Training Workbook
2017 - 2018
Use the answer sheet (on last page) to submit your answers
Index
Page 1 IG & you
Page 2 What's new
Page 3 What is IG?
Page 4 Why is IG important?
Page 5 Personal, confidential & sensitive information
Page 6 Sharing information & consent
Page 7 Why protect information?
Page 8 Caldicott Report
Page 9 Good Record Keeping
Page 10 Cyber Security
Contacts
IG Support
Page 12 How to protect Information
To ensure compliance with the law and NHS requirements, all NHS staff must be
appropriately informed of their legal responsibility to keep patient and staff
information confidential and secure. The Department of Health has mandated that
such Information Governance training should be undertaken on an annual basis.
Put simply, Information Governance is to do with the rules that should be followed
when we process information. It allows organisations and individuals to ensure
information is processed legally, securely, efficiently and effectively.
IG applies to all the types of information which the Trust may process, but the
rules may differ according to the type of information concerned.
In this Workbook you'll look at how you can make sure you follow the right
processes and procedures when you process information: in other words, how to
practise good Information Governance (IG).
You'll find out about:
How to avoid breaching confidentiality law and guidelines
How to comply with data protection and freedom of information legislation
Good record keeping
Effective information security.
All of the above topics will give you good knowledge and skills to provide an
effective, confidential and secure healthcare service. You will also find out how
your contribution to IG best practice is very important.
All IG Policies, procedures and guidance documents are available on the
IG Intranet Page at http://qehkl-inet/
Information Governance (IG) determines the ways the Trust processes or handles
information about our patients and staff. It includes aspects of the law such as the
Data Protection Act 1998, the Freedom of Information Act 2000 and the common
law duty of confidence. It also incorporates national guidance from the Department
of Health, such as the codes of practice on confidentiality, records management and
information security.
IG covers personal information, i.e. that relating to patients/service users and
employees, and corporate information, such as finance and estates records.
Information Governance provides a way for Trust staff to deal consistently with the
many different rules about how information is handled. This will ensure that
everyone can be more confident that information is:
Properly protected
Only shared when it is right and proper to do so
Accurate and up to date
Available when and where it is required
Ultimately, it means that the Trust will be able to deliver the best possible service to
our patients.
REMEMBER: Breaches of confidentiality can have not only a monetary impact, but
could also result in damaging both patient trust and our reputation.
The rules and procedures that make up Information Governance ensure that we
provide a confidential service to our patients and they feel safe in the knowledge that
they can trust us with their information.
NHS Standards
NHS Care Record Guarantee 2011
The NHS Care Record Guarantee for England sets out the rules that govern how patient
information is used in the NHS (i.e. safely and securely) and what control the patient
can have over this.
Confidentiality: NHS Code of Practice 2003
This document sets out the required standards of practice concerning confidentiality
and patients' consent to use their health records.
Data Handling Review 2008
After serious losses of personal information, including the loss in 2007 of computer
disks containing the names, addresses and bank details of 25 million child benefit
claimants, the Government conducted a Data Handling Review (June 2008). This sets
out mandatory measures for public bodies on protecting personal data such as staff
training and committed the Government to publicly reporting progress on putting
these measures into place.
NHS Constitution 2009
The NHS Constitution describes the principles of the NHS in England and the rights and
responsibilities of patients, public and staff. One such right is that patients can expect
the NHS to keep their confidential information safe and secure.
The NHS Operating Framework 2010/11
The Department of Health (DH) published an Operating Framework which set out
objectives for the NHS. Key themes included complying with all IG requirements
(including mandatory annual IG training) and the reporting of all information risk and
incidents.
The requirements of these are covered within this workbook and further guidance is
available at: www.hscic.gov.uk
Confidential Service
We must ensure that information is kept secure and reported as an incident when it is
not. From these reports we can then improve our work practices to prevent further
incidents.
Staff who have little or no contact with patients will still see and hear information
about patients that must be kept confidential. You may see a neighbour, friend or
colleague attending the hospital as a patient. This remains that individual's confidential
information. Furthermore, we are all still bound by the laws of confidentiality even
after we leave the workplace.
Patient Trust
Providing services to patients places us in a position of public trust, and everyone has
to work hard to avoid failures that not only could cause significant patient
embarrassment or distress but could become the next day's headline and lead to fines
against the Trust or individuals.
To keep patient information confidential, secure, accurate and up to date,
EVERYONE must help.
This isn't always straightforward. For example, a person's name and address are clearly
personal information when presented together, but an unusual surname may by itself
be enough to identify someone. This is an important distinction in law.
Abuse of Privilege
It is strictly forbidden for staff to knowingly browse, search for or look at any
information relating to themselves, their own family, friends or other persons
without a legitimate purpose (e.g. treating a patient). This includes accessing paper or
electronic health records, test results etc.
Action of this kind will be viewed as a breach of confidentiality, of Trust policy and of
the Data Protection Act, and will be dealt with under the Trust's Disciplinary Policy.
1. The person has given consent for the disclosure. For patients:
Consent may be implied for care purposes and related purposes that support or
check the quality of care provided.
For other purposes consent should be specifically sought.
2. There is a legal basis which permits or requires disclosure of confidential
information (e.g. a court order).
3. There are exceptional circumstances (e.g. investigation or prevention of serious
crime) where the overriding public interest outweighs the duty of confidentiality.
Duty of confidence
A duty of confidence arises when sensitive information is obtained and/or recorded in
circumstances where it is reasonable for the subject of the information to expect that
the information will be held in confidence.
Patients provide sensitive information relating to their health and other matters as part
of their seeking treatment and they have a right to expect that we will respect their
privacy and act appropriately. The duty can equally arise with some staff records, e.g.
occupational health, financial matters, etc.
Patients have a right to be informed about how we will use their information for
healthcare, the choices they have about restricting the use of their information and
whether exercising this choice will impact on the services offered to them. The Trust has
produced a patient leaflet, "Your information, your rights", which informs patients of
the reasons we collect confidential information about them. This leaflet is available in
all clinical areas across the Trust.
Explicit consent
Where it is proposed that patient information is disclosed outside of the Trust for
purposes other than healthcare, in most cases it is necessary to ensure that the patient
has explicitly consented to this happening, e.g. patient-identifiable information used
for research purposes.
Legal requirement
Always remember confidentiality is a legal requirement, supported by the
confidentiality clause in your contract and, where applicable, your professional code of
conduct. The Trust is required to:
Inform patients about how personal information relating to them will be used
(see the patient leaflet "Your information, your rights", available in all clinical
areas);
Inform patients of their right to object to the disclosure of their confidential
personal information outside of the Trust; and
Seek explicit consent before disclosing patient personal information for
non-healthcare purposes (unless, rarely, an exception applies).
The Data Protection Act 1998: The Act sets out how the Trust should process and
handle personal data. It also details the rights of the individual in relation to the data
that is held about them. This applies to all data being held. These rules also apply to all
records an employer holds about you e.g. finance details and personnel records.
There are eight Data Protection Principles that define how organisations should look
after information. Any breaches of these principles can result in legal action being
taken against an individual and/or the organisation.
Principle 1 - Personal data should be processed fairly and lawfully: There should
be no surprises - inform patients why you are collecting their information, what
you are going to do with it and who you may share it with.
Principle 2 - Personal data should be processed for a specified purpose: Only use
personal information for the purpose(s) for which it was obtained, e.g. healthcare.
Principle 3 - Data should be adequate, relevant and not excessive: Only collect
and keep the information you require.
Principle 4 - Data should be accurate and up to date: Always check patient details
when they arrive to keep information up to date.
Principle 5 - Data should not be kept for longer than necessary: The NHS Records
Management Code of Practice lists the minimum retention period for every type
of record (available on the IG intranet site).
Principle 8 - Not transferred outside the EEA without adequate protection: Not all
countries outside Europe have Data Protection legislation.
All FOI requests must be responded to within 20 working days of the Trust
receiving the request. If you receive an FOI request directly, please forward
it immediately to Brian Pursglove, the Legal Services Support Officer, who can be
contacted on Ext 3429.
5. Do you understand your responsibility and duty to the subject with regards
to keeping their information secure and confidential?
Everyone should understand their responsibility for protecting information, which
generally requires that training and awareness sessions are put in place.
If the intention is to share the information, those people must also be made
aware of their own responsibility for protecting information and they must be
informed of the restrictions on further sharing.
6. Do you understand the law and are you complying with the law before
handling the confidential information?
There are a range of legal obligations to consider when using confidential
information. The key ones that must be complied with by law are provided by the
common law duty of confidentiality and under the Data Protection Act 1998.
If you have a query around the disclosure of medical or other confidential
personal information you should go to your Line Manager initially then the IG
Manager if you are still not sure. For serious and complex issues your Manager
should contact the Caldicott Guardian for advice and guidance.
Meet expectations
Only use personal information in ways that people would reasonably expect.
You don't need to obtain consent every time you use or share personal information for
the same purpose, provided you have previously informed the individual: they should
already know what is happening and have raised no objections.
Sharing information for care
Sharing information with the right people can be just as important as not disclosing to
the wrong person.
Where sharing will assist the care or treatment of an individual and it is reasonable to
believe that they understand the information sharing that is needed to support that
care you have a legal duty to share the information.
Respect objections
Normally, if the individual objects to any proposed information sharing, you must
respect their objection even if it undermines or prevents care provision.
Cyberattack
noun: cyberattack
An attempt by hackers to damage or destroy a
computer network or system, which can lead to
information and identity theft.
THINK TWICE!
[Figure: annotated example of a scam email; the annotations read:]
Language a bit strained, not business-like
What's that in front of the sign?
And the big giveaway?
THINK TWICE!
[Figure: annotated example of a parcel-delivery phishing email; the annotations read:]
Hover the cursor over the online link and you get the real name of the link:
thewoodelf.co.uk!!
And IT'S NOT HIS PHONE PROVIDER EITHER!!
HE HASN'T ORDERED
http://www.dhl.co.uk/content/gb/en/express/tracking.shtml?printPage=true&position=right&brand=DHL&AWB=2407600416 (JsReport - JavaScript based reporting platform)
DO NOT CLICK ON THE LINK
DO NOT REPLY
NOTIFY THE ICT SERVICE DESK
SELECT THE EMAIL, RIGHT-CLICK IT AND MARK IT AS JUNK
DELETE THE EMAIL
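The "hover over the link" check in the annotations above can be automated for mail triage. The following is an added example, not part of the workbook or of any Trust system: it parses a constructed sample of a phishing-style HTML email body and flags every link whose visible text names a different host from the one its href really points to. The sample message (SAMPLE_EMAIL_HTML), the hosts in it and the function names are assumptions made for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing-style HTML email body (not a real message).
# The first link shows a DHL tracking address but its href goes to another host;
# the second is honest (visible text and href name the same host); the third
# is plain words, so there is no displayed host to compare against.
SAMPLE_EMAIL_HTML = """
<p>Your parcel could not be delivered. Track it here:</p>
<a href="http://thewoodelf.co.uk/track?id=2407600416">http://www.dhl.co.uk/express/tracking.shtml</a>
<p>Or visit <a href="https://www.dhl.co.uk/">www.dhl.co.uk</a> and
<a href="https://www.dhl.co.uk/help">click here</a> for help.</p>
"""


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def normalise_host(host):
    """Lower-case a hostname and drop a leading 'www.' so hosts compare evenly."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def host_shown_to_reader(text):
    """Return the host a reader would infer from the link text, or None when
    the text is plain words (e.g. 'click here') that name no host at all."""
    candidate = text.strip()
    if "://" in candidate:
        return normalise_host(urlparse(candidate).hostname)
    if " " in candidate or "." not in candidate:
        return None
    return normalise_host(candidate.split("/")[0])


def find_mismatched_links(html):
    """Return one finding per link whose displayed host differs from the host
    its href actually leads to: the automated form of hovering over the link."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if not href:
            continue
        actual = normalise_host(urlparse(href).hostname)
        shown = host_shown_to_reader(text)
        if shown is not None and shown != actual:
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


if __name__ == "__main__":
    for finding in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"Link text claims {finding['shown']} but really goes to "
              f"{finding['actual']} ({finding['href']})")
```

The comparison is deliberately an exact match on the normalised host: a look-alike such as dhl.co.uk.example differs from dhl.co.uk and is flagged rather than waved through. Links whose text is plain wording cannot be checked this way and still need the reader's hover check, which is why the third sample link produces no finding.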
Security measures can be divided into three groups and the table below provides some
examples.
The key principle is to overlap security measures, whenever possible, to avoid situations
where only one measure protects against the danger. Overlapping is good practice as it
avoids total reliance upon a single measure that may fail e.g. an outside security door
(a physical measure) may be left open by staff, but security staff carrying out routine
checks (a people measure) at the end of the day discover the open door and secure it
before anything is stolen.
Reporting Incidents
Probably the worst position for any organisation is not knowing that a risk exists, or
not knowing that security measures are failing because incidents are not being reported.
You are the expert in your work area at assessing potential problems, such as doors or
windows that don't lock properly or confidential information left in public access areas.
Early intervention will help minimise any impact and ensure corrective action can be
swiftly taken so that incidents do not recur a second or third time.
We all have an obligation to act responsibly and to be aware of our local policies and
procedures for reporting incidents. All new incidents should now be reported on the
Datix system accessed via the Intranet. Full details are available on the Risk
Management Intranet page.
Fax
When faxing confidential information:
Only send it by fax if it is absolutely necessary and there is no alternative method
Use the Confidential Fax front sheet (available from the IG Intranet site)
Make sure you double check the fax number you are using. It is best to dial from a
directory of previously verified numbers
Check that you are sending a fax to a recipient with adequate security measures in
place, for example, your fax should not be left uncollected in an open plan office
If the fax is sensitive, ask the recipient to wait by the fax machine & confirm receipt
For further guidance refer to the Safe Haven Procedure on the IG Intranet site
You must not release any information on a social networking website which you
have obtained as part of your job role (e.g. "Guess who I saw at the hospital
today?")
You must not discuss any aspect of patient care on a social networking website,
even if you believe you are chatting to the actual patient
You must not use social media sites or other non-work related sites when you
are supposed to be working.
Defamatory remarks about the Trust or any of its employees must not be made.
What may be considered to be letting off steam about a work situation can
potentially be read by someone who may take offence at the content of a
posting
The date and time that comments or photos are posted are often visible on
these sites please bear this in mind if using them at inappropriate times (e.g.
during work hours)
Social networking sites should not be used for raising and escalating concerns
(commonly referred to as whistleblowing). For further guidance see the Trust's
Policy for Staff When Expressing Concerns about Standards of Care or Other
Trust Activities (Whistleblowing)
Be aware that even in your private life, what you post on Social Media may be
subject to disciplinary action
For further guidance, see the Social Media Policy available on the
Information Governance intranet page
Users of this workbook must demonstrate that the course has been completed by
answering the following IG questions, using the assessment sheet on the last page of
this workbook, and submitting their responses to their Line Manager or directly to the
IG Team, who will update their Electronic Staff Record.
Question 1
Who is responsible in the hospital for the security of confidential information?
(Select one option)
Question 2
What are the potential consequences of a patient information security breach?
(Select four options)
Question 3
Two healthcare assistants (HCAs) are bed-bathing a patient. One HCA starts talking
about Sarah, a nurse on the ward who was taken ill at work and admitted to the
gynaecology ward. She tells the other HCA that Sarah is a lot better. The following
week Sarah is at work and the patient asks her if she should be back at work so soon.
Did the HCAs breach the duty of confidentiality? (Select 1 option)
A. No, Sarah had not been admitted to that ward; she wasn't one of their patients,
so no duty of confidentiality was owed
B. Yes, the duty to maintain confidentiality is part of the duty of care to all
patients
C. No, the HCA only mentioned that Sarah was admitted, not what was wrong
with her
Question 4
A young man was treated in A&E for stab wounds. Later, police enquiring about a
vicious fight nearby ask for, and are given, the patient's name by the doctor on duty.
Why was the doctor justified in disclosing this information?
(Select 1 option)
Question 5
Which of the following can you not do?
(Select 3 options)
A. Access the test results of friends or relatives you are not treating
B. Enter the hospital health records library and read your own health record
C. Apply to the hospital to have a copy of your health records sent to you
D. Access a patient information system you have not been trained in
Question 6
Which of the following is the best course of action if you receive a suspected phishing
or scam email?
(Select one option)
A. Reply to the email stating that they must have the wrong email address
B. Click on the requested link to see if it is a scam email
C. Mark the email as Junk and then delete it
D. Forward it to your line manager
E. Notify the ICT Service Desk, mark as Junk and delete
Question 7
Which of the following statements regarding the Data Protection Act 1998 is correct?
(Select one option)
Question 9
Which of the following is typical of a strong password?
(Select one option)
Question 10
Which of the following should not be used to send personal information unless
absolutely necessary?
(Select one option)
A. Post
B. Fax
C. Email
D. Telephone
IG Training
Full Name:_______________________________Department:_____________________________
First name + Surname - Please use block capitals
I confirm that I have read and understood the IG Training Workbook
Signed:________________________ Date:____________________________
Question 1 A B C D E (Select 1)
Question 2 A B C D E F (Select 4)
Question 3 A B C (Select 1)
Question 4 A B C (Select 1)
Question 5 A B C D (Select 3)
Question 6 A B C D E (Select 1)
Question 7 A B C D (Select 1)
Question 8 A B C D E (Select 1)
Question 9 A B C D (Select 1)
Question 10 A B C D (Select 1)
% Achieved = _____________________