120 likes | 289 Views
Prism Data Security. KB Leake Head of Operations & Development, Information Products Unit Health Solutions Wales 24 February 2010. Overview. Brief overview of all aspects of security around Prism Information Sharing Agreement Extraction of data from GP Practices
E N D
Prism Data Security KB Leake Head of Operations & Development, Information Products Unit Health Solutions Wales 24 February 2010
Overview • Brief overview of all aspects of security around Prism • Information Sharing Agreement • Extraction of data from GP Practices • Central processing & pseudonymisation • Access via the web-based tool • IG rules framework for access control
Data Flow requirements • Requirements for development of risk tool • Individual-level GP practice data • Read codes with information about conditions, examinations, measurements and prescriptions • Individual-level secondary care data • Wide range of clinical and administrative data from hospital admissions and outpatient attendances databases • Pseudonymised individual-level record linkage across all 3 sources of data • Risk scores fed back to GP practices in suitable format • Adherence to information governance rules, and protection of patient confidentiality
Data Flow Methodology • Based on split file methodology • Methodology developed jointly by HSW and the SAIL project (Swansea University) – recently published • The SAIL databank: linking multiple health and social care datasetsRonan A Lyons et al.BMC Med Inform Decision Making 2009; 9: 3. ,Published online 2009 January 16. doi: 10.1186/1472-6947-9-3
Prism File 1(Demographic) Prism File 2(Clinical) Revised ‘at-risk’patient list PRISM Data flows Health Solutions Wales GP Practice Pseudonymisation Service HSW Data Warehouse (Includes pseudonymised Hospital Admission and Outpatient data) Audit+ NHS WalesData Switching Service(NWDSS) GPSystem Recombine PRISM ScoringDatabase De-pseudonymisation PRISMWeb-tool
Securing Access to the Prism Web-tool Account Control 3 (AC3)
Account Control 3: Background • AC3 is a Role Based Access Control mechanism, which has been developed in line with NHS Wales’ policies, standards and guidelines, and the emerging National Architecture • It has been signed-off as being fit for purpose by: • Informing Healthcare’s Design Advisory Group • National Architecture Design Board • National Information Governance Advisory Group • Welsh Patient Safety Board • NHS Connecting for Health’s various governance boards • Access Control Mechanism is utilised by other all-Wales services (e.g. Welsh Demographic Service)
Account Control 3: Principals of Operation • AC3 uses a self-registration / remote approval model, similar to many Internet sign-up processes • Getting access to Prism is a 3 stage process: • A user registers to use Prism • Registration approved by an authorised individual • The approved user logs on to the system for 1st time • Authority to access Prism is devolved to the local Practice, not held centrally by HSW or Informing Healthcare
Account Control 3: ‘Key Players’ inAuthentication Process • All-Wales Information Governance Officers • Information Governance Team within Informing Healthcare • Caldicott Guardians • One per Practice • Caldicott Delegates (optional) • One or more delegates authorised by Guardian • Users within Practices
Account Control 3: IG Role Interactions All-WalesInformation GovernanceOfficers National Local Practice Caldicott Guardian Caldicott Guardian Caldicott Guardian Caldicott Delegate Caldicott Delegate Caldicott Delegate Caldicott Delegate Caldicott Delegate Registration Operational Use User User User User User User User User User User User User User User