
Local authorities responsible for 10% of data security breaches. What can Caldicott Guardians do?


The integration of health and social care means personal and sensitive data about patients need to be shared between local government and healthcare organisations. This has become more and more crucial in the drive for person-centred care and to meet the needs of an ageing population.

But data sharing is highly regulated. We’re noticing increasing pressure on local authorities from health and social care partners to evidence strong data security and information governance.

Despite this, local government is responsible for 10% of all reported data security breaches, according to the latest figures from the Information Commissioner’s Office (ICO). Of these, 21% affected social care data and 16% affected health or clinical data[i]; this is the second-highest level outside of the NHS[ii]. What is more worrying is that this represents a 34% rise on the previous quarter.

Why is this important?

Local authorities find it harder to work with health and social care partners without evidence of compliance. Data security is also more in the public eye than ever before. People are increasingly aware of their rights, and of how to raise concerns if their information isn’t managed appropriately. Health data is classed as some of the most sensitive personal data, and poor handling of information can cause significant detriment and distress to affected individuals. The legal consequences of not managing information carefully are also severe: fines from the ICO can be up to £500,000, and in rare cases criminal charges can be brought.

But this should not prevent the sharing of data. The challenge is striking the right balance between the protection of the patient or user’s information, and the use and sharing of such information to improve care (Caldicott Review).

What does this mean for healthcare?

Successful delivery of health and care services relies on patient trust and disclosure. Patients also expect their care to be seamless – requiring the appropriate sharing of information across the care team.

The Health and Social Care Information Centre (HSCIC) sets out the regulation and standards for the secure management of healthcare data. Like any organisation that utilises healthcare data, Local Authorities must provide assurances to the HSCIC of their compliance with these standards. This is accomplished through the submission of an annual assessment against the IG Toolkit and by signing the Information Governance Statement of Compliance (IG SoC).

What should Caldicott Guardians do?

Caldicott Guardians are appointed individuals within an organisation, responsible for ensuring appropriate security of confidential information. Based on our experience of supporting the sector, here are five things we think you should be doing:

1. Embed Information Governance into project planning. Using a simple checklist as part of the internal project documentation will ensure IG questions are asked (and answered) before a project is approved. This should include ensuring that privacy impact assessments are completed for each project and that new data flows are recorded.

2. Rationalise data sharing agreements. It’s easy for the documents used to support flows of information to become unmanageable. Consider developing a standard set of documentation across all sectors with your care partners.

3. Know what your key information risks are. Ensure that the information asset register is current and reviewed regularly. This will provide oversight of the key information risks and allow you to manage them accordingly.

4. Monitor incidents and breaches. Allow the organisation to learn from issues and provide a feedback mechanism for staff to raise their awareness. This was an area flagged this week in the Caldicott report and by the CQC.

5. Communicate responsibilities. Make sure that all staff understand their responsibilities and handle confidential information securely. This was also a key message from the National Data Guardian for Health and Care’s review of Data Security, Consent and Opt-outs published on 6th July 2016.

We know that some organisations’ resources are stretched and that they require additional, experienced IG support. If you would like more information on how we can help you, please contact me on 07939 129791 or alan.bonfield@monmouthpartners.com, or visit Information Governance and Security Services to find out about Monmouth’s information governance, risk and compliance services.