
Information Governance in Commissioning




Presentation Transcript


  1. Information Governance in Commissioning
  Mental Health Commissioners Collaborative

  2. Introduction
  David Stone, Head of Information Governance, Apira Limited
  david.stone@apira.co.uk, 07947 052704

  3. 2011/12 Standard Terms and Conditions for Mental Health and Learning Disability Services
  • Context
  • Law/Contract
  • Regulation
  • Risk/Liability
  • Contract compliance/Assurance
  • Incidents/Breaches
  • Patient Identifiable Data/Secondary Use

  4. Dear colleague (Gateway Ref: 16607)
  "We want to call your attention again to a significant change that came into force on 6 April 2010, which enables the ICO to order organisations to pay up to £500,000 as a penalty for serious breaches of the Data Protection Act 1998. Obviously we are all hoping that it will not be necessary for the enhanced powers to be exercised, but at present a significant percentage of all data breaches reported to the ICO relate to NHS organisations. The purpose of this letter is to outline the actions that we jointly recommend to ensure your systems and practices deliver adequate information governance and that commissioning criteria adequately reflect its importance."
  (Nicholson, NHS CEO, and Graeme, IC, to all NHS CEOs, 05/09/11)

  5. Law/Contract
  • Data Controller/Data Processor
  • The Commissioner is a Data Controller in law (clause 27.3)
  • The Commissioner may be Data Controller jointly or in common with the Provider, but remains legally liable for the data, even after the end of the contract
  • The Information Commissioner will pursue the Data Controller in the event of a breach
  • Service Level Agreements are not valid in law unless bound into a contract
  • The Data Protection Act (1998) trumps the NHS and Community Care Act (1990)

  6. Case Study
  • In February 2011, the London Boroughs of Hounslow and Ealing were fined £70,000 and £80,000 respectively under the Data Protection Act 1998 (DPA).
  • The Monetary Penalty Notice (MPN) arose from the theft of two unencrypted laptops from an employee of Ealing Council. The laptops contained the personal data of approximately 1,000 Ealing service users and approximately 700 Hounslow service users.
  • Hounslow was found to be in breach of the DPA because it had failed to put a valid legal contract in place with Ealing, and because it had not monitored Ealing's operational compliance in delivering the commissioned service.

  7. Regulation
  • Monitor
  "Monitor would look to commissioners, the Information Centre and Information Commissioner to lead on policing IG at FTs and it is not our role to otherwise interpret information requirements. Only where other bodies have exhausted their powers would Monitor generally consider acting in the absence of other breaches of the authorisation." (email response, 04/08/2011)

  8. Regulation
  • CQC
  "The Commission uses the information from the Information Governance Toolkit in our Quality and Risk Profiles. Quality and Risk Profiles are an essential tool for providers, commissioners and our own staff in monitoring compliance with the essential standards of quality and safety. They help in assessing where risks lie and can play a key role in providers' own internal monitoring as well as informing the commissioning of services." (email response, 10/08/2011)

  9. Regulation
  • Department of Health
  "The IGT is not a required central return as the Department of Health is just one, and not the main, interested party. The Department expects commissioners to drive improvements in provider information governance and to insist that their contractual requirement to publish an IGT assessment continues to be met."

  10. Contract Compliance
  • 27.2 Data Protection
  "The Provider shall achieve a minimum level 2 performance against all requirements in the relevant NHS Information Governance Toolkit relevant to it. Where the Provider has not achieved level 2 performance by the Service Commencement Date, the co-ordinating Commissioner may, in its sole discretion, agree a plan with the Provider to enable the Provider to achieve level 2 performance within a reasonable time."

  11. Risk/Liability
  [Slide shows a colour-coded chart of provider IGT results; key: Red = Unsatisfactory in IGT]

  12. Consent
  • 9.1 Consent: the Provider shall operate a Service User consent policy that complies with Good Clinical Practice, good Health and/or Social Care Practice and the Law
  • NHS Care Record Guarantee, Commitment 4: "Legally, no-one else can make decisions on your behalf about sharing health information that identifies you."
  • European Article 29 Working Party (WP29): consent is recognised as an essential aspect of the fundamental right to the protection of personal data

  13. Person Identifiable Information
  • All health data is 'sensitive' personal data under the Data Protection Act
  • SUS (Secondary Uses Service) is only legal for limited uses under Section 251 (NHS Act 2006): 18 weeks, PbR (Payment by Results), planning care provision
  • Contested payments/challenges
  • New Safe Haven operation
  • Pseudonymisation/secondary use

  14. Not Applicable Contract Clauses
  • The following clauses do not apply to data that comes within the scope of the Data Protection Act (1998):
  • 15.5: Incident reporting
  • 29, especially 29.9: requirements to provide information
  • Note: the contract cannot require the Provider to break the law
  • There may be others in the schedules

  15. Assurance
  • Schedule 5
  • Independent audit of IGT self-assessment scores and information risk must be shared with the commissioner
  • Information incident reporting (or as Schedule 7) in compliance with Gateway 13177
  • Information Lifecycle: what happens to the data at termination? (clauses 35/36)
  • Clarification of the right to disclose confidential information (39.1.4)
  • Transport of data using N3
  • Use of NHSmail

  16. Conclusion
  • The Commissioner is a Data Controller in law and legally liable for what happens to the data, even after the end of the contract
  • A legally binding contract is required by law for every commissioned service
  • The standard commissioning contract does not meet all legal requirements without additions in Schedule 5
  • The standard contract is not always correct when applied to information covered by the Data Protection Act
  • All but one Mental Health Trust (MHT) in London failed to meet the standard required in the contract
