Professional Guidance 2 Flashcards

1
Q

Why is information security in healthcare settings important?

A

Information security is important to everyone

Information about people’s health is particularly sensitive

We have a duty to protect people’s information

Everyone using health services should be able to trust that their personal information is protected

You must comply with the laws and guidance on Data Protection

Poor security can cause personal, social and reputational damage

2
Q

National Data Guardian standards

A

Advises the health and care system to ensure citizens’ confidential information is safeguarded and used properly. 10 standards:
1. Mandatory training - annual
2. Confidentiality - ensure personal data is always handled in confidence
3. Staff Responsibilities - ensure staff understand their responsibilities
4. Data Handling - personal data must be handled, stored and transmitted securely and only shared for lawful purposes
5. Accountable Suppliers - accountable via contracts for protecting personal data
6. Data Breaches - cyber-attacks identified/resisted; all breaches are identified, reported and actioned
7. Process Reviews - at least annually
8. Continuity Planning - in place to respond to threats to data security
9. IT Estate - no unsupported operating systems, software or internet browsers
10. IT Strategy - strategy in place for protecting IT systems from cyber threats

3
Q

Data Security and Protection (DSP)

A

NHS Operating Framework 2009/10 - NHS providers must assure the Information Commissioner on the management of personal information within their organisation:

Annual completion of the NHS DSP toolkit (formerly IG Toolkit)

4
Q

Information Governance (IG)

A

‘IG is a series of rules and procedures required by the Information Commissioner (IC), describing the way in which organisations handle information about people’

…now termed Data Security and Protection (DSP)

5
Q

Data Security and Protection Standards

A

1 Personal Confidential Data
2 Staff Responsibilities
3 Training
4 Managing Data Access
5 Process Reviews
6 Responding to Incidents
7 Continuity Planning
8 Unsupported Systems
9 IT Protection
10 Accountable Suppliers

6
Q

Training for Data Security and Protection

A

SOPs
Training
Must have evidence of 95% of pharmacy staff trained

7
Q

Information Commissioner’s Office (ICO)
set up to:

A

The ICO is the UK’s independent body set up to:

Uphold information rights in the public interest
Issue fines following a breach of personal data
Provide guidance (newsletters/guidance/leaflets)
Operate a helpline

8
Q

ICO upholds the following laws

A

Data Protection Act
Freedom of Information Act
Privacy and Electronic Communications Regulations
General Data Protection Regulation
Environmental Information Regulations
INSPIRE Regulations
eIDAS Regulation
Re-use of Public Sector Information Regulations

9
Q

Types of Information in Pharmacies

A

Personal Information - identifies a person (living or deceased, including patients, customers, staff). Personal Data is a subset of this

Anonymised Information - does not identify an individual. Anonymisation requires the removal of name, address, postcode and any other detail or combination of details that might support identification

Pseudonymised Information - individuals are distinguished by using a unique identifier (a pseudonym). Allows linking of different data sets to the person

10
Q

What is confidential information?

A

Private information

One person discloses information to another and expects it to be used in confidence (e.g. patient to pharmacist, pharmacy business information, staff issues)

Provided to someone who has a ‘duty of confidence’

Under common law of confidentiality, this information should not be used or shared further without consent

11
Q

Maintenance of confidentiality

A

Relationship of trust between the HCP and patient

- legal obligation

- requirement of professional standards

- included within NHS employment contracts, linked to disciplinary procedures

12
Q

Legal basis of confidentiality

A

Statute Law - written law at state level; forbids or directs certain actions, makes declarations or states government mechanisms to aid society
DPA 2018 - Data Protection Act
GDPR 2018 - the EU General Data Protection Regulation

Civil Law - rules about private rights; governs disputes between individuals, e.g. contracts, property, family law
Duty of Care - provide quality care to the best of your ability, e.g. confidentiality; if no duty of care, negligence….

Common (Case) Law - based on previous court cases. Law applied by reference to previous cases, based on precedent.
Duty of Confidentiality - if information is given where a duty of confidence applies, the information cannot be disclosed without consent (some exemptions)

13
Q

Data Protection Act (DPA) 2018

A
  1. Sets out PRINCIPLES on how companies/organisations should process or handle personal data
  2. Provides people with RIGHTS regarding data held on them
  3. DPA includes the General Data Protection Regulation (GDPR), designed to:
    - Harmonise data privacy laws across Europe
    - Protect and empower all EU citizens’ data privacy
    - Reshape the way organisations approach data privacy
14
Q

The General Data Protection Regulation (GDPR)

A
  • same basic principles as current privacy law, but stronger expectations
  • accountability is tightened
  • new rights for individuals - strengthening of existing rights
  • greater requirements to report breaches
  • data protection impact assessment mandatory
  • higher penalties for non-compliance
  • compensation - individuals can bring claims for compensation and damages against both controllers and processors

15
Q

Principles on Processing Personal Data

A

Lawful, fair and transparent

Purpose limitation - collected for specified legitimate purposes

Data minimisation - adequate, relevant and limited to what is necessary

Accuracy - accurate and kept up to date

Storage limitation - kept for no longer than necessary

Integrity and confidentiality (security) - processed to ensure security of personal data: protection against unauthorised/unlawful processing, accidental loss, destruction or damage

Also Accountability - the data controller shall be responsible for, and be able to demonstrate, compliance

16
Q

Rights for individuals under GDPR/DPA?

A

THE RIGHT:
TO BE INFORMED - what data is being used for, who it is shared with (fair processing)
- privacy notice/information

  1. OF ACCESS - able to get a copy of information free of charge, within a month of the request (subject access request)
  2. TO RECTIFICATION - to get inaccurate data corrected
  3. TO ERASURE - to ask for data to be destroyed; not an absolute right
  4. TO RESTRICT PROCESSING - to object to the use/sharing of information held in confidence; not an absolute right
  5. TO DATA PORTABILITY - individuals can obtain and reuse their data for their own purposes across different services; transmitted electronically from one controller to another
  6. TO OBJECT - to data processing where they claim they are suffering unwarranted distress or damage as a result. Individuals have an absolute right to stop their data being used for direct marketing
  7. TO AUTOMATED DECISION MAKING (NO HUMAN INVOLVEMENT) AND PROFILING - need consent
17
Q

Under GDPR Organisations must:

A

Ensure data protection by design and default (a ‘built-in’ rather than ‘bolted-on’ approach).

Only use processors who provide ‘guarantees’ of GDPR compliance

Report data-related incidents deemed serious to the Information Commissioner’s Office (ICO) within 72 hours (for NHS using the DSP Toolkit incident reporting tool)

Conduct Data Protection Impact Assessments (DPIA) for projects likely to result in a high risk to individuals. Perform a DPIA prior to new systems, projects or processes

Maintain internal records of your processing activities for accountability

18
Q

Caldicott principles

A
  1. Justify the purpose(s) for using confidential information
  2. Only use it when absolutely necessary
  3. Use the minimum necessary personal confidential data
  4. Access should be on a strict need-to-know basis
  5. Everyone with access to personal confidential data should be aware of their responsibilities
  6. Understand and comply with the law
  7. The duty to share information can be as important as the duty to protect patient confidentiality… in the best interests of patients

1997 Caldicott guardians/ Information Governance/Caldicott leads created as guardians of personal information in their organisation

19
Q

Confidentiality - contractual obligation

A

Employment Contract – commercial confidentiality, staff data confidentiality

NHS Code of Practice on Confidentiality 2003
Guide to required practice for those who work in the NHS or under contract to it; concerned with confidentiality and patient consent to use their health records

Caldicott review 1997 updated 2013
All NHS organisations must have a Caldicott Guardian (senior person responsible for protecting the confidentiality of people’s information and making sure data is used properly)

NHS Community Pharmacy Contract essential service -
Clinical Governance: ‘Use of Information’ pillar refers to use of the DSP toolkit

20
Q

Patients expect any records about them are held securely. You must:

A

Protect the confidentiality of information you receive, store, send or destroy – store it out of sight of, and not accessible to, the public
Length of storage of paper copies MUR/private Rx/CD records etc
Cross shredding or secure confidential paper waste destruction
iPads/tablets/laptops/phones?
Pharmacy operational systems, SOPs, premises design

Take steps to prevent accidental disclosure
Training
Pharmacy operational systems/ SOPs

Privacy in patient consultations so that confidential information is not overheard or accessed
Consultation room use

Do not disclose information on websites, internet chat forums or social media that could identify patients
Staff training
High risk: famous people/gossip/interesting cases

Make sure everyone working in the pharmacy knows their responsibility to maintain confidentiality
Staff training

Raise concerns if the security of personal information is not appropriate
With whom?

Continue to protect a person’s confidentiality after death, subject to disclosures required by law or in the public interest
Examples?

21
Q

Computer records

A

Restricted access with passwords, Personal Identification Number (PIN) or other restricted access systems
Consultation room with PMR locked when not in use
Timing out systems for PMR
PIN or passwords changed regularly
Protected/encrypted networks

Level of access that various members of the pharmacy team have to patients’ records should be appropriate to their duties
NHS Smartcard use, Summary Care Record (SCR) access

22
Q

Data Security breaches in Pharmacy

A

Repeat slips in someone else’s medication bag
Giving out medication to the wrong patient
Delivering medication to the wrong address
Inappropriate conversations held in the pharmacy
Loss of prescriptions by courier when sent off at month end
Patient data on social media
Theft of prescription medication

23
Q

What if there is a Data Security breach?

A

Apologise to patient
Investigate
Assess risk to patient
Pharmacy must report IG incident
Deal with as a complaint
Learn lessons
Take action to prevent a recurrence
Contact Information Commissioner if necessary- fill in DSP Toolkit incident reporting form WITHIN 72 HOURS
Get a fine!!