integrated patient care develops, improvements must be made to the ease and safety of sharing data between services.
In carrying out the work to develop new data security standards for health and social care, the National Data Guardian’s review found that:
· There is a high degree of public trust in the NHS to safeguard people’s data. People want reassurance about security when data is being moved outside the NHS, and some want harsher sanctions for intentional or malicious breaches.
· GPs and social care professionals want a simple explanation of what they should and should not be doing and reassurance that organisations with which they share data are also protecting patient information.
· Previous information breaches mostly related to paper records, or to older equipment such as faxes. As the health and social care sector becomes more digital, many of these issues will be addressed automatically. However, as systems became more digital, breaches could affect greater numbers of people and the external cyber threat is becoming a bigger consideration.
· A number of data standards already exist, but data controllers are often unsure which to follow.
· Strong leadership, in particular from Senior Information Risk Owners (SIRO) and properly supported Caldicott Guardians, makes a significant difference.
· Integration is driving more data sharing between health and social care organisations, although a lack of understanding of security issues is causing people to default to risk avoidance and to be unwilling to share.
· Data breaches were caused by people, processes and technology, with people primarily motivated to get their job done and often working with ineffective processes and technology.
The National Data Guardian proposes ten new ‘data security standards’ for consultation. She recommends that leaders of all health and social care organisations commit to the standards, and demonstrate this through audit to support inspection.

Consent / opt-out review findings

In developing the proposed new consent / opt-outs model, the National Data Guardian Review found that:
· Trust is essential and should underpin any opt-out model. While there is still limited public knowledge about how data is used in health and social care, the NHS is trusted to collect, store and safeguard data.
· Both patients and professionals want clear communications about how professionals can and should share information.
· People’s opinions on their personal confidential data being shared are influenced by the purpose for which it would be used. For example, there was concern about personal confidential information being used for insurance or marketing. In general, people were content with their personal confidential data being used for their own care.
· Information is essential to support excellent care, for running the health and social care system, to improve the safety and quality of care, including through research, to protect public health, and to support innovation. But for the majority of purposes personal confidential data is not required. High quality, linked data that is anonymised will often be sufficient.
· There are some purposes where personal confidential data is needed: for example, for some planning, to check the quality of care, and for some research. People tend to support such uses, although they expect to be able to be asked about these purposes.
The National Data Guardian proposes a new consent / opt-out model for consultation to enable people to opt out from their personal confidential data being used for purposes beyond their direct care, including in running the NHS and care system and to support research to improve treatment and care. It is based on the purposes for which the data will be used. People should also be able to continue to give their explicit consent for specific research projects, as they do now. She proposes that the new model should be implemented by every organisation processing health and social care information. Ultimately, a person should be able to state their preference once (online or in person) and be reassured that this will be applied across the system. If they change their mind, that should be respected.
The National Data Guardian recommends that there needs to be a much more extensive dialogue with the public about how their information will be used, and the benefits of data sharing for their own care, for the health and social care system and for research. She suggests that there should be a full consultation on her proposals, as a first step in beginning that debate.
----- End Extract.
The Report and Letter can be downloaded from here:
To me this report is a model of sanity and clarity and really should be read and considered by the ADHA as a matter of urgency, to ensure its approach to security and to the use of health information is appropriate and sensible.
The views of the public on Health Information Sharing and Privacy in the UK seem to me to pretty accurately reflect the views of citizens in Australia – which makes what is said here very, very relevant.
I hope ADHA is already reading carefully. Moving in these directions could save it considerable grief!
