INFORMATION GOVERNANCE. Caldicott Approval Procedure

Transcription

1 NHS TAYSIDE INFORMATION GOVERNANCE Caldicott Approval Procedure Author: Peter McKenzie Review Group: Information Governance Group Review Date: September 2010 Last Update: September 2009 Document : NHST-ISC-CAP Issue : 1.2 UNCONTROLLED WHEN PRINTED Signed: Executive Lead

2 NHS Tayside Caldicott Guardian Approval Procedure Role of the Caldicott Guardian Caldicott Guardians will be responsible for agreeing and reviewing internal protocols governing the protection and use of patient-identifiable information by the staff of their organisation or those shared with other NHSS organisations. Guardians will need to be satisfied that these protocols address the requirements of national guidance/policy and law and that their operation is monitored. Caldicott Guardians will also be responsible for agreeing and reviewing protocols governing the disclosure of patient information across organisational boundaries, e.g. with social work services and other partner organisations contributing to the local provision of care. These protocols should underpin and facilitate the development of cross boundary working, health improvement programmes and other changes. Patient Identifiable Information The term patient identifiable information means any data item or combination of data items by which a patient's identity may be established. Commonly used patient identifiable data items are; Forename Surname Address Postcode Telephone / Fax CHI Date of Birth Diagnosis address The Caldicott Principles Justify the purpose(s) Every proposed use or transfer of patient-identifiable information within or from an organisation should be clearly defined and scrutinised, with continuing uses regularly reviewed by an appropriate guardian. Don t use patient-identifiable information unless it is absolutely necessary. Patient-identifiable information items should not be used unless there is no alternative. Use the minimum necessary patient-identifiable information. Where use of patient-identifiable information is considered to be essential, each individual item of information should be justified with the aim of reducing identifiability. Access to patient-identifiable information should be on a strict need to know basis. Only those individuals who need access to patient-identifiable information should have access to it, and they should only have access to the information items that they need to see. Everyone should be aware of their responsibilities. Action should be taken to ensure that those handling patient-identifiable information both clinical and non-clinical staff are aware of their responsibilities and obligations to respect patient confidentiality. Understand and comply with the law Every use of patient-identifiable information must be lawful. Someone in each Organisation should be responsible for ensuring that the organisation complies with legal requirements. NHS Tayside NHS Tayside Caldicott Guardian Approval Procedure Page 1 of 11

3 Access Control Access control is essential for ensuring that only authorised persons have: physical access to computer hardware and equipment; access to computer system utilities capable of over-riding system and application controls; access to manual files containing confidential information about individuals; access to computer files and databases containing confidential information about individuals Access to Confidential Information about Individuals Access to person identifiable information will be restricted to those staff who have a justifiable need to know in order to effectively carry out their jobs. The Caldicott Principles underpin the approach that NHS Tayside will adopt. Registered access levels will be used to further limit the access of authorised persons to the minimum information that they need to carry out a task or function. This is particularly relevant to information held electronically, but the principles apply to all records, e.g. staff who need access to manual files for filing purposes should not need to access the information already contained within the files. There are also legal restrictions on who may see certain patient-identifiable information. Only staff whose responsibilities include the treatment of individual patients with such diseases or who are involved more widely with the treatment or prevention of disease, such as those employed by public health departments, should be permitted access to such information. Access Levels and Registration There will be formal and documented user registration for access to all person-identifiable information held in confidence, where multiple users need access. Although this is mainly applicable to electronically held information, the principles extend to manual files. It is particularly important that it is clear, at any point in time, just who should have access to what information and the purpose the information is to be put to. Applying for Caldicott Guardian Approval to Access or Record Patient Information The application process relies upon the completion of a Confidentiality Statement and Data Processing Specification (appendix 1) An approved application is relevant to the specific research/study/project/audit that is specified in the application. The information provided on that basis must not be used for other purposes. The Confidentiality Statement The contents of the Statement are described below. However, the Statement is an approval document and is not expected to contain adequate information to allow authorisation for anything but the simplest of situations. Therefore, it is likely in most cases that additional application information will be provided in support of the application in the form of: Ethics Committee letter of approval, including any recommendations made by the Committee. Where ethics approval has not been necessary an indication of that to be included. An outline of the research/study/project/audit programme indicating; The purpose of the research/study/project/audit - to conform to Data Protection and Caldicott Principles. Any person identifiable information to be used and any anonymisation that will be applied. The arrangements to be employed in contacting/inviting/informing/interviewing/follow up of individuals as part of the research/study/project/audit, where this will occur. NHS Tayside NHS Tayside Caldicott Guardian Approval Procedure Page 2 of 11

4 The management arrangements - to define responsibilities and to confirm that all agreed arrangements take place. Specification of the users and departments/agencies/organisations/companies that will have access to the information - to define responsibilities and if necessary confirm that all have been made aware and will abide by NHS Tayside rules of confidentiality and security. A specification of any manual or computer databases to be devised as part of the research/study/project/audit indicating; Software to be used Who will be developing the database and their employer Where the database will be run from Relevant security arrangements: access control, backup and restore, ongoing support, etc. The arrangements for disposal of the information held. Your arrangements for accessing and processing identifiable personal data must be summarised in a Data Processing Specification for each data source. User Details - the details of the person who is responsible for the work to be undertaken associated with the information to be provided. There is a requirement that this person will abide by NHS Tayside rules of confidentiality and security in using the provided information. Sponsor Details - the details of the NHS Tayside person who is supporting the provision of the information in question, usually to be signed by a consultant if patient data is requested and the applicant is not of that status or is not medically qualified Data Protection Reg.. - only relevant to organisations or agency outside NHS Tayside. Data Requested - a brief description of the information that is to be provided. This is to be supported by the completion of a Data Processing Specification for each data source. Co-users of the Data - a list of individuals who will have access to the information provided and who will be under the management/supervision of the User. Intended use of Data - a brief description of the purposes that the information will be put to. User's Declaration - dated signature of the User. Sponsor's Declaration - dated signature of the Sponsor. Data Processing Specification: - to ensure that it is clear what data is being requested and that the applicant has made appropriate arrangements to gain access with those responsible for managing that data and that the data provided will be managed appropriately by the applicant, a data processing specification is required for each data source. Return Details - completed applications along with supporting documentation to be returned to the Information Governance Office. A flowchart describing the process for application for Caldicott approval is included in appendix 2. Confirmation of Approval Once Caldicott approval has been given the User will receive a confirmation letter and copy of the approved application. Further Development The outcome of research/study/project/audit programmes is often that further work or development in to departmental systems is considered. In such cases further consideration must be taken beyond the Caldicott Guardian approval process and the original approval will unlikely be adequate. NHS Tayside NHS Tayside Caldicott Guardian Approval Procedure Page 3 of 11

5 Where further development is being considered then the NHS Tayside Project Approval Process must be followed in order that such development is considered by the ehealth Group in the context of the NHS Tayside ehealth Strategy. (appendix 3) NHS Tayside NHS Tayside Caldicott Guardian Approval Procedure Page 4 of 11

6 CONFIDENTIALITY STATEMENT - for users of person identifiable data Appendix 1 User Details Name: Position: Organisation: Address: Sponsor Details Name: Position: Organisation: Address: Tel: Tel: Data Protection Reg.. Data Requested : A Data Processing Specification must also be completed. Co-Users of the Data : Intended use of data (inc. publications) : User s Declaration I declare that I understand and undertake to abide by the rules for confidentiality, security and release of data received from NHS Tayside. Signature Date On completion, please return this form to: Information Governance Officer NHS Tayside Ashludie Hospital Monifieth Dundee DD5 4HQ Sponsor s Declaration (to be signed by a consultant if patient data is requested and the applicant is not of that status or is not medically qualified) I declare that the above named user of the data is a bona fide worker engaged in a reputable project and that the data requested can be entrusted to this person in the knowledge that they will conscientiously discharge their obligations in regard to confidentiality of the data. Signature Date Release authorised by Date Ref.. For NHS Tayside use only NHS Tayside NHS Tayside Caldicott Guardian Approval Procedure Page 5 of 11

7 RULES ON CONFIDENTIALITY, SECURITY AND RELEASE OF INFORMATION FOR USERS OF NHS PATIENT DATA 1) If the data received from NHS Tayside are to be held on computer, the signatory of this request, or the organisation (s)he represents, should have an appropriate registration with the Office of the Data Protection Registrar. Details of the registration number should be entered on this document. 2) Data received from NHS Tayside must not be used for any purpose other than for the intended use specified on this document. 3) Data received from NHS Tayside must not be divulged to any person who is not specified as a co-user of the data on this document. 4) Proper safeguards should be applied in keeping the data and destroying it on completion of the work/project declared to prevent any breach of confidentiality. 5) Any misuse or loss of these data should be notified immediately to the Information Governance Officer for NHS Tayside at Ashludie Hospital, Monifieth ( ). 6) Recipients of information supplied by NHS Tayside are reminded that the data has been supplied for the purposes stated in the approved study only. Further submission for approval will be required for any other uses of that data. 7) Any statistics or results of research based on data received from NHS Tayside should not be made available in a form which: a) directly identifies individual data subjects b) is not covered by the intended use of data specified NHS Tayside would welcome copies of any publications based on data supplied. Information Governance Ashludie Hospital Monifieth DD5 4HQ Telephone : Fax : NHS Tayside NHS Tayside Caldicott Guardian Approval Procedure Page 6 of 11

8 CALDICOTT APPROVAL - DATA PROCESSING SPECIFICATION To be submitted with application for Caldicott Approval For each separate source of patient identifiable data that you intend to access in support of your study please provide the following information. Data Source: (Medical Records/System Name) Data Items: (list the data items that you will require from the named data source) Data Source Contact Details: (who have you agreed access to the source data with?) Name: Designation: Base: Tel : address: Data Storage Arrangements: (where arrangements are described in a supplied study protocol then reference to the relevant sections of the protocol can be used) Location: (NHS Tayside, University, etc.) Device to be held on (desktop, laptop, network storage, etc.) Access Controls (how will the data be protected from unauthorised access?) Encryption: (will encryption be used to protect the data?) Anonymisation: (how will the identity of individuals be protected) Format (spreadsheet, database, etc.) If you intend to make contact with patients identified through the processing of this data, indicate how this will be done and how you will ensure that it is appropriate to contact them. It is recommended that contact with patients is through correspondence signed by the patient s GP/Clinician or Head of Clinical Service. NHS Tayside NHS Tayside Caldicott Guardian Approval Procedure Page 7 of 11

9 Appendix 2 - NHS Tayside Confidentiality Statement Flowchart Has your project been approved? Yes Yes Are you going to be accessing patient records or patient identifiable information? You need to get approval from the project stakeholders before you can proceed any further! You require Caldicott approval You do not require Caldicott approval Obtain copy of the Confidentiality Statement and Data Processing Specification from Staffnet Complete User Details on form The Sponsor is usually Lead health or social care organisation The lead employer of the researchers The provider of funding Do you have approval of and details of the project sponsor? Yes Complete details of sponsor on form. Obtain details of the sponsor before proceeding. NHS Tayside NHS Tayside Caldicott Guardian Approval Procedure Page 8 of 11

10 Will data received from NHS Tayside be held on computer? Yes Where data is to be held on a computer, the signatory of this request, or the organisation(s) he/she represents, should have appropriate registration with the Office of the Data Protection Registrar. Details of the registration number should be entered on the appropriate confidentiality statement Where databases are to be created refer to information requirements in the main procedure under Confidentiality Statement section. Do you know the registration number? Obtain the registration number from the organisation that will be holding the information. Yes Enter details on form Enter a brief statement about the data requested and complete a Data Processing Statement for each data source. Data received from NHS Tayside must not be divulged to any person who is not specified as a co-user of the data on the confidentiality statement. Will there be cousers of the data? Yes Full details must be included in the confidentiality statement Full details of the intended use of data must be included NHS Tayside NHS Tayside Caldicott Guardian Approval Procedure Page 9 of 11

11 Include full details of intended publications Yes Do you intend to publish the data? Any statistics or results of research based on data received from NHS Tayside should not be made available in a form which: Directly identifies individual data subjects Is not covered by the intended use of data specified Indicate the period for which the data will be retained Proper safeguards should be applied in keeping the data and destroying it on completion of the work/project declared to prevent any breach of confidentiality Complete the user declaration and have the sponsor complete their declaration on the form Once the form is fully completed, pass to the Information Governance Officer who will obtain Caldicott approval on your behalf. A copy of the authorised confidentiality statement will then be retuned to you to retain as part of your project/research. As noted in the main procedure it is most likely that supporting documentation will have to be provided with the Confidentiality Statement and Data Processing Specifications. Please ensure that you have included this information to avoid delay in processing the application. NHS Tayside NHS Tayside Caldicott Guardian Approval Procedure Page 10 of 11

12 Appendix 3 NHS TAYSIDE: Ehealth/IM&T Computer Systems STANDARD BUSINESS CASE tes: 1. The standard business case will be presented to the ehealth and Area Business IM&T group for clinical and business systems respectively for approval to ensure that any proposal is consistent with the ehealth strategy for NHS Tayside. 2. A separate Standard Business Case Template is required for each individual proposal. 3. Standard business cases should be completed in conjunction with the under-noted members of staff to ensure that all IM&T aspects of the project are covered within the business case to:- Mr Stewart Hunter Mr Ian Fenton stewart.hunter@nhs.net ian.fenton@nhs.net If a scheme covers all the areas within Tayside then any of the above will assist in preparation of the business case. 4. where funding for the project has been identified the support of the relevant Finance staff must be agreed. 5. please note that submissions will only be accepted on this template. 6. tes written in italics are provided for guidance/example only and should be deleted completely before templates are returned. 7. Any queries with this template should be raised, in the first instance, with Stewart Hunter, Tel: Ext Title of the Project Proposal This should include speciality/operational system name E.g. Photobiology, catering systems 2. Introduction/Background - Strategic Objectives A brief overview of the strategic objectives of the proposal relevant to ehealth strategy and how it would impact on Clinical Group/ Service/ Departmental objectives. - Clinical needs A brief overview of the clinical objectives of the proposal relevant to the Group/ Service/ Department/ Facilities clinical needs, as well as those other Departments/ Areas/Groups that rely upon its support.e.g. introduction of computer system may improve information for the clinician but may also impact on the medical records service. - Proposed Outcomes benefits to patient NHS Tayside NHS Tayside Caldicott Guardian Approval Procedure Page 11 of 11

13 A very brief overview of the proposal and how patients and the service will benefit from it? E.g. Will they been seen quicker, will they have to travel less, will they be reviewed by fewer people, etc? NB. This is expanded upon in section Description of the service concerned. - Current Service What does the service look like now and why does it have to change? - Proposed Service What will the service look like if this proposal is implemented? 4. List of options A brief high-level outline of those alternative options for the service initially considered, including brief reasons why each was excluded. 5. Preferred Option A brief narrative describing the preferred option (the proposal) in more detail, explaining the relationship between it and the strategic objectives of the ehealth Strategy as well as meeting the Clinical Directorates/Departments objectives.. 6. Revenue Impact Where financial resources have been identified, these need the support of your accountant within the finance dept. 7. Capital Cost As above. 8. Risk Assessment Please identify any risks to the project either by not implementing the proposal or any known risks associated with developing and implementing the project at this stage. NHS Tayside NHS Tayside Caldicott Guardian Approval Procedure Page 12 of 11

14 Project Approval Process Funded Stream n Funded Stream Commercial Supplier Proposal ehealth Programme Director Business Case (template) ehealth / Area Business IM&T Groups Prioritisation Group ICT Maryfield CTC Ninewells Commercial Supplier NHS Tayside NHS Tayside Caldicott Guardian Approval Procedure Page 13 of 11