INFORMATION GOVERNANCE Caldicott Approval Procedure

NHS TAYSIDE

INFORMATION GOVERNANCE

Caldicott Approval Procedure

Author: Peter McKenzie
Review Group: Information Governance Group
Review Date: September 2010
Last Update: September 2009
Document No: NHST-ISC-CAP
Issue No: 1.2

UNCONTROLLED WHEN PRINTED

Signed: ____________________ Executive Lead
NHS Tayside Caldicott Guardian Approval Procedure


Role of the Caldicott Guardian
Caldicott Guardians will be responsible for agreeing and reviewing internal protocols governing the
protection and use of patient-identifiable information by the staff of their organisation or those shared
with other NHSS organisations. Guardians will need to be satisfied that these protocols address the
requirements of national guidance/policy and law and that their operation is monitored.
Caldicott Guardians will also be responsible for agreeing and reviewing protocols governing the
disclosure of patient information across organisational boundaries, e.g. with social work services and
other partner organisations contributing to the local provision of care. These protocols should
underpin and facilitate the development of cross boundary working, health improvement programmes
and other changes.
Patient Identifiable Information
The term patient identifiable information means any data item or combination of data items by
which a patient's identity may be established. Commonly used patient identifiable data items are:

    Forename
    Surname
    Address
    Postcode
    Telephone / Fax No
    CHI
    Date of Birth
    Diagnosis
    e-mail address

The Caldicott Principles
Justify the purpose(s)
Every proposed use or transfer of patient-identifiable information within or from an organisation should
be clearly defined and scrutinised, with continuing uses regularly reviewed by an appropriate
guardian.
Don’t use patient-identifiable information unless it is absolutely necessary.
Patient-identifiable information items should not be used unless there is no alternative.
Use the minimum necessary patient-identifiable information.
Where use of patient-identifiable information is considered to be essential, each individual item of
information should be justified with the aim of reducing identifiability.
Access to patient-identifiable information should be on a strict need to know basis.
Only those individuals who need access to patient-identifiable information should have access to it,
and they should only have access to the information items that they need to see.
Everyone should be aware of their responsibilities.
Action should be taken to ensure that those handling patient-identifiable information – both clinical and
non-clinical staff – are aware of their responsibilities and obligations to respect patient confidentiality.
Understand and comply with the law
Every use of patient-identifiable information must be lawful. Someone in each organisation should be
responsible for ensuring that the organisation complies with legal requirements.




           NHS Tayside         NHS Tayside Caldicott Guardian Approval Procedure            Page 1 of 11
Access Control
Access control is essential for ensuring that only authorised persons have:
    physical access to computer hardware and equipment;
    access to computer system utilities capable of over-riding system and application controls;
    access to manual files containing confidential information about individuals;
    access to computer files and databases containing confidential information about individuals.
Access to Confidential Information about Individuals
Access to person identifiable information will be restricted to those staff who have a justifiable need to
know in order to effectively carry out their jobs. The Caldicott Principles underpin the approach that
NHS Tayside will adopt.
Registered access levels will be used to further limit the access of authorised persons to the minimum
information that they need to carry out a task or function. This is particularly relevant to information
held electronically, but the principles apply to all records, e.g. staff who need access to manual files
for filing purposes should not need to access the information already contained within the files.
There are also legal restrictions on who may see certain patient-identifiable information, for example
information relating to particular diseases. Only staff whose responsibilities include the treatment of
individual patients with those diseases, or who are involved more widely with the treatment or
prevention of disease, such as those employed by public health departments, should be permitted
access to such information.
Access Levels and Registration
There will be formal and documented user registration for access to all person-identifiable information
held in confidence, where multiple users need access. Although this is mainly applicable to
electronically held information, the principles extend to manual files.
It is particularly important that it is clear, at any point in time, just who should have access to what
information and the purpose the information is to be put to.
Applying for Caldicott Guardian Approval to Access or Record Patient Information
The application process relies upon the completion of a Confidentiality Statement and Data
Processing Specification (appendix 1).
An approved application is relevant to the specific research/study/project/audit that is specified in the
application. The information provided on that basis must not be used for other purposes.
The Confidentiality Statement
The contents of the Statement are described below. However, the Statement is an approval document
and is not expected to contain adequate information to allow authorisation for anything but the
simplest of situations. Therefore, it is likely in most cases that additional application information will be
provided in support of the application in the form of:
    Ethics Committee letter of approval, including any recommendations made by the Committee.
    Where ethics approval has not been necessary, an indication of that is to be included.
    An outline of the research/study/project/audit programme indicating:
        The purpose of the research/study/project/audit - to conform to Data Protection and Caldicott
        Principles.
        Any person identifiable information to be used and any anonymisation that will be applied.
        The arrangements to be employed in contacting/inviting/informing/interviewing/follow up of
        individuals as part of the research/study/project/audit, where this will occur.
        The management arrangements - to define responsibilities and to confirm that all agreed
        arrangements take place.
        Specification of the users and departments/agencies/organisations/companies that will have
        access to the information - to define responsibilities and if necessary confirm that all have
        been made aware and will abide by NHS Tayside rules of confidentiality and security.
        A specification of any manual or computer databases to be devised as part of the
        research/study/project/audit indicating:
            Software to be used
            Who will be developing the database and their employer
            Where the database will be run from
            Relevant security arrangements: access control, backup and restore, ongoing support, etc.
            The arrangements for disposal of the information held.
Your arrangements for accessing and processing identifiable personal data must be summarised in a
Data Processing Specification for each data source.
User Details - the details of the person who is responsible for the work to be undertaken associated
with the information to be provided. There is a requirement that this person will abide by NHS Tayside
rules of confidentiality and security in using the provided information.
Sponsor Details - the details of the NHS Tayside person who is supporting the provision of the
information in question; usually to be signed by a consultant if patient data is requested and the
applicant is not of that status or is not medically qualified.
Data Protection Reg. No. - only relevant to organisations or agencies outside NHS Tayside.
Data Requested - a brief description of the information that is to be provided. This is to be supported
by the completion of a Data Processing Specification for each data source.
Co-users of the Data - a list of individuals who will have access to the information provided and who
will be under the management/supervision of the User.
Intended use of Data - a brief description of the purposes that the information will be put to.
User's Declaration - dated signature of the User.
Sponsor's Declaration - dated signature of the Sponsor.
Data Processing Specification - a data processing specification is required for each data source, to
ensure that it is clear what data is being requested, that the applicant has made appropriate
arrangements to gain access with those responsible for managing that data, and that the data
provided will be managed appropriately by the applicant.
Return Details - completed applications along with supporting documentation to be returned to the
Information Governance Office.
A flowchart describing the process for application for Caldicott approval is included in appendix 2.
Confirmation of Approval
Once Caldicott approval has been given the User will receive a confirmation letter and copy of the
approved application.
Further Development
The outcome of research/study/project/audit programmes is often that further work or development
of departmental systems is considered. In such cases further consideration must be given beyond the
Caldicott Guardian approval process, and the original approval is unlikely to be adequate.
Where further development is being considered, the NHS Tayside Project Approval Process (appendix 3)
must be followed in order that such development is considered by the eHealth Group in the context of
the NHS Tayside eHealth Strategy.

Appendix 1

CONFIDENTIALITY STATEMENT - for users of person identifiable data

User Details
Name:
Position:
Organisation:
Address:
Tel:

Sponsor Details
Name:
Position:
Organisation:
Address:
Tel:

Data Protection Reg. No.:

Data Requested: (A Data Processing Specification must also be completed.)

Co-Users of the Data:

Intended use of data (inc. publications):

User’s Declaration
I declare that I understand and undertake to abide by the rules for confidentiality, security and
release of data received from NHS Tayside.
Signature:
Date:

Sponsor’s Declaration (to be signed by a consultant if patient data is requested and the applicant is
not of that status or is not medically qualified)
I declare that the above named user of the data is a bona fide worker engaged in a reputable project
and that the data requested can be entrusted to this person in the knowledge that they will
conscientiously discharge their obligations in regard to confidentiality of the data.
Signature:
Date:

On completion, please return this form to:
Information Governance Officer
NHS Tayside
Ashludie Hospital
Monifieth
Dundee
DD5 4HQ

For NHS Tayside use only
Release authorised by:
Date:
Ref. No.:

RULES ON CONFIDENTIALITY, SECURITY AND RELEASE OF INFORMATION FOR USERS OF NHS PATIENT DATA


1) If the data received from NHS Tayside are to be held on computer, the signatory of this
   request, or the organisation (s)he represents, should have an appropriate registration with the
   Office of the Data Protection Registrar. Details of the registration number should be entered on
   this document.

2) Data received from NHS Tayside must not be used for any purpose other than for the intended
   use specified on this document.

3) Data received from NHS Tayside must not be divulged to any person who is not specified as a
   ‘co-user of the data’ on this document.

4) Proper safeguards should be applied in keeping the data and destroying it on completion of the
   work/project declared to prevent any breach of confidentiality.

5) Any misuse or loss of these data should be notified immediately to the Information Governance
   Officer for NHS Tayside at Ashludie Hospital, Monifieth (01382-527920).

6) Recipients of information supplied by NHS Tayside are reminded that the data has been
   supplied for the purposes stated in the approved study only. Further submission for approval
   will be required for any other uses of that data.

7) Any statistics or results of research based on data received from NHS Tayside should not be
   made available in a form which:
   a) directly identifies individual data subjects
   b) is not covered by the ‘intended use of data’ specified


NHS Tayside would welcome copies of any publications based on data supplied.

Information Governance
Ashludie Hospital
Monifieth
DD5 4HQ
Telephone: 01382 527920
Fax: 01382 527808

CALDICOTT APPROVAL - DATA PROCESSING SPECIFICATION
To be submitted with application for Caldicott Approval

For each separate source of patient identifiable data that you intend to access in support of your
study please provide the following information.

Data Source: (Medical Records/System Name)

Data Items: (list the data items that you will require from the named data source)

Data Source Contact Details: (who have you agreed access to the source data with?)
Name:
Designation:
Base:
Tel No:
Email address:

Data Storage Arrangements: (where arrangements are described in a supplied study protocol then
reference to the relevant sections of the protocol can be used)
Location: (NHS Tayside, University, etc.)
Device to be held on: (desktop, laptop, network storage, etc.)
Access Controls: (how will the data be protected from unauthorised access?)
Encryption: (will encryption be used to protect the data?)
Anonymisation: (how will the identity of individuals be protected?)
Format: (spreadsheet, database, etc.)

If you intend to make contact with patients identified through the processing of this data, indicate
how this will be done and how you will ensure that it is appropriate to contact them. It is
recommended that contact with patients is through correspondence signed by the patient’s
GP/Clinician or Head of Clinical Service.

Appendix 2 - NHS Tayside Confidentiality Statement Flowchart

The flowchart sets out the following sequence of questions and actions:

1. Has your project been approved?
   No: You need to get approval from the project stakeholders before you can proceed any further.
   Yes: Continue.

2. Are you going to be accessing patient records or patient identifiable information?
   No: You do not require Caldicott approval.
   Yes: You require Caldicott approval.

3. Obtain a copy of the Confidentiality Statement and Data Processing Specification from Staffnet.

4. Complete User Details on the form.

5. Do you have approval of and details of the project sponsor? (The Sponsor is usually the lead
   health or social care organisation, the lead employer of the researchers, or the provider of
   funding.)
   No: Obtain details of the sponsor before proceeding.
   Yes: Complete details of sponsor on the form.

6. Will data received from NHS Tayside be held on computer?
   Yes: Where data is to be held on a computer, the signatory of this request, or the
   organisation(s) he/she represents, should have appropriate registration with the Office of the
   Data Protection Registrar. Details of the registration number should be entered on the
   appropriate confidentiality statement. Do you know the registration number?
      No: Obtain the registration number from the organisation that will be holding the information.
      Yes: Enter details on the form.
   Where databases are to be created, refer to the information requirements in the main procedure
   under the Confidentiality Statement section.

7. Enter a brief statement about the data requested and complete a Data Processing Specification
   for each data source.

8. Will there be co-users of the data?
   Yes: Full details must be included in the confidentiality statement. Data received from NHS
   Tayside must not be divulged to any person who is not specified as a ‘co-user of the data’ on
   the confidentiality statement.
   No: Continue.

9. Full details of the intended use of data must be included.

10. Do you intend to publish the data?
    Yes: Include full details of intended publications. Any statistics or results of research
    based on data received from NHS Tayside should not be made available in a form which directly
    identifies individual data subjects or is not covered by the ‘intended use of data’ specified.
    No: Continue.

11. Indicate the period for which the data will be retained. Proper safeguards should be applied in
    keeping the data and destroying it on completion of the work/project declared to prevent any
    breach of confidentiality.

12. Complete the user declaration and have the sponsor complete their declaration on the form.

13. Once the form is fully completed, pass it to the Information Governance Officer, who will obtain
    Caldicott approval on your behalf. A copy of the authorised confidentiality statement will then
    be returned to you to retain as part of your project/research.

As noted in the main procedure, it is most likely that supporting documentation will have to be
provided with the Confidentiality Statement and Data Processing Specifications. Please ensure that
you have included this information to avoid delay in processing the application.

Appendix 3

NHS TAYSIDE: eHealth/IM&T Computer Systems


STANDARD BUSINESS CASE

Notes:

     1. The standard business case will be presented to the eHealth and Area Business IM&T
        group for clinical and business systems respectively for approval to ensure that any
        proposal is consistent with the eHealth strategy for NHS Tayside.
     2. A separate Standard Business Case Template is required for each individual proposal.
     3. Standard business cases should be completed in conjunction with the under-noted
        members of staff to ensure that all IM&T aspects of the project are covered within the
        business case:



                   Mr Stewart Hunter                 stewart.hunter@nhs.net

                   Mr Ian Fenton                     ian.fenton@nhs.net



If a scheme covers all the areas within Tayside then any of the above will assist in preparation of
the business case.

     4. Where funding for the project has been identified the support of the relevant Finance staff
        must be agreed.
     5. Please note that submissions will only be accepted on this template.
     6. Notes written in italics are provided for guidance/example only and should be deleted
        completely before templates are returned.
     7. Any queries with this template should be raised, in the first instance, with Stewart Hunter,
        Tel: Ext. 33472




1.       Title of the Project Proposal

This should include speciality/operational system name, e.g. Photobiology, catering systems.

2.       Introduction/Background

         -    Strategic Objectives

A brief overview of the strategic objectives of the proposal relevant to eHealth strategy and how it
would impact on Clinical Group/ Service/ Departmental objectives.

         -    Clinical needs

A brief overview of the clinical objectives of the proposal relevant to the Group/ Service/
Department/ Facilities clinical needs, as well as those other Departments/ Areas/ Groups that rely
upon its support, e.g. introduction of a computer system may improve information for the clinician
but may also impact on the medical records service.

         -    Proposed Outcomes – benefits to patient

A very brief overview of the proposal and how patients and the service will benefit from it, e.g. will
they be seen quicker, will they have to travel less, will they be reviewed by fewer people, etc.
NB. This is expanded upon in section 5.

3.        Description of the service concerned.

          - Current Service

What does the service look like now and why does it have to change?

          - Proposed Service

What will the service look like if this proposal is implemented?

4.        List of options

A brief “high-level” outline of those alternative options for the service initially considered, including
brief reasons why each was excluded.


5.        Preferred Option

          A brief narrative describing the preferred option (the proposal) in more detail, explaining the
          relationship between it and the strategic objectives of the eHealth Strategy as well as
          meeting the Clinical Directorates/Departments objectives.


6.        Revenue Impact

          Where financial resources have been identified, these need the support of your accountant
          within the finance dept.

7.        Capital Cost

          As above.


8.        Risk Assessment

          Please identify any risks to the project either by not implementing the proposal or any
          known risks associated with developing and implementing the project at this stage.




Project Approval Process

The process is shown as a flowchart; its elements, listed from top to bottom as they appear in the
diagram, are:

Funded Stream; Non Funded Stream
Commercial Supplier; Proposal
eHealth Programme Director
Business Case (template)
eHealth / Area Business IM&T Groups; Prioritisation Group
ICT Maryfield; CTC Ninewells; Commercial Supplier