Information governance Flashcards
What is the definition of information governance?
It is the way in which the NHS handles all of its information, in particular personal and sensitive information relating to patients and employees
It provides a framework to ensure that personal information is dealt with legally, securely, efficiently and effectively in order to deliver the best possible care
What are the 4 key pieces of legislation that govern the handling and protection of data in the NHS?
- Health and Social Care Act
- GDPR (DPA 2018)
- Common law duty of confidentiality
- Freedom of Information Act
What 4 key changes did the Health and Social Care Act implement?
- Creation of the CQC
- Legal requirement of duty of candour
- Creation of CCGs
- Legal requirement to reduce health inequalities for the people of England
What is the purpose of GDPR?
Defines standardised data protection laws for all member countries of the European Union, provides rules for handling information about people and protects people's right to privacy.
It is a REGULATION, not a DIRECTIVE, meaning it is binding and applicable!
What are the 7 principles of GDPR?
LPDASIA
- Lawful, fair and transparent
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
What are the differences between the DPA 1998 and GDPR?
- No principle for 'individual rights'. Now covered in Chapter 3
- No principle for international transfers. Now covered in Chapter 5
- New accountability principle
What is pseudonymisation?
A security measure involving the removal of personally identifiable information in a digital record and replacing this with a unique code
What is anonymisation?
A security measure involving the removal of all directly and indirectly identifiable data.
Directly identifiable data, e.g. name, address, postcode, photo, etc.
Indirectly identifiable data, e.g. information that can be linked with other sources of information to identify an individual, such as where you work, job title, salary, etc.
What is GDPR's stance on pseudonymised data?
Pseudonymisation is only a security measure, and personal data remains personal data within the scope of GDPR
What is the common law duty of confidentiality?
Outlines a legal duty to keep information obtained from patients/service users confidential. Confidential information can only be disclosed with the patient's consent.
What types of media are covered by the duty of confidentiality?
- Paper
- Computer records
- Audio/video recordings
What are the circumstances where the disclosure of confidential information is lawful?
- Where individuals have consented
- Where disclosure is necessary for safeguarding or in the public interest
- Where there is a legal duty to do so e.g. a court order
What is the purpose of the Freedom of Information Act?
To provide the public access to information held by public authorities (remove unnecessary secrecy)
How does the FOI remove unnecessary secrecy?
- Places an obligation on public authorities to publish certain information about their activities, e.g. policies, procedures, minutes of meetings, etc.
- Public organisations are obliged to respond to information requests from members of the public
e.g. how long do patients wait in A&E before being seen by a clinician at your hospital?
What does the FOI not give individuals the right to?
Does not give individuals the right to access their own personal data, e.g. health records
This should be handled via a subject access request under GDPR