The Northern, Yorkshire & Humberside
NHS Directors of Informatics Forum
Information Governance Sub-Group
Yorkshire & Humber Area Strategic Information Governance Network (SIGN)
Lecture Room, Goole & District Hospital, Woodland Avenue, Goole, DN14 6RX
Minutes of the Meeting held on Friday 8 December 2017
Present:
Caroline Britten / CB / Head of IG / Leeds Community HealthcareHayley Gillingwater / HG / Senior IG Specialist / EMBED
Leon Kaplan / LK / IG Officer / DMBC
Narissa Leyland / NL / IG Lead / NHS England
Steve Massen / SMa / IG Security Specialist / RDaSH
Sue Meakin (CHAIR) / SMe / IG Manager / RDaSH
Caroline Million / CM / Head of IG / EMBED
Adam Mosley / AM / Audit and Information Manager / The Retreat, York
Gershon Nubour / GN / IG Manager / EMBED
Tracey O’Mullane / TO’M / IG Officer / Humber NHS FT
Derek Stowe / DS / IG Manager / RFT
Lynne Trickett / LT / IG Officer / RDaSH
Roy Underwood / RU / Head of IG / DBTHFT
Peter Wilson / PW / IG CSS / STH
John Wolstenholme / JW / Information Manager / SHSC
In Attendance:
Geof Welford-Dart / GW-D / Local Implementation Manager / National Data Opt-out Programme / NHSE1. Apologies:
June Emptage / Optum Commissioning Support GroupJeremy Daws / NLaG
Kay Fowler / Lindsey Lodge Hospice
Jenny Pope / NHSD
Mike Taylor / DCCG
Barry Jackson / EMBED
Sue Drury / NHSD
Susan Hall / Audit Yorkshire
Carolyn Sampson / SCH
Caroline Squires / Calderdale Clinical Commissioning Group
Andy Nutting / Leeds City Council
ACTION
National Data Opt-Out Programme – Presentation by NHS England
GW-D from NHS England attended the meeting to give a presentation of the National Data Opt Out Programme which will give patients more control of how their personally identifiable data is used. Awareness is now being raised and NHSE is visiting as many organisations across England as possible so organisations know how to speak to patients about this.
A team is currently working with patients regarding the usability of the system and are also material and product testing. From March 2018 patients will be able to opt out of sharing their data. Organisations then have to uphold this opt out which will be a staged process up to 2020. GW-D confirmed they are working with the ICO in relation to the GDPR in order to align the programme.
Opt out will be via www.nhs.uk, included with the link there will be information on the benefits of data sharing. Off line methods will also be available through a contact centre, email, letter and telephone. It was confirmed opt out is instant.
For any organisation not connected to the spine a system is being built and organisations will be able to put information in a drop box which is linked to the spine. It was noted an NHS number is required to be able to opt out.
A discussion took place on opting out for other people if the NHS number is known or found out. CB asked how anyone can opt out without proving who they actually are. It was agreed this could carry a lot of risk.
PW asked if a patient can opt out of some things and not others? It was agreed there will only be one question to opt out of.
GW-D stated work is being undertaken with the data team at NHSE to align this with the GDPR ‘right to object’. The age of when a person can opt out and who can opt out on someone else’s behalf is currently being looked into.
Communication pathways will be established so patients are informed about this. RU asked if a patient has not opted out it will it be understood that they know about this and have chosen not to opt out? This was confirmed as correct.
It was also asked if the CCG or hospital can manually check if a person has opted out? GW-D reported that as long as the data controller has the right to use the data and has access to the spine they will be able to do this.
Information materials will be made available and this information can be tailored to meet local area’s needs.
A network of contacts will be established, and the key people involved will cascade information down.
GW-D stated front facing staff are not expected to know a lot about this but NHSE would like to get to a position where staff know minimum and can sign post a patient to where they can find out further information and opt out if they wish.
GN asked when this is implemented will there be changes to legislation to make this legitimate? GW-D confirmed there will be no further legislation changes; this is not consent or implied consent, this is opt out.
Type 1 and 2 opt outs were discussed. It was confirmed Type 1s will remain up to 2020 and type 2 opt outs will continue. Patients who previously opted out on the previous system will still be opted out and will be contacted. If they wish to change their mind they will have to opt in.
PW asked if patients are being communicated with using the data available, is this not a direct contradiction of the GDPR? GW-D stated this is in the public’s interest.
It was confirmed that hospitals can access the spine and use the data of patients who have not opted out.
The presentation ended and thanks were given to GW-D.
2. / Minutes of the last meeting held on 10 November 2017 – Paper A
The minutes of the last meeting were agreed as a true record subject to the following amendments:
Page 2 – bottom of page clearer sentence to be added regarding the discussion of the age of consent for a child.
Page 4 – bottom of page should read ‘show’ of hands not ‘shoe’.
CM spoke of a DPO who has been employed in Bradford which may cause a potential conflict of interest for EMBED.
3. / Action Points – Paper B
The actions were closed or updated as required on the action log.
4. / GDPR
Draft Data Protection Bill
It was noted it could be Easter before the Data Protection Bill gets Royal Assent. GN asked what will happen when waiting for local guidance under the GDPR and it was agreed a caveat could be placed in policies to be updated when things are agreed.
Children’s Data and Rights
A separate privacy notice for children was queried and it was noted most are looking at a layered approach. It was agreed there is a need to ensure this is within the privacy notices. SMe asked LK for a Local Authority point of view on this and LK agreed to report back.
Data Breaches
It was queried if only level 2 data breaches will go to the ICO for decision? It was reported that the GDPR states a data breach is to be reported where it is likely to lead to impact on peoples’ rights and freedoms; which makes almost everything reportable. SMe asked if anyone had new policies and it was agreed most are changing existing ones.
PW raised privacy impact assessments where, for severe risk, these will have to be signed off by the ICO. The ICO have recently announced they won’t have the staff to do this analysis for another 2 years which could lead to a severe risk to the DPIA. It was noted the clarification of ‘severe risk’ has not been given as yet. PW asked how this would be done in own organisations in this 2 year period? The general consensus was the DPO would do this. PW suggested sign off by an organisation’s Board/SIRO and this was agreed as a good idea. It was also agreed there must be a standard for all. PW agreed to look further into this and report back. / PW
5. / Regional/National Event Updates
The IGA conference took place on the 28 November 2017, some colleagues attended and some watched online. Documentation from the IGA will potentially be coming out in the new year. It was noted the exact terminology of the Data Protection Officer is with the Department of Health lawyers.
Dialling in to this meeting was suggested; this was discussed and agreed that technology might let this option down and also a chance to network with colleagues would be missed. LK suggested moving this meeting to Doncaster as a more central area. SMe agreed to put this out in the new year for consideration. / SMe
6. / IG Education/Personal Development Updates
Several colleagues attended the GDPR Practitioner course which recently took place in Leeds and was found to be very useful. The course was QA run, based on GCHQ’s training, and lasted 4 days. DS stated there was an emphasis on the course that it was EU GDPR. DS reported on finding it useful to go through the Articles as they are and discuss in depth but found some exercises were not in line with what was expected.
The term ‘Information Governance’ was discussed and how this will be changing. SMe spoke of attending a meeting where it was understood all IG colleagues had the same background.
Caroline Million left the meeting at 15:25.
It was agreed a clear IG qualification in future would be beneficial.
DS asked, in terms of the DPO role, where a large organisation has been advised to have their own DPO, what constitutes a ‘large’ organisation. CB stated that if an organisation processes data in large quantities, it is advised to have their own DPO, as opposed to sharing with another organisation. The capacity an individual has to undertake a DPO role and for whom was discussed.
HG and AM left the meeting at 15:30.
SMe asked LK about the DPO role in LAs. LK reported that IG have suggested the DPO should be the level of statutory officers and the LA is looking at Articles where they are saying professional expertise and knowledge are required. It has been suggested that one of the IG officers should be the DPO and should be matrix managed by the IG manager and Monitoring officer to preserve the DPO’s independence. GN stated the DPO has to have an understanding and knowledge of data protection. TO’M reported on a Trust who has employed their Director of Corporate Affairs as their DPO.
7. / Information Governance Toolkit
LK confirmed LAs are also doing the toolkit.
Audits of the Information Governance Toolkit were raised and SMe reported that the RDaSH audit is taking place January/February 2018. DS spoke of a conversation which took place with auditors regarding the GDPR.
8. / Confidentiality, Data Protection and Freedom of Information
PW reported STH is on target to hit 1000 FOI requests this year. A discussion took place on the sign off hierarchy of FOIs in different Trusts.
Discussion took place on an article SMe circulated with regards to Morrison’s and a data breach which has gone to the High Court.
DS reported on the ICO reminding people that sending confidential information to an unsecure email address is a data breach as far as they are concerned, even if the recipient has sanctioned it being sent in this way.
PW spoke of STH’s pathology department visiting a coroner/senior lawyer who has insisted details be sent via unsecure means as they do not have NHS mail. If this request was not granted then STH were told they would lose the contract. PW reported the Trust asked the coroner to write a letter of instruction for this, which has been received, and a risk assessment undertaken.
DS asked the group if Subject Access Request (SAR) records are provided digitally. PW answered some at STH are. It was noted the documents must be encrypted if they go out of the organisation. The scanning of records and documents for SARs was discussed.
TO’M raised consent forms and electronic consent and spoke of Humber NHS FT wanting to move away from the patient signing a document for release of records/data and use an electronic tick box instead. It was noted some other Trusts are using this method and PW reported STH are looking into this. GN reported this could be used as long as the service can demonstrate the patient has agreed. DS stated it must also be proven it was the patient who agreed.
9. / Data and IT / Information Security
GN reported on EMBED being able to see who in the organisation has connected their NHS.net account to mobile devices.
PW spoke of pen testing at STH.
10. / Any Other Business
SMe will bring the Terms of Reference for this group to the next meeting for discussion.
SMe raised an information sharing gateway with secured funding for 12 months. A meeting is scheduled for January in Sheffield and SMe will circulate the details.
JW reported on SHSC taking dates of birth out of letters for IG reasons as it could be seen through the envelope window. It was agreed the date of birth has no value if the NHS number is present. JW confirmed the date of birth was moved on the letters so it is now no longer visible.
No further business was discussed and the meeting closed at 16:05. / SMe
SMe
Date and Time of Next Meeting
Friday 12 January 2017, 1:00pm – 4:00pm, Lecture Room, Goole Hospital, Woodland Avenue, Goole, DN14 6RX.
Page 2 of 6