Information Sharing Policy

Transcription

1 Information Sharing Policy DOCUMENT CONTROL: Version: 1 Ratified by: Risk Management Sub Group Date ratified: 19 December 2012 Name of originator/author: Information Governance Manager Name of responsible Information Governance Steering Group committee/individual: Date issued: 20 December 2012 Review date: December 2015 Target Audience All staff

2 CONTENTS SECTION PAGE NO 1. INTRODUCTION 3 2. PURPOSE 3 3. SCOPE 4 4. RESPONSIBILITIES, ACCOUNTABILITIES AND DUTIES 4 5. PROCEDURE/IMPLEMENTATION Legal and Guiding Principles Who needs information Information Sharing Agreements Informed decision-making for sharing information 9 6. TRAINING IMPLICATIONS 10 7 MONITORING ARRANGEMENTS EQUALITY IMPACT ASSESSMENT SCREENING Privacy, Dignity and Respect Mental Capacity Act LINKS TO ANY ASSOCIATED DOCUMENTS REFERENCES APPENDICES Flowchart of Key questions for information sharing Information Sharing Agreement Template 15 Page 2 of 18

3 1. INTRODUCTION Government policy places a strong emphasis on the need to share information about service users between health care organisations, professional bodies and commercial third parties, in order to provide the effective provision of seamless care. It is also important that service users trust providers to respect their privacy and keep their information confidential. The public services involved in the provision of health and social care have a legal responsibility to ensure that their use of personal information is lawful, properly controlled and that an individual s autonomy is respected. It is important to achieve a balance between the need to share information to provide quality care and protecting confidentiality. 2. PURPOSE The purpose of the Information Sharing Policy is to outline the guiding principles for information sharing, based on legal and ethical requirements. The policy aims to: Provide a framework to establish and regulate working practice and to provide guidance to enable the secure and confidential sharing of person-identifiable information; Provide guidance and explain the security and confidentiality laws and principles which underpin the use and exchange of person-identifiable information; To define the common purposes for sharing personal information; Remove barriers to effective information sharing; To ensure compliance with the Information Governance Toolkit. 2.1 DEFINITIONS Personal Information Any data from which an individual can be identified either from the data or from the data and other information which is in the possession of, or likely to come into the possession of, the data controller Sensitive Information The Data Protection Act defines categories of sensitive personal data, namely, personal data consisting of information as to:- a) the racial or ethnic origin of the data subject, b) their political opinions, Page 3 of 18

4 c) their religious beliefs or other beliefs of a similar nature, d) whether they are a member of a trade union, e) their physical or mental health or condition, f) their sexual life, g) the commission or alleged commission by them of any offence, or any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings. Anonymised Information Anonymisation is where all elements of potential identifiers to be removed completely so that it does not identify an individual. Pseudonymised Information Where data is anonymised but retains a single key such as a code or reference number, known only to the provider of the information so that when it is shared, the provider can link back to the individual. 3. SCOPE This policy applies to all Trust staff, and any staff undertaking activities on behalf of the Trust including agency staff and contractors, as well as volunteers, visitors and service users. 4. RESPONSIBILITIES, ACCOUNTABILITIES AND DUTIES 4.1 Chief Executive The Chief Executive has overall responsibility for Information Sharing in the Trust and for establishing and maintaining effective policies and procedures for meeting all statutory requirements and guidance relating to the processing and sharing of all types of information and data. 4.2 Director of Business Assurance The Director of Business Assurance has responsibility for governance processes including information and as Senior Information Risk Owner (SIRO) is accountable for the management of all risks relating to information and data security. 4.3 Medical Director As Caldicott Guardian the Medical Director has responsibility for overseeing all arrangements, protocols and procedures where confidential patient information may be shared. 4.4 Information Governance Manager The Information Governance Manager has responsibility for the implementation of the Information Sharing Policy and that Page 4 of 18

5 information sharing systems and processes are developed, coordinated and monitored. 4.5 Records Manager The Records Manager has responsibility to ensure that when sharing information there is compliance with records management and safe haven policies, processes, standards and legislation. 4.6 Managers Managers have a responsibility to make themselves familiar with the requirements of this policy and for advising staff to make themselves familiar with and understand the need for robust protocols to support working with partners and sharing information. 4.7 Staff All staff are responsible for the safety and confidentiality of information and that they comply with relevant legislation, guidance and policies and procedures at all times. Staff should also ensure that they are up to date with mandatory Information Governance training. Failure to comply with this policy may have serious consequences for the care of service users and the organisation and may include the individual being subject to civil, criminal or disciplinary proceedings. 5. PROCEDURE/IMPLEMENTATION Information sharing partners may use personal-identifiable information for different purposes, the main being for: managing the care and treatment of services users assuring and improving the quality of care and treatment prevention and detection of serious crime safeguarding children and vulnerable adults research and development On no account must personal identifiable information be divulged to anyone other than an authorised person who is either concerned directly with the care, diagnosis and/or treatment of an individual or has a justified non clinical need. If there is any doubt whatsoever as to the authority of the person or body asking for information of this nature advice must be sought from your line manager, Information Governance Team. If a query requires advice out of hours the manager on call should be contacted. Any inappropriate disclosures of information should be reported through the incident reporting system. Page 5 of 18

6 5.1 Legal and Guiding Principles Legal Principles The sharing of personal-identifiable information is subject to three major legal considerations Common Law Duty of Confidentiality, Human Rights Act 1998 and the Data Protection Act Common Law of Confidentiality is not coded in an Act of Parliament but built up from case law where practice has been established by individual judgement. The main principle is that information confided should not be used or disclosed further, except as originally understood by the confider or with their permission. As a result information can be only shared with the consent of the service user or where the information has been properly anonymised. Article 8 of the Human Rights Act 1998 covers the individual s right to privacy and states: Everyone has the right to respect for his private and family life, his home and his correspondence. Although this right is not absolute a breach must be justified. In order to justify a breach, the following will need to be shown: acted in accordance with the law; acted in the pursuit of a legitimate aim; and acted in a way necessary in democratic society. The Data Protection Act 1998 provides a framework that governs the processing of person-identifiable information personal data. Processing includes holding, obtaining, recording, using and disclosing of information. The Act applies to all forms of media from paper to images. The principles are: Be processed fairly and lawfully and shall not be processed unless certain conditions are met. Be obtained for specified and lawful purposes and shall not be processed in any manner incompatible with those purposes. Be adequate, relevant and not excessive for those purposes. Be accurate and kept up to date. Not be kept for longer than is necessary for those purposes. Be processed in accordance with the data subject's rights under the 1998 Act. Be the subject of appropriate technical and organisational measures against unauthorised or unlawful processing, accidental loss or destruction. Not be transferred to a country outside the European Economic Area, unless that country or territory has equivalent levels of protection for personal data. For further information on Data Protection please refer to the Data Protection Policy on the Trust website. Page 6 of 18

7 Guiding Principles Guiding principles are based on the six principles of good practice identified by the Caldicott Report, Justify the purpose what is the purpose of the disclosure? This should be clearly defined and scrutinised by Caldicott Guardian. Only Use patient identifiable information when absolutely necessary is the proposed disclosure a proportionate response to the need? Information should not be disclosed unless essential for the purpose specified. Use only the minimum necessary - what is the nature and extent of the information to be disclosed? Should be on a strict need to know basis - to who is the disclosure to be made? Everyone who has access to patient identifiable information should be aware of their responsibilities Understand and comply with the law In addition to the Caldicott principles the NHS Confidentiality Code of Practice describes the duty of confidence arising when one person discloses information to another. The Code: is a legal obligation that is derived from case law; is a requirement established within professional codes of conduct; must be included within NHS employment contracts as a specific requirement linked to disciplinary procedures; must be included in third party contract; must be included in all information sharing agreements. 5.2 Who needs the information? Internal Services within the Trust Health care for service users can run across more than one service and it is important that where relevant information is shared to enable that the care treatment and support needs are met. Coordinating Care with Social Services and other Agencies Health care is commonly a shared responsibility between health and local authorities; joint access to client information is essential if that responsibility is to be fulfilled effectively. Bodies such as housing authorities have an important part to play in helping people regain access to normal living and social inclusion, and they need to have appropriate information if they are to provide the right level of support and act in the interests of all of their residents and the wider population. The service user needs to be aware that some information sharing will be necessary and this can usually be discussed with the service user as part of the Care Planning Process. If a service user raises any objections the possible consequences of not having a Page 7 of 18

8 coordinated approach should be explained and assurance given that other agencies would receive only information which they really need to know (see also the Care Programme Approach Policy for further information). Any objections should be recorded in the service user s notes. The service user s ultimate decision should be respected unless there are overriding considerations to the contrary. Regulatory Bodies There are regulatory bodies that require notification of specific instances such as death of detained service user and Absent without Leave service user which require notification to the Care Quality Commission. This information is required to be either anonymised or pseudonymised. Coroners All enquiries from the Coroner s office are dealt with by the Information Governance Team through the Access to Health Records Policy. When a request is received the information is released by the Information Governance Team only with prior approval from the Assistant Director. Police /Court/Prison/Probation As with any general disclosure of information, requests from the police/ court are dealt with by the Information Governance Team. Staff must not feel pressured or intimidated into giving information just because the police have requested it. Information can only be released if the service user or employee has given their consent or with a court order. Please refer to the Access to Health Records Policy for more information or contact the Information Governance Team. In certain circumstances an individual s right to confidentiality may be overridden by the public s interest in having access to information. Decisions to disclose such information must be discussed with the Information Governance Team. The decision made must be recorded in the relevant file (e.g. health record/personnel file) and the reasons justifying the action taken. If a service user is taken into custody or appears in court, information may need to be exchanged. This may be necessary to ensure that those who need care receive it and that the criminal justice authorities can take the individual s health (including mental health) into account in determining the appropriate outcome. When an offender who is a service user is serving a community sentence, or has been released from custody, probation staff can be in the position of supervising people who are either receiving health care or are in need of such care. Probation staff need regular contact with the appropriate health workers to ensure that they are Page 8 of 18

9 fulfilling their public protection duties. An explicit and agreed approach to information sharing must be in place for sharing with the police or probation service. NHS Protect Formerly known as the NHS Counter Fraud and Security Management Service operate under the authority of the Secretary of State for Health Directions on Countering Fraud in the NHS. This direction places specific duties upon RDaSH to make available to NHS Protect any files or data as required in the pursuance of its counter fraud function. In addition, it has statutory powers conferred by the NHS Act 2006 that require the production of any documents containing information relevant to the exercise of any of its functions, further advice can be sought from the LCFS. Press and Broadcasting Media Under no circumstances should staff communicate directly with any press and/or broadcasting organisations. The Trust has a designated point of contact within Business Assurance Directorate for all press enquiries. Any queries should be referred to the Head of Communications. 5.3 Information Sharing Agreement This policy sets out the framework for Information Sharing however Information Sharing Agreements must be developed with the various agencies with which the Trust works with. An electronic register for all Information Sharing Agreements will be managed by the Information Governance Team that will ensure an agreement is in place with the required agencies and that the agreements are reviewed and re-signed on an annual basis. Whether the Trust is developing or is required to sign up to a third parties Information Sharing Agreement this will be agreed by the Information Governance Steering Group prior to signing and implementation. The authorised signatory for Rotherham Doncaster and South Humber Foundation Trust is the Caldicott Guardian. 5.4 Informed decision making for sharing information If the Trust is asked to share information or feels that information should be shared the Information Governance Team will make an informed decision on a case per case basis whether to do so unless there is a statutory duty or court order to share. Key questions to be considered are (see also appendix 1): 1. Is there a clear and legitimate purpose to share the Page 9 of 18

10 information? Take each case for sharing information individually if you acted previously one way it does not mean that the same course of action is required every time. If in doubt seek advice contact the Information Governance Team. NB: Names need not to be used at this point. 2. Does the information enable a person to be identified and is it confidential? Information should be shared with consent wherever appropriate staff should be open and honest with service users from the outset as to what, why and how information should or could be shared. 3. If there is no consent is there a good reason not to seek it, is there sufficient public interest to share? 4. If information is to be shared will it be done appropriately and securely? Only share what is necessary make sure the information being shared is relevant, accurate, and proportionate. Can it be anonymised or pseudonymised Ensure that an effective system is in place to ensure that the information is shared securely and only to the authorised person. Please refer to the Safe Haven Policy and the Policy and Procedure for the Secure Storage and Transfer of Patient Identifiable Data for more details. 5. Have you recorded the decision regarding sharing information? Always keep a record of the decision made and the reasons for it whether you share the information or not. 6. TRAINING IMPLICATIONS As a Trust policy, all staff need to be aware of the key points that it covers. Staff can be made aware through a variety of means such as: Information Governance Training Local induction Team Brief Weekly Newsletter Team meetings Page 10 of 18

11 7. MONITORING ARRANGEMENTS Area for Monitoring How Who by Reported to Frequency Breaches In Policy Information Sharing Agreements Information Governance Toolkit Incident Reporting Process Information Governance Annual Report Annual Submission Information Governance Manager Information Governance Manager Information Governance Manager Information Governance Steering Group Information Governance Steering Group Risk Management Sub Group Information Governance Steering Group By exception Annual Annual 8. EQUALITY IMPACT ASSESSMENT SCREENING - The completed Equality Impact Assessment for this Policy has been published on the Equality and Diversity webpage of the RDaSH website click here 8.1 Privacy, Dignity and Respect The NHS Constitution states that all patients should feel that their privacy and dignity are respected while they are in hospital. High Quality Care for All (2008), Lord Darzi s review of the NHS, identifies the need to organise care around the individual, not just clinically but in terms of dignity and respect. Indicate how this will be met As a consequence the Trust is required to articulate its intent to deliver care with privacy and dignity that treats all service users with respect. Therefore, all procedural documents will be considered, if relevant, to reflect the requirement to treat everyone with privacy, dignity and respect, (when appropriate this should also include how same sex accommodation is provided). Page 11 of 18

12 8.2 Mental Capacity Act Central to any aspect of care delivered to adults and young people aged 16 years or over will be the consideration of the individuals capacity to participate in the decision making process. Consequently, no intervention should be carried out without either the individuals informed consent, or the powers included in a legal framework, or by order of the Court Therefore, the Trust is required to make sure that all staff working with individuals who use our service are familiar with the provisions within the Mental Capacity Act. For this reason all procedural documents will be considered, if relevant to reflect the provisions of the Mental Capacity Act 2005 to ensure that the interests of an individual whose capacity is in question can continue to make as many decisions for themselves as possible. Indicate How This Will Be Achieved. All individuals involved in the implementation of this policy should do so in accordance with the Guiding Principles of the Mental Capacity Act (Section 1) 9. LINKS TO ANY ASSOCIATED DOCUMENTS Policy for Clinical Record Keeping Standards and Clinical Records Management Access to Health records Policy Records Management Policy Information Governance Policy Informatics Security Policy Policy for the Secure Storage and Transfer of Person Identifiable Data (PID) Data Protection Policy Protocol For Access Control Policy for the Secure Storage and Transfer of Person Identifiable Data Safeguarding Adults Policy Safeguarding Children Policy Policy for the provision of, access to and use of interpreters for service users and carers Common Law of Confidentiality Data Protection Act 1998 Human Rights Act 1998 Confidentiality NHS Code of Practice Multi-Agency Public Protection Arrangements (MAPPA) and duty to cooperate Children Act 2004 Page 12 of 18

13 Crime Disorder Act 1998 NHS Act 2006 Secretary of State Directions on Countering Fraud in the NHS 2004 Safety and justice sharing personal information in the context of domestic violence ( 10 REFERENCES Human Rights Act 1998 Information Sharing and Mental Health Guidance to Support Information Sharing by Mental Health Services 11 APPENDICES Appendix 1 Flowchart for key question for information sharing Appendix 2 - Sharing Information Protocol Template Page 13 of 18

14 Appendix 1 Flowchart of Key questions for information sharing You are asked to or wish to share informational Is there a clear and legitimate purpose for sharing the information? No Yes No Does the information enable a person to be identified? Yes No Is the information confidential? Not Sure Seek advice from IG Team Yes Yes Do you have consent? No You can share Yes Is there sufficient public interest to share? (for advice contact IG team) No Do not share Share Information: Identify how much information to share Distinguish fact from opinion Ensure that you giving the right information to the right person Ensure you are sharing the information securely Inform the person that the information has been shared if they were not aware of this and it would not create or increase the risk of harm Record the information sharing decision and your reasons, in line with local procedures. If there are concerns that a child may be at risk of significant harm or an adult may be a risk of serious harm, then follow the relevant procedures without delay. Seek advice if you are not sure what to do at any stage and ensure that the outcome of the decision is recorded. IG@rdash.nhs.uk Telephone: Page 14 of 18

15 Appendix 2 Information Sharing Agreement (ISA) Between Rotherham Doncaster and South Humber NHS Foundation Trust (RDaSH) & <Second Party> Version: Draft 1 Name of originator/author: Effective date: Latter approval signature date on last page Review date: 2 years after latter signature date Page 15 of 18

16 This agreement defines the information that will be transferred between the organisations listed and arrangements for assisting compliance with relevant legislation and guidance including the Data Protection Act Parties to the Agreement Organisation Data Controller Rotherham Doncaster and South Humber NHS Trust (RDaSH) Caldicott Guardian Dr Navjot Ahluwalia ICO Notification Registration no: Z <Second Party> ICO Notification Registration no: Purposes of the Agreement General Requisites of the Agreement Both organisations have an up-to-date Data Protection Act Registration (Notification), which covers them for the information and activities detailed in this ISA. Each organisation signing this agreement shall have appointed a responsible officer who will ensure the protection of personal information e.g. Caldicott Guardian or senior manager responsible for data protection. Page 16 of 18

17 Both organisations will, as appropriate, ensure that records are accurate, complete and up-todate. Shared information will be stored in a secure fashion appropriate to its sensitivity. All equipment used and data transfer methods, within both organisations will meet current NHS security standards. Shared information will only be used for the agreed purposes. Specific Requisites Information to be Shared Methods Used for Sharing Data Usage and Record Retention Records will be retained and disposed of in accordance with the requirements of applicable current legislation. Staff Development/Support Issues Both organisations will ensure that all staff having access to the information shared will have received adequate security related training. Consent From Service Users Contact Details Comments or questions regarding this ISA should be addressed to: Page 17 of 18

18 <Name> <Title>, RDaSH. < address> Tel - <phone no.> <Name> <Title>, <organisation> - < address> Tel - <phone no.> Approval Signatures ISA Approved by: Date Print Name For Rotherham Doncaster and South Humber NHS Foundation Trust ISA Approved by: Date Print Name For <Second Party> Page 18 of 18