Sunday, July 10, 2016
The UK Has A Close Look At Health Information Sharing And Comes Up With Some High Quality Rules Of The Road.
This appeared a few days ago.
6 July 2016
Dame Fiona Caldicott’s latest review of information governance and security in the NHS says trusts should make security control as high a priority as financial control, and recommends a tougher IG Toolkit for trusts.
The national data guardian’s long awaited report was released on Wednesday morning, after the 'purdah' restrictions that prevent civil servants from making politically controversial statements was lifted following the EU referendum.
“The leadership of every organisation should demonstrate clear ownership and responsibility for data security, just as it does for clinical and financial management and accountability,” the report says. "People’s confidential data should be treated with the same respect as their care."
This would include using a “redesigned” IG Toolkit and giving the Health and Social Care Information Centre the ability to report organisations with poor data controls to the Care Quality Commission.
Currently the toolkit can be treated as a "tick box exercise", the review says. The proposed changes should make it both more accessible for staff training and more externally measurable and accountable.
Speaking a briefing after the report's release, Dame Fiona said the toolkit needed to be "much more user friendly, and not just a self assessment toolkit." She added: "It can then be audited, rather than the organisation testing themselves. You can't mark your own homework in our view."
Oher recommendations include improved cyber security, embedding data protection in financial contracts. and harsher sanctions for malicious data breaches.
This could include changing the law to include “stronger sanctions to protect anonymised data", the report says. "This should include criminal penalties for deliberate and negligent re-identification of individuals."
Last updated: 6 July 2016 19:39
A letter to the Senior Health Minister in England summaries the key outputs of the review:
CQC's review of 60 hospitals, GP surgeries and dental practices focused on the availability, integrity and confidentiality of data systems in the NHS. Specifically, it found that:
· There was evident widespread commitment to data security, but staff at all levels faced significant challenges in translating their commitment into reliable practice.
· Where patient data incidents occurred they were taken seriously. However, staff did not feel that lessons were always learned or shared across their organisations.
· The quality of staff training on data security was very varied at all levels, right up to Senior Information Risk Owners (SIROs) and Caldicott Guardians.
· Data security policies and procedures were in place at many sites, but day -to-day practice did not necessarily reflect them.
· Benchmarking with other organisations was all but absent. There was no consistent culture of learning from others, and we found little evidence of external checking or validation of data security arrangements.
· The use of technology for recording and storing patient information away from paper-based records is growing. This is solving many data security issues but, if left unimproved, increases the risk of more serious, large-scale data losses.
· Data security systems and protocols were not always designed around the needs of frontline staff. This leads to staff developing potentially insecure workarounds in order to deliver good, timely care to patients – this issue was especially evident in emergency medicine settings.
· As integrated patient care develops, improvements must be made to the ease and safety of sharing data between services.
In carrying out the work to develop new data security standards for health and social care, the National Data Guardian’s review found that:
· There is a high degree of public trust in the NHS to safeguard people’s data. People want reassurance about security when data is being moved outside the NHS, and some want harsher sanctions for intentional or malicious breaches.
· GPs and social care professionals want a simple explanation of what they should and should not be doing and reassurance that organisations with which they share data are also protecting patient information.
· Previous information breaches mostly related to paper records, or to older equipment such as faxes. As the health and social care sector becomes more digital, many of these issues will be addressed automatically. However, as systems became more digital, breaches could affect greater numbers of people and the external cyber threat is becoming a bigger consideration.
· A number of data standards already exist, but data controllers are often unsure which to follow.
· Strong leadership, in particular from Senior Information Risk Owners (SIRO) and properly supported Caldicott Guardians, makes a significant difference.
· Integration is driving more data sharing between health and social care organisations, although a lack of understanding of security issues is causing people to default to risk avoidance and to be unwilling to share.
· Data breaches were caused by people, processes and technology, with people primarily motivated to get their job done and often working with ineffective processes and technology.
The National Data Guardian proposes ten new ‘data security standards’ for consultation. She recommends that leaders of all health and social care organisations commit to the standards, and demonstrate this through audit to support inspection.
In developing the proposed new consent / opt-outs model, the National Data Guardian Review found that:
· Trust is essential and should underpin any opt-out model. While there is still limited public knowledge about how data is used in health and social care, the NHS is trusted to collect, store and safeguard data.
· Both patients and professionals want clear communications about how professionals can and should share information.
· People’s opinions on their personal confidential data being shared are influenced by the purpose for which it would be used. For example, there was concern about personal confidential information being used for insurance or marketing. In general, people were content with their personal confidential data being used for their own care.
· Information is essential to support excellent care, for running the health and social care system, to improve the safety and quality of care, including through research, to protect public health, and to support innovation. But for the majority of purposes personal confidential data is not required. High quality, linked data that is anonymised will often be sufficient.
· There are some purposes where personal confidential data is needed: for example, for some planning, to check the quality of care, and for some research. People tend to support such uses, although they expect to be able to be asked about these purposes.
The National Data Guardian proposes a new consent / opt-out model for consultation to enable people to opt out from their personal confidential data being used for purposes beyond their direct care, including in running the NHS and care system and to support research to improve treatment and care. It is based on the purposes for which the data will be used. People should also be able to continue to give their explicit consent for specific research projects, as they do now. She proposes that the new model should be implemented by every organisation processing health and social care information. Ultimately, a person should be able to state their preference once (online or in person) and be reassured that this will be applied across the system. If they change their mind, that should be respected.
The National Data Guardian recommends that there needs to be a much more extensive dialogue with the public about how their information will be used, and the benefits of data sharing for their own care, for the health and social care system and for research. She suggests that there should be a full consultation on her proposals, as a first step in beginning that debate.
----- End Extract.
The Report and Letter can be downloaded from here:
To me this report is a model of sanity and clarity and really should be read and considered by the ADHA as a matter of urgency to ensure its approach to the areas of security and health information use are appropriate and sensible.
The views of the public on Health Information Sharing and Privacy in the UK seem to me to pretty accurately reflect the views of citizens in Australia – which makes what is said here very, very relevant.
I hope ADHA is already reading carefully. Moving in these directions could save themselves considerable grief!
Posted by Dr David More MB PhD FACHI at Sunday, July 10, 2016