Month: August 2018

Managing Risk – No. 8

Introduction and comments

Information is valuable to primary care and the NHS as a whole, as it allows us to treat and protect patients and to design and provide them with the best possible services. It is important for practices to understand what information they hold, why they hold it and what safeguards are in place to protect the data. By doing so we can ensure that information is used in a secure and lawful manner, prevent information breaches and keep our patients’ trust.

This week we looked at information risk management and revisited the role of the Data Protection Officers (DPOs) and the reporting of breaches and serious incidents.

Review of action points from prior session

  • To do 22 Review your DPIA to see what technical and organisational measures are required for your Practice
  • To do 23 The list of contracts you have listed for Blog No. 5 will require an assessment of compliance against the Data Security and Protection Toolkit or against the questions asked within the template checklist. If the latter send letter and checklist template to provider/supplier to complete and follow the process outlined within the blog.
  • To do 24 Review information on the new Data Security & Protection Toolkit and sign up for Webex training sessions
  • To do 25 Log in or register for the Data Security & Protection Toolkit to start completing your submission before 31 March 2019

Work covered this week

Information Risk Management

Information risk should not be treated differently from any other risk to the practice, such as financial or workforce risk. You will already have risk management processes set up. We need to check whether information risks have been recorded within your risk registers and that mitigating controls have been put in place.

Where will information risks arise prior to a breach happening?

From the activities noted in Blog No. 2 – Information Asset and Data Flow Mapping and Blog No. 3 – Data Protection Impact Assessments (DPIAs), we have added possible risks to the practice and/or have identified risks from the DPIAs undertaken.

You may also conduct a physical audit of the practice to test staff awareness and processes and to establish whether there are any potential information risks or training needs. These activities will enable you to identify risks and will also provide good evidence for your Data Security and Protection Toolkit submission.

We have developed an information risk register. This lists the information risks we have identified at this practice and shows examples of the different types of risk. The Information Governance Staff Handbook should also be reviewed, as it details good practice for mitigating information risk to your Practice.

Data Protection Officer (DPO) in relation to GP Practices

To support the Information Risk Management process, there is a need to establish a structured framework and reporting mechanism. To meet the requirements of GDPR and the Data Security and Protection Toolkit, each Practice is required to appoint individuals to roles to support this framework and to deliver compliance.

GP Practices are considered Public Authorities under the provisions set out within Schedule 1 of the Freedom of Information Act 2000. This is due to the processing of Personal Confidential data for the NHS. GDPR specifies that all Public Authorities are required to appoint a Data Protection Officer (DPO).

The activities of the DPO within General Practice are detailed within the Information Governance Alliance GDPR guidance note for GPs and also their GDPR: Guidance on the Data Protection Officer.

Primarily, the DPO should deliver independent advice and monitor processing activities and practice. Because of the independent nature of the role, here are some activities the DPO can and can’t do:

It is a requirement for the DPO to monitor processing activities to ensure compliance with GDPR. The Practice is required to submit its DPIAs, Information Asset and Data Flow registers, risk registers and incident logs to the DPO on a regular basis so that the DPO can monitor compliance with Data Protection legislation and help prevent personal data breaches.

For the activities that the DPO cannot undertake, the Practice should ensure that there is a decision-making function and approval process in place. This is likely to be your Practice Caldicott Guardian.

As part of the Caldicott function, the Caldicott Guardian should be aware of processing activities, information risks to the Practice or any risks that would have any privacy implications to data subjects. The Caldicott Guardian can approve information sharing agreements, contracts and breach investigation reports. The Caldicott Guardian should be the Practice’s first point of contact on Information Governance/GDPR matters.

Your Practice’s DPO [Action point]

As you are aware, NWL CCGs have appointed a single DPO as an interim measure to help meet this responsibility until Practices decide how they wish to provide this service themselves. This arrangement can only work in the short term, in conjunction with the provision of GDPR support through this blog and our ability to access subject matter expert opinion through an IG consultancy. This is a time-limited resource and one which will reduce after November 2018. Whilst further support will continue to be available, this will be limited. It is essential that practices understand that it is a legal requirement for them to appoint a DPO who will be able to provide the services outlined in this blog.

Practices may decide to provide a DPO themselves, or consider a shared role across a CCG or federation. We have reminded CCGs about the limited timescale for implementation of DPOs to cover their GP practices in 2019, and are canvassing them for further support. We encourage NWL primary care health care communities to discuss this important issue at their CCG member meetings.

Information Governance Breaches and Serious Incidents

The Practice should ensure that robust mechanisms are in place for the reporting and monitoring of information breaches, whether they are serious incidents or near misses. GDPR defines a breach as follows:

Article 4(12) “Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Here are some examples of breaches or near misses:

In the event of a personal data breach, the individual should follow the Practice’s Incident Reporting policy. The policy should include the reporting mechanism and the roles the breach is reported to. The Practice should also follow NHS Digital’s Incident Reporting guidance.

The table below details which severity of breach is required to be reported to the ICO and which can be dealt with locally. This is the reporting structure set out in the new NHS Digital Incident Reporting guidance. It is a requirement that all Practices follow NHS Digital’s guidance on incident reporting.

The reporting mechanism is through the Practice’s Data Security and Protection Toolkit.

Reporting Structure:

GP Practices are required to report breaches through several mechanisms/bodies.

All levels of breach are required to be logged on the Strategic Executive Information System (StEIS), the NHS serious incident learning portal, and at Practice level through incident report forms/logs. Any resulting risks should also be included within the information risk register. These will need to be provided to the DPO on a regular basis to assess whether the mitigating actions are effective and the risk has been minimised.

Should a potential or actual breach occur, please consult the Caldicott Guardian and the DPO.

Resources Used

Output Documentation

Learning points

  • The earlier data flow mapping exercise and DPIA should provide much of the information required for information risk management.
  • Your practice must appoint a DPO.
  • Be aware of what your DPO can and can’t do and ensure your Caldicott Guardian is aware of their responsibilities.
  • NHS Digital has issued a guide on incident reporting which must be followed.
  • All levels of breach are required to be logged on StEIS and on Practice incident report forms/logs.

Practice checklist

  • To do 26 Check whether information risks have been recorded in your risk registers and that mitigating controls are in place. Look at your data flow mapping and DPIAs.
  • To do 27 Conduct a physical audit in your practice – test staff awareness and processes to see if there are any potential information risks or training needs.
  • To do 28 Review the example information risk register and update for your practice
  • To do 29 Review the Information Governance Staff Handbook to check you are following best practice, if not update your information risk register
  • To do 30 Discuss the future provision of a DPO for your practice (at a practice or CCG or Federation level) and if you have not done so already make arrangements to appoint one in 2019.
  • To do 31 Ensure you have a decision-making function and approval process in place (Practice Caldicott Guardian).
  • To do 32 Make sure you have an incident reporting policy in place. The policy should include the reporting mechanism and roles the breach is reported to.
  • To do 33 Review NHS Digital’s Incident Reporting guidance and ensure you follow it.

Next session on 30.08.18

(Blog No. 9 due 04.09.18)

We will be looking at how we provide electronic access to patient records in routine circumstances and the issues around providing proxy access for children and patients who may lack capacity.

GDPR Accountability – No. 7

Introduction and comments

We made a change to our schedule this week, and instead of fair processing we have looked at the levels of accountability which we are required to demonstrate under GDPR:

  1. Practice accountability – the technical and organisational measures that need to be in place in order for us to be able to demonstrate this.
  2. Third-party supplier accountability and contract management.

We will cover fair processing in a later blog and you can view the updated timetable here.

As an aside, we have continued to get many questions related to GDPR, and a recurring theme has been how to respond to various scenarios related to Subject Access Requests (SARs). I wanted to take this opportunity to clarify an important principle related to whether or not practices can levy a charge for SARs. We had previously, and in retrospect incorrectly, reflected an observation that it should be the purpose of the information which guides the decision to charge and if that purpose is the production of a medical report (regardless of who generates the report) then the practice can make a charge. We have now discussed this with the ICO and have had clarification that practices should only charge when they themselves are creating a medical report. In summary, then, we cannot charge a lawyer or insurance company who are requesting information on behalf of the patient even if that purpose is for the production of a medical report unless we have been asked to generate that report.

How to manage the significant resource demand which will fall to general practice as a result of SARs remains a thorny problem. We believe that the best way forward in the longer term will be to prepare our medical records and share them widely with our patients, so that SARs can be responded to through this mechanism. Here is a thoughtful blog about that subject which we recommend you read; it recognises that this is not a straightforward process and highlights some of the challenges ahead.

Access to your Medical records online – It’s hard work for practices, even to do the right thing….

Review of action points from prior session

  • To do 18 Check your renewal date for registration with the ICO; you will need to change to the new payment regime on renewal.
  • To do 19 Complete the Template Record of Processing
  • To do 20 Check the legal bases for processing for different categories of data
  • To do 21 Using the Policy Document Template, create a Policy Document for each category of data

Work covered this week

1) Measures to demonstrate Practice accountability

Accountability is one of the data protection principles of GDPR. Not only are we responsible for complying with GDPR, but we must also be able to demonstrate our compliance. Whilst this is not a new principle, it is now a legal requirement.

This week we looked at technical and organisational measures which allow us to do this over a range of activities including:

Data Protection Impact Assessments (DPIAs), which we covered in Blog No. 3, can be excellent examples for showing the controls we have in place within our organisation to demonstrate our compliance.

The old IG Toolkit provided a way of evidencing accountability, and this will continue with the new Data Security and Protection Toolkit. It is now a mandatory requirement for all organisations that process NHS data to complete the Data Security and Protection Toolkit, which has been updated to include GDPR and also contains new recommendations to increase cybersecurity.

The new toolkit can be found at https://www.dsptoolkit.nhs.uk/ and must be completed and submitted by 31st March 2019. As before, your IG lead will be required to sign your practice up to the toolkit. The difference this year is that instead of a process of self-declaration (“Yes, we have done it”), there will now need to be external validation (“Show us how you are compliant with the following requirement”).

CCGs are required to ensure that GP Practices are compliant with the Data Security and Protection Toolkit, so will be monitoring GP Practice compliance on an annual basis (after 31st March of each year). The specific nature of the external validation processes is yet to be clarified, but CQC inspection will almost certainly require evidence that the IG toolkit has been assessed and validated by an external assessor. The toolkit itself will help practices to demonstrate the actions they have taken to meet GDPR requirements and will be a repository which will allow scrutiny of any supporting evidence.

We will be revisiting the IG toolkit in a later blog and will provide templates to help you collate evidence for your Data Security and Protection Toolkit submission, which will be shared on this website.

2) Third-Party Supplier and Contract Monitoring

As part of the principle of accountability, there is a requirement for data controllers to show that they monitor the performance of their data processors. This links in with the work we have done on DPIAs (Blog No. 3 DPIAs) and Contract Reviews (Blog No. 5 ISA & DPA).

Where processing is taking place, you should ask the third-party supplier for the independent audit of their Data Security and Protection Toolkit (this should be in the contract Terms and Conditions). The Template Data Processing Terms and Conditions (Crown Commercial Service templates) were provided in Blog No. 5.

Some of these data processing services may have been commissioned by the CCG and will have had contractual details as part of the commissioning process. In these circumstances, compliance should be monitored by the CCG as the organisation which has commissioned the service. You should ask the CCG for their validation/review of provider/supplier compliance.

When working on the contract reviews we stated that Practices should be using the Crown Commercial Service templates, which include those Terms & Conditions. Whilst there is a processing agreement between GPs and EMIS as their data processor, there is not a similar arrangement with TPP. NHS Digital has advised that in the case of TPP this has been covered by local call-offs signed by CCGs, in addition to a signed deed of undertaking which protects individual GPs against supplier data protection breaches.

Most data processors will be using the Data Security and Protection Toolkit (previously the IG Toolkit), and monitoring should be a simple matter of them providing you with their Toolkit compliance report.

If they are not taking part in the Toolkit, or have not had an audit and you need further assurance, you can use a Provider Assurance Monitoring Checklist. We have included two checklists – one for NHS data and one for non-NHS (employee) data. The checklist is more detailed than the Toolkit report but should not be required in the majority of cases for processors dealing with NHS data. We have also included a letter template for you to send to your third-party processors with the checklist.

Practices must monitor responses (you can use the Contract Log), and if there is sufficient assurance, set an annual review date. If the response is inadequate and shows a level of non-compliance, send a second letter detailing the specific requirements to be met by a given date. State that if the requirements are not met you will consider termination of the contract, a financial penalty (if included in the T&Cs) or reporting data security concerns to the ICO.

Resources Used

Output Documentation

Learning points

  • This week’s activity provides an opportunity to review any DPIAs to make sure they are comprehensive and meet the accountability requirements by detailing the technical and organisational measures in place in your practice.
  • The Data Security & Protection Toolkit must be submitted by 31 March 2019
  • Evidence of assurance must be obtained from third-party data processors either through a Data Security and Protection Toolkit assessment or from the response to the checklists stated above.

Practice checklist

  • To do 22 Review your DPIA to see what technical and organisational measures are required for your Practice
  • To do 23 The list of contracts you have listed for Blog No. 5 will require an assessment of compliance against the Data Security and Protection Toolkit or against the questions asked within the template checklist. If the latter send letter and checklist template to provider/supplier to complete and follow the process outlined within the blog.
  • To do 24 Review information on the new Data Security & Protection Toolkit and sign up for Webex training sessions
  • To do 25 Log in or register for the Data Security & Protection Toolkit to start completing your submission before 31 March 2019

Next session on 23.08.18

(Blog No. 8 and No. 9 due 28.08.18)

We will be covering two topics next week – reporting mechanisms through the DPO and access to records by children. There will be two separate blogs covering these subjects.