professional guidance 2 Flashcards
Why is information security in healthcare settings important?
Information security is important to everyone
Information about people’s health is particularly sensitive
We have a duty to protect people’s information
Everyone using health services should be able to trust that their personal information is protected
You must comply with the laws and guidance on Data Protection
Poor security can cause personal, social and reputational damage
national data guardian standards
Advises the health and care system to ensure citizens’ confidential information is safeguarded and used properly. 10 standards:
1. Mandatory training- annual
2. Confidentiality- ensure personal data is always handled in confidence
3. Staff Responsibilities- ensure staff understand their responsibilities
4. Data Handling- Personal Data must be handled, stored, transmitted securely and only shared for lawful purposes
5. Accountable Suppliers- accountable via contracts for protecting personal data
6. Data Breaches- Cyber-attacks identified/resisted, all breaches are identified, reported and actioned
7. Process Reviews- at least annually
8. Continuity Planning- in place to respond to threats to data security
9. IT estate- no unsupported operating systems, software or internet browsers
10. IT strategy- strategy in place for protecting IT systems from cyber threats
Data Security and Protection (DSP)
NHS Operating Framework 2009/10-NHS providers must assure the Information Commissioner on the management of personal information within their organisation:
Annual completion of the NHS DSP toolkit (formerly IG Toolkit)
Information Governance (IG)
‘IG is a series of rules and procedures required by the Information Commissioner (IC), describing the way in which organisations handle information about people’
…now termed Data Security and Protection (DSP)
Data Security and Protection Standards
1 Personal Confidential Data
2 Staff Responsibilities
3 Training
4 Managing Data Access
5 Process Reviews
6 Responding to Incidents
7 Continuity Planning
8 Unsupported Systems
9 IT Protection
10 Accountable Suppliers
Training for Data Security and Protection
SOPs
Training
Must have evidence of 95% of pharmacy staff trained
Information Commissioner’s Office ICO
The ICO is the UK’s independent body set up to:
Uphold information rights in the public interest
Issue fines following a breach of personal data
Provide guidance (newsletters/guidance/leaflets)
Operate a helpline
ICO Upholds the following laws
Data Protection Act
Freedom of Information Act
Privacy and Electronic Communications Regulations
General Data Protection Regulation
Environmental Information Regulations
INSPIRE Regulations
eIDAS Regulation
Re-use of Public Sector Information Regulations
Types of Information in Pharmacies
Personal Information- identifies a person (living or deceased, including patients, customers, staff). Personal Data is a subset of this
Anonymised Information- does not identify an individual. Anonymisation requires the removal of name, address, postcode and any other detail or combination of details that might support identification
Pseudonymised Information- individuals are distinguished by using a unique identifier (a pseudonym). Allows linking of different data sets to the person
What is confidential information?
Private information
One person discloses information to another and expects it to be used in confidence (e.g. patient to pharmacist, pharmacy business information, staff issues)
Provided to someone who has a ‘duty of confidence’
Under common law of confidentiality, this information should not be used or shared further without consent
Maintenance of confidentiality
Relationship of trust between the HCP and patient
- legal obligation
- requirement of professional standards
- included within NHS employment contracts, linked to disciplinary procedures
legal basis of confidentiality
Statute Law- written law at state level-forbids or directs certain actions, makes declarations or states government mechanisms to aid society
DPA 2018 - Data protection act
GDPR 2018 - the EU general data protection regulation
Civil Law- rules about private rights-governs disputes between individuals e.g. contracts, property, family law
Duty of Care- provide quality care to the best of your ability, e.g. confidentiality; a failure in the duty of care amounts to negligence
Common (Case) Law- based on previous court cases. Law applied by reference to previous cases, based on precedent.
Duty of Confidentiality- if information is given where a duty of confidence applies, information cannot be disclosed without consent (some exemptions)
Data Protection Act (DPA) 2018
- Sets out PRINCIPLES on how companies/ organisations should process or handle personal data
- Provides people with RIGHTS regarding data held on them
- DPA includes the General Data Protection Regulation (GDPR) designed to:
- Harmonize data privacy laws across Europe
- Protect and empower all EU citizens' data privacy
- Reshape the way organizations approach data privacy
The general data protection regulation (GDPR)
- same basic principles as current privacy law, but stronger expectations
- accountability is tightened
- new rights for individuals - strengthening of existing rights
- greater requirements to report breaches
- data protection impact assessment mandatory
- higher penalties for non-compliance
- compensation - individuals can bring claims for compensation and damages against both controllers and processors
Principles on Processing Personal Data
Lawful, fair and transparent
Purpose limitation -collected for specified legitimate purposes
Data minimisation -adequate, relevant and limited to what is necessary
Accuracy -accurate and kept up to date
Storage limitation -kept for no longer than necessary
Integrity and confidentiality (security) –processed to ensure security of personal data: protection against unauthorised/ unlawful processing, accidental loss, destruction or damage
Also Accountability-the data controller shall be responsible for, and be able to demonstrate compliance
Rights for individuals under GDPR/DPA?
THE RIGHT:
- TO BE INFORMED- what data is being used for, who it is shared with (fair processing)
- privacy notice/information
- OF ACCESS- able to get a copy of information free of charge, within a month of the request (subject access request)
- TO RECTIFICATION- to get inaccurate data corrected
- TO ERASURE- to ask for data to be destroyed-not an absolute right
- TO RESTRICT PROCESSING- to object to the use/sharing of information held in confidence-not an absolute right
- TO DATA PORTABILITY-individuals can obtain and reuse their data for their own purposes across different services-transmitted electronically from one controller to another
- TO OBJECT- to data processing where they claim they are suffering unwarranted distress or damage as a result-Individuals have an absolute right to stop their data being used for direct marketing
- TO AUTOMATED DECISION MAKING (NO HUMAN INVOLVEMENT) AND PROFILING-need consent
Under GDPR Organisations must:
Ensure data protection by design and default (a ‘built-in’ rather than ‘bolted-on’ approach).
Only use processors who provide ‘guarantees’ of GDPR compliance
Report data-related incidents deemed serious to the Information Commissioner’s Office (ICO) within 72 hours (for NHS using the DSP Toolkit incident reporting tool)
Conduct Data Protection Impact Assessments (DPIA) for projects likely to result in a high risk to individuals. Perform a DPIA prior to new systems, projects or processes
Maintain internal records of your processing activities for accountability
caldicott principles
- Justify the purpose(s) for using confidential information
- Only use it when absolutely necessary
- Use the minimum necessary personal confidential data
- Access should be on a strict need-to-know basis
- Everyone with access to personal confidential data should be aware of their responsibilities
- Understand and comply with the law
- The duty to share information can be as important as the duty to protect patient confidentiality (in the best interests of patients)
1997 Caldicott guardians/ Information Governance/Caldicott leads created as guardians of personal information in their organisation
Confidentiality - contractual obligation
Employment Contract – commercial confidentiality, staff data confidentiality
NHS Code of Practice on Confidentiality 2003
Guide to required practice for those who work in the NHS or under contract to it; concerned with confidentiality and patient consent to use their health records
Caldicott review 1997 updated 2013
All NHS organisations must have a Caldicott Guardian (senior person responsible for protecting the confidentiality of people’s information and making sure data is used properly)
NHS Community Pharmacy Contract essential service
Clinical Governance: ‘Use of Information’ pillar refers to use of the DSP toolkit
Patients expect that any records about them are held securely. You must:
Protect the confidentiality of information you receive, store, send or destroy – store out of sight of, and inaccessible to, the public
Length of storage of paper copies (MUR, private Rx, CD records etc.)
Cross shredding or secure confidential paper waste destruction
ipads/tablets/laptops/phones?
Pharmacy operational systems, SOPs, premises design
Take steps to prevent accidental disclosure
Training
Pharmacy operational systems/ SOPs
Privacy in patient consultations so that confidential information is not overheard or accessed
Consultation room use
Do not disclose information on websites, internet chat forums or social media that could identify patients
Staff training
High risk: famous people/gossip/interesting cases
Make sure everyone working in the pharmacy knows their responsibility to maintain confidentiality
Staff training
Raise concerns if the security of personal information is not appropriate
With whom?
Continue to protect a person’s confidentiality after death, subject to disclosures required by law or in the public interest
Examples?
computer records
Restricted access with passwords, Personal Identification Number (PIN) or other restricted access systems
Consultation room with PMR locked when not in use
Timing out systems for PMR
PIN or passwords changed regularly
Protected/encrypted networks
Level of access that various members of the pharmacy team have to patients’ records should be appropriate to their duties
NHS Smartcard use, Summary Care Record (SCR) access
Data Security breaches in Pharmacy
Repeat slips in someone else’s medication bag
Giving out medication to the wrong patient
Deliver medication to the wrong address
Inappropriate conversations held in the pharmacy
Loss of prescriptions by courier when sent off at month end
Patient data on social media
Theft of prescription medication
What if there is a Data Security breach?
Apologise to patient
Investigate
Assess risk to patient
Pharmacy must report IG incident
Deal with as a complaint
Learn lessons
Take action to prevent a recurrence
Contact Information Commissioner if necessary- fill in DSP Toolkit incident reporting form WITHIN 72 HOURS
Get a fine!!