Introduction to the Information Sharing Workshop NIGB would like to thank County Durham and Tees Valley Information Governance Leads Group who allowed us to adapt this workshop from their original workshop materials
The role of the National Information Governance Board (NIGB) • To support improvements in information governance in health and social care • To advise on the use of powers under section 251 of the NHS Act 2006
Our definition ‘Information governance describes the structures, policies and practices which are used to ensure the confidentiality and security of records of individuals Correctly developed and implemented it enables the appropriate and ethical use of information for the benefit of individuals and the public good’.
History of NIGB • 2005 – review of IG in DH and wider NHS • 2007 – ‘shadow’ NIGB takes over functions of the Care Record Development Board • 2008 – NIGB becomes a statutory body • 2009 – NIGB takes over the functions of the Patient Information Advisory Group (PIAG)
The NIGB as a Statutory Body • The NIGB is an Advisory Non-departmental Public body • Reports to the Secretary of State and of Health • It’s Statutory powers support it in delivering it’s terms of reference
Who are we? • 22 members - • 12 public members appointed by Appointments Commission • 10 organisations invited to be represented by Secretary of State for Health • Corresponding Advisors • Observers • Statements of Collaborative Working
Dealing with complex issues • NIGB regularly has to deal with complex, often ethical, issues • No right or wrong answer – the best answer using available evidence • Varied background of members makes it ideally placed to do this
Importance of multi-agency information sharing and information sharing protocols • Stockton Information Sharing Workshop Pilot • NIGB analysis and review of the pilot materials • To be made available on NIGB website for training
History of Caldicott • In 1997 the NHS established a Caldicott Committee led by Dame Fiona Caldicott • Caldicott Committee (1996-97) Review of patient-identifiable information commissioned by the Chief Medical Officer of England . . . “owing to increasing concern about the ways in which patient information is being used in the NHS in England and Wales and the need to ensure that confidentiality is not undermined.”
History of Caldicott cont. • The review recommended that “Guardians” of personal information be created to safeguard and govern the uses made of confidential information with the NHS • In 2002 Calidcott standards were extended into Social Care
So what are the Caldicott principles? • The Caldicott principles and processes provide a framework of quality standards for the management of confidentiality and access to personal information
The Caldicott Report ( Sept ’97) Six key principles: • Principle 1 – Justify the purpose for using confidential information • Principle 2 – Only use it when absolutely necessary • Principle 3 – Use the minimum that is required • Principle 4 – Access should be on a strict need to know basis • Principle 5 – Everyone must understand their responsibilities • Principle 6 – Understand and comply with the law.
Key Caldicott Guardian responsibilities Supported by the Information Governance Team the Caldicott Guardian has responsibility for: • Strategy and Governance • Confidentiality and Data Protection expertise • Internal Information Processing • Information
The Caldicott Report Sixteen specific recommendations, one of which was that: “A senior person, preferably a health professional, should be nominated in each health organisation to act as a guardian, responsible for safeguarding the confidentiality of patient information.”
The role of the Caldicott Guardian • To play a key role in ensuring Health & Social Care organisations satisfy the highest practical standards for handling an individuals identifiable data. • To work as part of the broader Information Governance function with support staff • To have a strategic role representing and championing Information Governance requirements and issues at senior management level • Advise on the implementation of the Electronic Social Care Record and Common Assessment Framework
Caldicott Guardian Role “The conscience of the organisation” Establish the highest practical standards for handling personally identifiable information in the NHS and Social Care monitoring process against an annual improvement plan
Today is About… . . . knowing how to share information: • Safely • Legally and • Confidentially . . . and an opportunity for you to share knowledge and concerns with other professionals to improve multi-agency information sharing
Why is information sharing so important? • it is essential to safeguard and promote the welfare of children, young people and vulnerable adults • to achieve the best outcome for the individual • To prevent death or serious harm as a result of: • Failing to record information • To share it • To understand the significance of the information shared • To take appropriate action in relation to known or suspected abuse or neglect
Consequences of not sharing information appropriately • 1973 – Maria Colwell – killed by her stepfather sustaining severe internal injuries and brain damage • 2000 – Victoria Climbie – died of hypothermia after months of sustained abuse by her guardians • 2002 - Soham Murders – death of 2 ten year old girls by Ian Huntley a school caretaker • 2007 - Baby Peter, died of horrific injuries inflicted by his carers - Laming enquiry criticised failings in information sharing between agencies
Adult Safeguarding • 2006 – Steven Hoskin had learning disabilities and was 39 years old • Sustained repeated abuse by youths including assault, forced to take drink and drugs and made to falsely confess to being a paedophile • Reports of anti-social behaviour connected to the flat • Steven was marched to top of a viaduct and forced over the edge • Serious Case Review – ‘information sharing poor’
Adult Safeguarding • 2007 - Death of Francesca Hardwick (daughter), severe learning disabilities, Fiona Pilkington (mother) primary carer. • After 10 years of repeated verbal abuse, a sustained campaign of vandalism, harassment and intimidation by local youths, Fiona set light to their car • Inquest criticised ‘failure to share information between the Police and local councils’
Local Case - Adult Safeguarding • 2007 - Susan Hale (service user) and Sarah Merritt (agency carer) murdered by David Tiley a convicted rapist • Police were monitoring Tiley as one of 300 violent or sex offenders in Southampton • Tiley had been on sex offenders’ register after being convicted of two counts of rape • In and out of prison for breaching order for failing to notify Police of his address
Local Case - Adult Safeguarding • Living with Ms Hale following release in 2007 Tiley was subject to MAPPA (multi-agency public protection arrangements) • Review led by a member of the Prison Service concluded that there ‘needed to be improved relations between agencies’ and • Lessons needed to be learned
The Legal Context • The Data Protection Act 1998 • The Human Rights Act 1998 • The Health and Social Care Act 2008 • Common Law of Confidentiality • Administrative Law • FOI Act 2000 • Other Legislation e.g. • Children Act, Mental Capacity Act, Gender recognition Act, Adoption Act
So, what about Data Protection? • The Data Protection Act is not a barrier to sharing information • Confidentiality is a boundary to be negotiated and can be a barrier sometimes but not where there is a public interest justification such as the protection of others • Practitioners should understand when, why and how they should share information to do so confidently and appropriately • It provides a framework to ensure information is shared appropriately • Consent should be best practice
A Duty of Confidence A duty of confidence arises when one person discloses information to another (e.g. patient to clinician, client to social worker) in circumstances where it is reasonable to expect that the information will be held in confidence or where it is obvious the information is confidential in nature. The duty of confidence - • Is a legal obligation derived from case-law. • Is a requirement within professional codes of conduct. • Is included within many employment contracts as a specific requirement linked to disciplinary procedures.
Exemptions to the Duty of Confidence • Where there is legal requirement (either under statute or a court order) to disclose the information (for instance, notification of certain diseases to public health authorities); • Where there is an overriding duty to the public (for instance, the information concerns the commission of a criminal offence or relates to life-threatening circumstances); or • Where the individual to whom the information relates has consented to the disclosure
How do we obtain consent? • Consent should be sought at the earliest opportunity • Social Care record consent on the Permission to Share form signed by both social work professional and the individual or their representative. In Heath this should be recorded in the patient notes • Clear explanation should be given to the individual on what they are consenting to and for how long • It should be made clear that consent can be withdrawn at any time but we will share when there is a legal requirement to do so • Individuals should understand that if they withdraw their consent this may affect services we can provide to them • Revisiting consent – at least annually or when a new event/episode of care happens
Implied Consent • Consent not expressly given: • Often consent is assumed for sharing information with colleagues within an organisation i.e. in Health if a patient sees a nurse for a test, it is assumed that the patient will consent for the results to be shared with the treating doctor. • In Social Care sharing with other departments in the Local Authority would require explicit consent for another purpose unless there is a legal reason for sharing. • Sharing information between health care colleagues in different organisations e.g. ambulance crews to A & E staff
Explicit or Informed Consent • Agreement to sharing should be recorded • Individuals should be made aware of: - • What information is to be shared • What is the purpose of sharing it • Who it is to be shared with • How the information will be protected • Whether it may be further shared • That they have the right to refuse (if they do) • The consequences of refusal and agreement to consent
Competence to Consent • Children and young people • 16 assumed to be competent • Under 16 competent if they have the capacity to understand and take own decisions • Otherwise consent from whoever has parental responsibility • Onus of proof shifts from being on the child to being on the person wanting to assert lack of capacity.
Competence to Consent • Adult unable to give consent? • Take into account the views of relatives or carers • Respect any previously expressed wishes • Mental Capacity Act (MCA) • Adults lacking capacity may have an advocate • Provision under MCA for proxy consent via LPA or Court appointed deputy • Ultimately, the professional must act in individuals best interests • Record the decision and the reasons for it
Understanding consequences • Explain consequences of agreeing to consent • Explain consequences of refusing consent i.e. Limiting services – housing etc.
Sharing without consent • There are some circumstances in which sharing confidential information without consent will normally be justified in the public interest: • When there is evidence that the child/vulnerable adult is suffering or is at risk of suffering harm; or • Where there is reasonable cause to believe that a child /vulnerable adult may be suffering or at risk of significant harm; or • To prevent significant harm arising to children/vulnerable adults including through the prevention, detection and prosecution of serious crime
So, what if they say No? • Consider Public Interest justification before seeking consent which could affect approach to consent. • I.e. need to provide the information but would prefer to disclose with their agreement. Give an opportunity for them to state their case for non-disclosure. • May not be appropriate if there is risk to staff or others.
So, what if they say No? • If the individual is competent to make the decision and they fully understand the consequences of the decision for care or treatment: • Understand their reasons and see if they can be satisfied • Can care be provided in different way? (Must be practical) • Balance the risks – consider ‘public interest’ – you may need to share anyway . . . - Harm to self - Harm or risk to others
Even Worse! What if they say “Yes” . . . and then change their mind!
QUESTIONS TO ASK BEFORE SHARING INFORMATION Q: Can I still disclose if they don’t consent? “There must never be another tragic case where a child suffers as a result of professionals not sharing what they know.”Margaret Hodge “…in every judgment they make, staff have to balance the right of a parent with that of the protection of the child.”Lord Laming, The Victoria Climbié Inquiry
QUESTIONS TO ASK BEFORE SHARING INFORMATION Q: Can I still disclose if they don’t consent? • Failure to share information appropriately can be a serious breach of care • Sharing without consent may be necessary and appropriate under some circumstances: • When a child is believed to be at serious risk of harm • When there is evidence of serious public harm or risk to others or and individual • For the prevention, detection or prosecution of serious crime • When instructed to do so by a court
Proportionality • The proposed disclosure should be proportionate to the need to protect the child’s/vulnerable adult’s welfare • The amount of information disclosed and the number of people to whom it is disclosed should be no more than is necessary to meet the public interest in protecting the health and well-being of the child/vulnerable adult
When in Doubt • Consult a Manager/Caldicott Guardian or Data Protection/Information Governance Officer • Obtain advice from legal services if appropriate • Record reasons why a decision was made to: • Override the requirement to seek consent • Share information without consent
Difficult Areas • Power of Attorney • May not include access to records • Pre Adoption records • Only medical history should be in new record – procedures • Protected Addresses Gillick Competency • Father and son same name • Parental rights • Gender Re-assignment • Deceased Records • Not covered by DP Act – remove anything the patient would have expected to keep private and third party data • Police requests • Section 29 forms
Why do we need an Information Sharing Protocol ? • What data do we want to share? • With whom do we want to share it? • Why do we want to share it? • How can we justify sharing it? • How do we comply with the law? PROACTIVE FRAMEWORK
Using the Three Tier Model at local level 1 Principles we all will work to contained in the high level Protocol 2 Purpose for Sharing Information e.g. Care of Adults Process of how we will share the information in the Service Level Information Sharing protocol 3
The Protocol should describe • How we comply with the Law • Why we need to share the information • How we justify sharing the information • What information we want to share • With whom we will share the information • How we will protect the information
How We Comply With The Law • How we restrict access to the information -consent • Who needs to know, how much • What security will protect it • How long it will be kept for • What format will it be in • When it can be destroyed or Archived • Subject Access rights • Data Quality • Hiding behind legislation and red tape!!!