By Kai Winterbottom, Group Manager, Good Practice.
There’s no doubt information security incidents in the public sector are big news. We’re approaching £5 million worth of civil monetary penalties issued by the ICO to the public sector, and for every one there’s a tale of negative headlines and undermined public confidence.
But while fines are the headline-grabbing part of our work, we also work proactively with organisations where they’ve held their hand up to ask for help or come to our attention through complaints and self-reported breaches.
And with that in mind, it was really pleasing recently to be able to work proactively with two NHS organisations who took steps to make the most of that engagement.
Our good practice team visited Plymouth Hospitals NHS Trust and Solent NHS Trust to help raise awareness of data protection and look at some areas where they’ve had issues in the past. From the start, the attitude of staff at both trusts was overwhelmingly positive. We ran an online survey in advance of the visit to gauge awareness, and over 400 staff at each location took the time to respond, demonstrating a willingness to engage and an awareness of the risk to information.
We worked with the trusts to make the most out of the engagement, from planning through to delivery. The survey itself became an opportunity to increase awareness of information security risks, and we used that in tandem with internal promotion such as posters, screen savers, face-to-face briefings from Information Governance staff, and messages from key senior staff in the build-up to the visit.
The visits themselves also helped to increase the visibility of Information Governance staff and of a regulator supporting the NHS to promote good practice in handling patient information.
Once on site, we saw that both trusts have a mature approach to ensuring that information governance and security training is delivered to a diverse body of staff at the right times, in the right medium and with the right messages. We liked the use of a network of Information Governance (IG) champions, whose duties included acting as a conduit for IG information, carrying out subject access requests and spot-checks, and being a reference point for other staff.
We also liked the use of unique fobs to ‘pull’ a print job on request. This allows several people to share a printer, without the risk that sensitive information gets left unattended, or is mistakenly picked up by a colleague.
As with most organisations we visit, there were some areas that could be improved.
Using paper records, for instance, brought with it some problems that are common for NHS bodies. Patient handover sheets are a prime example. While they are clearly necessary, the key is ensuring robust mechanisms for handover between clinicians as well as ensuring records are properly secured and disposed of when they are no longer needed.
The heightened awareness by staff of the steps that need to be taken to protect patient confidentiality was reassuring, in conjunction with the development of other controls.
Tips for other NHS trusts to consider then, but definitely a pat on the back to the two trusts involved. We visit many trusts, and these two fitted what we often see: staff working hard to deliver front line care whilst at the same time ensuring that the Trust meets its obligations to process our personal data with care and respect.
For information about how you can work with the ICO to help improve how you handle information, and to see if there are lessons you can learn from those we’ve already worked with, see the Working with the ICO section of our website.
Kai Winterbottom is Group Manager for the NHS sector within the ICO’s Good Practice team. Good Practice’s aim is to help organisations understand how to comply with the DPA.
Last updated 01/10/2014 17:00