Privacy Impact Assessment. Integrated Personal Commissioning (IPC) Programme

Transcription

1 Privacy Impact Assessment Integrated Personal Commissioning (IPC) Programme Reference number: IG MAY17 Date PIA completed: May 2017 The Clinical Commissioning Group MUST comply with the Data Protection Act 1998 and other legal requirements. The Privacy Impact Assessment (PIA) process assists by evoking a 'privacy by design' approach to all projects/activities. PIAs are a tool which can help organisations identify the most effective ways to comply with their data protection obligations and meet individuals expectations of privacy. The PIA should be completed clearly and accurately as they may be published on the Clinical Commissioning Group s website (unless they contain commercially sensitive information) after being approved. Stage 1 *This PIA incorporates information from the Nottinghamshire County Council led PIA assessment and recognition is given for the support in this* Project Summary (key elements): The model of g is a new approach to joining up health, social care and other services (such as education for children and young people) at the level of each individual. It is part of a wider drive introduced through the NHS Strategy, the Five Year Forward View, to better meet peoples needs, promote health communities and support disabled people and those with long term conditions to manage their own health, care and wellbeing. Nottinghamshire County is an early adopter site for g, as is Nottinghamshire City. In Nottinghamshire, the five Clinical Commissioning Groups (the CCGs): NHS Mansfield and Ashfield, NHS Newark and Sherwood, NHS Nottingham North & East, NHS Nottingham West and NHS Rushcliffe joined together to deliver Integrated Personal g programme. The County Programme is being delivered by Nottinghamshire County Council and the Clinical Commissioning Group s. The same approach applies to the City Programme. Delivery of these programmes supports the aims of the Sustainability and Transformation Plan in Nottingham/Nottinghamshire and the Programmes will be developed and aligned with the Sustainability and Transformation Plan moving forward. This PIA relates to the County Programme and a separate PIA is being undertaken and will be submitted for the City. The emerging g framework published by NHS England is characterised by five key shifts in the model of care, underpinned by a number of specific service components. A key element of the programme is to contribute to the evaluation and development of linked data sets for purposes of future cohort identification. The requirements of the programme are outlined in the Memorandum of Understanding between the Clinical Commissioning Group, Local Authority and NHS England. MoU IPC Nottinghamshire 20 This PIA is necessary to scope all the data sharing requirements for the Date of Issue: 30 June 2017 Page 1 of 14

2 g programme, identify any privacy risks and controls which may need to be put in place and demonstrate how data will be processed within a legal framework meeting data protection and duty of confidentiality requirements. There are a number of different elements to the g programme which require specific Information Governance considerations and assurances. These include the following: 1. Identification of the initial cohort/group of patients/citizens who will be recruited onto the g programme. The g Programme Board has agreed to target known cohorts and therefore there is not a requirement for the initial recruitment to process or link data initially to identify these individuals. For its initial cohort, the programme will be working with existing individuals who are in receipt of PHBs, Continuing Health Care ( CHC ) funded individuals and joint funded health and social care packages, including s.117. The IG requirements relevant to this element are around ensuring that the initial access to data is completed by someone who is part of the care team with a legitimate relationship. For County Clinical Commissioning Group Continuing Health Care and PHB packages, the recruitment will be done either by a staff member employed within the CityCare Continuing Health Care team. For joint health and social care packages, this will be done by the person in the Local Authority team who already has an existing relationship with the individual. 2. To support recruitment to the initial g cohort, scoping is required of the IG requirements specific to fair processing / g data sharing and capturing of informed consent to share identifiable data locally with g partners. (This includes an g leaflet, data sharing leaflet, consent form (see examples below) and staff guidance that have been developed to take individuals through the g recruitment process. The same process and principles will be applicable to future cohorts once identified). IPC leaflet_dd v.3.2 Signed off.pdf IPC consent leaflet_dd v.3.2 Sign IPC Consent Form V2 Signed off.pdf 3. Data sharing for a finance purpose(s) - this could be sharing internally within the organisation to make payments or data sharing with a data processor (third party) who may be involved for the purposes of making payments on behalf of the Clinical Commissioning Group. 4. Establishing the required systems and processes for sharing non-identifiable data with NHSE/SQW as part of the evaluation requirement- this includes informing patients/citizens as part of the initial recruitment process. But not necessarily asking for consent of this element. This information is referenced in the data sharing leaflet and consent form. In addition, the systems and processes for sharing data with NHSE/SQW will need to be documented with regards to how this will be done securely. The point of contact (within the Clinical Commissioning Group) will lead on ensuring a robust local process for anonymising the patient information before this is transferred securely to the national evaluation team. It is anticipated that once scoped and all necessary assurances documented, the process and principles should be applicable to future cohorts in respect of data sharing for purposes of evaluation. Page 2 of 14

3 5. Capture of initial consent from recruited patients to be contacted in the future to participate in surveys, peers reviews or focus groups. Further guidance and information will be developed and shared with patients that consent to participating. This will be in the form of an information leaflet to support the IG requirements relating to this element of the programme. It is made explicitly clear to patients that they can agree to an g but do not necessarily need to agree/consent to being involved in completing surveys, peer reviews or being involved in a focus group. Some considerations relating to the above areas include: for survey completion there will be an additional information leaflet given to patients and data collected is then shared under implied consent. Only surveys should be sent to patients who have consented to participate as part of the initial recruitment/consent process. For focus groups or peer support networks there will be additional consent processes managed by SQW, including potentially signing of a participant confidentiality agreement. 6. Processing and analysing linked datasets for the purposes of future cohort identification. This element is not specific to direct care but processing data for secondary use and therefore the IG considerations are much more complex. Cohort used in this context means a group of patients or citizens who could benefit from being offered g. This element is important in order to understand current service use and provision and costs of care or care packages. It is also important to help plan how resources can be used differently and effectively to achieve a ised approach. There are a number of options to be scoped on how this piece of work can be completed within the required legal framework for processing data for a secondary use in compliance with data protection and confidentiality requirements. These could include; at individual level where patient/citizen consent is captured to process and link identifiable data from a number of providers. Alternatively options could be considered regarding data that is already held locally for the provision of direct care. There is an option to scope the analysis/processing of psuedonymised (non-person identifiable) datasets held centrally within the GP Repository for Clinical Care (GPRCC) which has been collected to facilitate direct care. This output could then be used to identify future cohorts. The option of using the GPRCC will require an IG compliance assessment considering areas such as: authority from all the data controllers who have shared data in the central repository to support direct care; an assessment of compliance with the Nottinghamshire Records and Information Group s (RIG) guidance which outlines the systems, processes and controls for secondary uses of data; potential update of existing data processing agreements or information sharing agreements supporting flows to the GPRCC; and agreement from the relevant Caldicott Guardians (for the organisations who legally own the data within the central repository). List of attachments: (e.g. project initiation document or proposal) MOU between NHS England and Clinical Commissioning Group/Local Authority (jointly known as an early adopter site); Page Page 3 of 14

4 g leaflet (outlined what IPC means) g Data Sharing leaflet g Consent form g Staff Guidance when recruiting individuals to the programme Further related documentation as these are produced (e.g. g survey questionnaire) Page 4 of 14

5 Brief description of the data affected (is this confidential data e.g. health information, criminal records or other information people are likely to consider as private?): Personal identifiable data will be shared with local g partners with explicit consent of the participants for coordination of care and delivery of g. Non- data (anonymised) will be shared with the NHS England evaluation team for evaluation purposes and in order to shape the wider development of the programme. Participants will be made aware of this data sharing requirement but explicit consent will not be captured given the sharing relates to anonymised data only. In order to identify future cohorts, linked data sets will need to be used. There are a number of options relating to this for due consideration. The principles are that if this is person identifiable data is processed for a secondary purpose of identifying future cohorts, then explicit consent will be required. Alternatively, pseudonymised datasets may be processed (none data) under strict IG controls to identify future cohorts (but without needing to process data), consent for this is not necessarily required as long as the appropriate controls are in place. At the point of needing to process linked datasets, an IG assessment will need to be undertaken to ascertain the legal basis for processing and controls that need to be in place. Financial data will also need to be shared about the programme - but this will not be person identifiable information. Details of data being processed: Whole records/referrals Local identifier only * NHS Number * Name * Date of birth Postcode (full) * Postcode (LSOA) 1 Age (exact or <1 year) Age bands 5 years Age bands 10 years * Ethnicity * Gender Religion * Disability * GP practice Other (please describe): Will data be: * Anonymised * Pseudonymised 2 * Fully identifiable (PID) If processing is for secondary purposes (i.e. not related to direct care) and fully identifiable information is to be used, please explain why anonymised or pseudonymised data will not meet the project objectives? The data processed for different elements of g will be anonymised (i.e. for evaluation purposes), potentially psuedonymised (for linked datasets and cohort identification) and fully identifiable for care coordination and g delivery. These all have different IG considerations which will be risk mitigated within this PIA. 1 Lower Layer Super Output Area: relates to first half of postcode and number only of second half. Much public health reporting and published Indices of Deprivation are based on LSOA and this is the standard that is widely accepted and expected for large scale research/statistical reporting. 2 A pseudonym is replacing identifiable information with a key which does not identifiable an individual. Page 5 of 14

6 Frequency of transfers: (delete as applicable) One off / daily / weekly / monthly / quarterly / annually / other (please state): Variable depending on purpose of sharing. There is not one data flow and not one purpose for data sharing. Please provide details on how long data will be retained by any organisation involved with processing, and destruction arrangements (attach supporting documents where appropriate) Data will be retained in accordance to the Health and Social Care Records Management Code of Practice 2016 retention periods, or in accordance with a locally agreed data sharing agreement. For participates who consent to be involved and then withdraw consent at a later date- within the information leaflet it outlines previously collected data will be retained and not deleted. Organisations involved and stakeholders: Organisation The Clinical Commissioning Groups (Lead Organisation) Nottinghamshire County Council (Partner Organisation with Nottingham City Clinical Commissioning Group) NHS England Stakeholders Nottingham City Care (Contracted assessment & Care Provider) Contact Name and Details Debbie Draper, g Programme Manager; d.draper@nhs.net Jane Cashmore, Commissioning Manager: jane.cashmore@nottscc.gov.uk Maria Smith, Senior Manager for Integrated Personal Commissioning - Midlands and East Integrated Personal Commissioning & Personal Health Budgets Teams maria.smith1@nhs.net Contact Name and Details (Where applicable) Tracy Tyrrell Director of Nursing and Allied Health Professionals Nottingham City Care Tracy.tyrrell@nottinghamcitycare.nhs.uk All patients/ citizens recruited to the g Programme Patient (and their carers and families) If the data involved in the project/activity is anonymised and the sharing is between organisations who have a legitimate* reason to receive the data you don t need to complete stage 2. However please highlight how you will keep the data secure and mitigate any risks. N/A Have you considered if an information sharing agreement is required? Page 6 of 14

7 Yes in regards to the data sharing with NHSE as part of the data sharing for evaluation purposes. This will need to be put in place at the point the data sharing commences. All local partners are involved in the care coordination, IG Toolkit compliant and therefore an information sharing agreement will not be put in place locally. Stage 2 Describe and map the data flows and who will have access to the data (who is collecting, receiving, transferring or storing the data): Nottingham CityCare, Clinical Commissioning Group and Local Authority Sharing identifiable data locally for the purposes of (ongoing) co-ordination of care. Also key for cohort (1) identification of known patients / citizens. (This will include the sharing of financial data relating to packages of care); CityCare worker (Contracted by Clinical Commissioning Group) or social care worker Collects sign up to consent form by patient / citizen; CityCare worker or social care worker Circulates questionnaires to consenting citizens for surveys and feedback collated to SQW/NHS England (Pseudonymised); The Clinical Commissioning Groups - Processing of analysed linked datasets to inform future cohort(s)- Nottinghamshire County Clinical Commissioning Group sharing anonymised data with the national evaluation team. Health Data Flow chart.pdf This flow chart demonstrates the flow of data. Will the project involve the collection of new confidential information about individuals? (if yes, please describe) Yes Will the project compel individuals to provide confidential information about themselves? (if yes, please describe) No- however consent will be necessary. Will information be disclosed to organisations or people who have not previously had routine access to the information? (if yes, please describe) Yes- but this will be with consent or anonymised data only Are you using information about individuals for a purpose it is not currently used for or in a way it is not currently used? No - however consent is captured regarding the purposes Page 7 of 14

8 Will explicit consent be obtained from data subjects? 3 Yes verbal, recorded in record * Yes written, scanned into record * No not required No other reason If explicit consent is not to be obtained, please state reason(s) below: Yes for sharing identifiable data locally. However patients will not need to provided consent for sharing anonymised data but will be informed about this. Will the project require you to contact individuals in ways which they may find intrusive? (if yes, please describe) No What security arrangements will be put in place to ensure the confidentiality and information security of confidential data? (consider any residual threats to data security) All data and information will be processed within the auspices of existing information governance and data sharing processes in place across key stakeholder organisations. This includes existing arrangements for storage and security of data to be stored. (Use of safe addresses in respect of patient identifiable information, encrypted equipment and devices to support day to day operations). What will be the impact of decisions brought about by the project or activity and processing of PID? (please highlight both positive and adverse impacts either directly or indirectly) Greater levels of citizens accessing gs, specifically people currently accessing health and / or social care who have complex needs. The anticipated impact of take up is: Better quality of life for people with complex needs and their carers, with greater involvement in their care, because it has been designed around their needs and circumstances. Fewer crises in people s lives that lead to unplanned hospital admissions. Better integration and quality of care, including better experiences for people and families. Specific outcomes for citizens that are part of the g programme includes the following, which they will experience across social care, health and education provision: Be able to access information and advice that is clear and timely and meets their individual information needs and preferences. Experience a coordinated approach by those who provide them with care and support that is open and honest, and empowering. Have access to a range of options for support to help build knowledge, skills and confidence in managing their own health and wellbeing from others with similar experiences, and through the community or networks in which they live and operate. 3 The individuals who the records are about. Page 8 of 14

9 Be valued as an active participant in conversations and decisions about their health and wellbeing. Be central in developing their ised care and support plan and agree who is involved. Be able to agree the health and well-being outcomes they want, and also learning outcomes in the case of children and young people. Wider implications from the implementation of g could include changes to g processes / approaches for target area groups, where this is deemed to be feasible and practicable. If applicable, please give details of any service user/staff/public consultations that are going to take place, or have taken place in relation to this processing? (include internal and external stakeholders) Please return the completed PIA to Paul Gardner- Nottingham City Clinical Commissioning Group Head of IG Section 3 (to be completed by the Information Governance Department) Approval and Sign Off IG Lead comments and recommendations: Recommendation 2 as below. OUTCOME: 1) Sufficient information provided above illustrating controls, mitigation and management to proceed with the project/activity with no further action (no significant privacy concerns) IG approval Caldicott Guardian approval SIRO approval YES YES YES YES 2) Proceed with project completing and or managing the below actions (appendix A) to reduce and or manage the identified risks IG approval Caldicott Guardian approval SIRO approval YES / NO YES / NO YES / NO Page 9 of 14

10 3) Stop the project/activity because significant corporate or compliance risks have been identified which required senior sign off IG approval Caldicott Guardian approval SIRO approval NO NO NO Approving group or Committee (if appropriate): Caldicott Guardian and g SRO Nichola Bramhall, Director of Nursing and Quality and Caldicott Guardian, South Nottinghamshire County CCGs Elaine Moss, Director of Quality and Governance and Caldicott Guardian, NHS Mansfield and Ashfield CCG and NHS Newark and Sherwood CCG Date: 24 July 2017 Page 10 of 14

11 Appendix A: Action Plan Identified Risks and Agreed Actions What are the key privacy issues and associated compliance and corporate risks? (Some privacy issues may have more than one type of risk i.e. it may be a risk to individuals and a corporate risk). Consider if project process needs to be adapted to address privacy concerns? Describe the actions you could take to reduce the risk and any future steps which would be necessary (e.g. new guidance, inform and or engage patients of a particular change, put in place an information sharing agreement or data processing contract etc.) Risk and risk lead (responsibility for the action) Data about g participants may be captured and shared without the appropriate fair processing requirements being met and appropriate legal basis in place. This could result in a patient complaint, loss of trust or confidence or an incident/data breach being raised with the ICO because of non-compliance with data protection. Lead: Solution (s)/actions taken to reduce the risk Robust participant engagement process has been developed which includes: The initial recruitment involves only known cohorts and recruitment of these will be by the team with an existing legitimate relationship with those individuals. Development of g leaflet which has been taken via patient groups and feedback included to ensure this is clear and understandable. Development of data sharing leaflet which includes a clear outline of all data sharing requirements to be provided to all participants. Consent form developed which captures patient consent to share identifiable data, puts patients on notice about sharing of anonymised data for evaluation purposes and captures an additional consent to future proactive involvement in the g programme going forward (e.g., surveys, focus groups, peer support networks). For patients who consent to be more proactively involved additional information leaflets will be provided and where required Result: Is the risk reduced, eliminated or accepted? Is impact proportionate in considering aims of project? Reduced Implementation of outcomes back into project and review date Review progress routinely as part of g Board Page 11 of 14

12 g Programme Manager with support from IG consent captured for further data sharing. To aid further understanding staff guidance has been developed to take participants through the g recruitment process. This will also ensure consistency in the process. Risk to data security and inappropriate sharing of data in appreciating all the different partners involved in the g Programme. The result of this risk could be a breach of security or data protection. Lead: g Programme Manager and wider team Data sharing with NHSE evaluation team without formalised data sharing agreement in place required to outline the purpose of sharing, practical arrangements, security considerations and limitations of data use etc. The g Programme lead has outlined security requirements in the above section what security measures will be in place to ensure the confidentiality and security of information of a confidential nature. Strict adherence to IG policies and procedures will ensure security and confidentiality of information which includes the Clinical Commissioning Group s information security policy, data protection and confidentiality policy, safe haven policy, policy on use of , remote working policy and network security policy. Additionally all staff involved in the g will ensure they complete and keep in data with IG training. Any issues re security or confidentiality will be raised with the Clinical Commissioning Group IG manager for support and advice. Any new data flow outside the agreed flows will require future IG approval and Caldicott Guardian approval if necessary. Participants are made aware as part of the recruitment process of the requirement to share anonymised data with NHSE for purposes of evaluating success of the g Programme. Robust local Clinical Commissioning Group processes will be embedded to ensure data is effectively anonymised before this is shared with NHSE. This will also include the security processes and data transfer arrangements in place. At the point in which data will be shared with NHSE an information sharing agreement will be put in place to outline practicalities of sharing and expectations of Reduced Reduced Review progress routinely as part of g Board Review progress routinely as part of g Board Page 12 of 14

13 Without a formal sharing agreement this could result in data loss or use of data outside expectations. Lead: g Programme Manager with support from IG and Head of Research and Evaluation In order to identify future cohorts the Clinical Commissioning Group and LA will need to link datasets. This is processing data for a secondary none direct care purpose and therefore an appropriate legal basis is required to complete this work. Lead: g Programme Manager with support from IG purpose of sharing and data use. Reference will also need to be set out regarding the onward sharing with SQW and how this third party are expected to use and protect data. This document will support the business relationship between NHSE and the Clinical Commissioning Group/LA as set out in the MOU. Additionally the Clinical Commissioning Group s Head of Research and Evaluation is involved in advising and supporting the evaluation elements of the g which includes the local Clinical Commissioning Group assurances. At the point at which future cohort identification is required and the process for doing this has been scoped. IG will need to be involved to complete an IG compliance assessment. If GPRCC is the preferred method the below actions will also need to be confirmed: authority from all the data controllers who have shared data in the central repository to support direct care; an assessment of compliance with the Nottinghamshire Records and Information Group s (RIG) guidance which outlines the systems, processes and controls for secondary uses of data; potential update of existing data processing agreements or information sharing agreements supporting flows to the GPRCC; and agreement from the relevant Caldicott Guardians (for the organisations who legally own the data within the central repository). Cannot reduce risk until processes agreed/scoped and IG compliance assessment completed. Approval will also be required from the respective Clinical Commissionin g Group Caldicott Guardians. Review progress routinely as part of g Board Page 13 of 14

14 Other low risks relating to data retention, data quality and accuracy requirements will be managed in accordance to the document assurances in this PIA and operationally by the g Programme manager. Page 14 of 14