Trusts 'treat IG return as box-ticking'
05 Feb 2010
Too many trusts are using the Information Governance Toolkit return as a tick-box exercise rather than as a means to ensure that confidential information is safe, a conference has heard.
Tony Cobain, head of IM&T for Mersey Internal Audit and Assurance, told the CHKS annual user group conference in London that about a third of trusts lived and breathed IG and used audit to check whether policies were being used in practice.
One third were doing their best, he said, but a final third were “going through the motions” and viewed the IG return as a tick-box exercise.
He said: “It’s left until March 31 and is done in half an hour by one manager with no research. It is all about ticking boxes.”
Cobain is now working with the Audit Commission and Department of Health on a new toolkit and audit methodology. The IG toolkit lists 67 questions that trusts must answer each year.
Cobain said that although it had wide ranging coverage and was based on good practice, there were a number of problems. He said: “It [the IG return] tells you about policies but not about what people are doing with them.”
To highlight his point, he compared press coverage of data losses from several NHS trusts and primary care trusts in 2009 with their annual IG returns.
In one case, a health worker lost a memory stick with medical details of prisoners on it. The stick was encrypted, but the worker had written the password on a sticky note and posted the two together. It had subsequently gone missing.
However, the PCT’s IG return said that users had been given secure removable devices and instructions on using them.
In another case, a secretary was blamed for losing data on a disc. Again, the trust’s IG return said staff had been provided with secure removable devices and trained on their use. A later investigation by the trust found that there had been a delay in getting memory sticks to staff and a gap in training.
Cobain said: “Organisations are using the IG return to paint nice pretty pictures of themselves despite what is actually going on. The statements do not stack up.”
The mandated return was also limited by its lack of risk assessment, he said. Trusts score zero to three points on each of its questions and are encouraged to improve year on year.
But he added: “It has no concept of a trust having understood risk and deciding not to move forward. The last 20% of the push requires 80% of the effort and it must be up to trusts to take a risk management position on whether they expend resources on this or on something else.”
He welcomed a recommendation from the Care Quality Commission - made in its review of IG published in March 2009 - for mandatory audit of information governance with external validation.
This is now being taken up, with the new IG toolkit and audit methodology being developed by the Audit Commission and DH due for publication this summer.
He warned NHS trusts: “You will be crawled over by auditors from the strategic health authority. It is not about the toolkit or its requirements but about having clear policies in place, people who understand them and doing the right thing.”
In a statement, the DH said: “We have set clear standards for NHS organisations to adhere to on data handling, and have issued guidance that sets out the steps they must take to ensure records are kept secure.”
In addition to the new toolkit and audit methodology, the DH has made training available via NHS Connecting for Health and is working proactively with NHS partners to ensure robust information governance.
Daloni Carlisle
© 2010 E-HEALTH-MEDIA LTD. ALL RIGHTS RESERVED.
Comments

1. Stark Warning on laissez faire attitudes
07 Feb 10 10:02
This must not go unheeded, well done EHI for reporting what to some folks might seem rather dull. Information Governance lies at the heart of all Health and Social Care and anyone seen to be dismissing the requirements to take it uber seriously should themselves be dismissed.

2. Pious but true
mr.acute.cio@live.co.uk, 08 Feb 10 11:02
The case for IG is sound and necessary, but its delivery and evangelism is not so. IG will not be delivered by the nanny state approach being taken right now, where there is a very real risk that IG becomes like Health & Safety - detached from reality. The underlying issues have roots deep in culture, ownership, structure, funding and the swings and roundabouts of the NHS's managerial history. Just shouting at us or setting Toolkit targets on what we should be doing won't help. Dump the soap boxes and ask yourselves (find out) why IG is not high up everyone's "must do" list.

3. Is there a better alternative to what is being mandated
08 Feb 10 14:02
And importantly, what is crass about the IG standards that are being mandated? Does anyone agree that the IG requirements are worthwhile? I'd certainly agree that H&S standards go over the top in many cases in the pursuit of correctness - does this really apply to IG?

4. Pot-Kettle-Black
09 Feb 10 13:02
...“You will be crawled over by auditors from the strategic health authority. It is not about the toolkit or its requirements but about having clear policies in place, people who understand them and doing the right thing.”...
Would that be the same SHA that recently e-mailed all their PCTs a shared username and password, unencrypted and in the same message, to non-nhs.net e-mail accounts, for access to a public-facing sftp site, in order to upload SCR data that anyone with the credentials could then access?

5. How simple life is for a SHA
09 Feb 10 16:02
It is easy for SHAs to be righteous (or was that pious). They issue these demands and, possibly based on the simplicity of their structures, think large complex trusts can meet them, just like that. I for one don't disagree with any of the IG objectives or standards, but the sender who said it is all about culture and complexity hit the nail on the head. Developing/establishing ownership of IG within the organisation ain't that easy.

6. How simple life is for a SHA?
09 Feb 10 20:02
I can understand where poster 5 is coming from, but Tony doesn't actually work for an SHA. MIAA is a separate body which provides a variety of audit services to various NHS organisations in the NW. See http://www.miaa.co.uk/ for more details.
PS: I don't work for MIAA :-)

7. Self assessment vs external audit
12 Feb 10 08:02
Even where there is a double check of trusts' scores against an external audit this is not done - see Clinical Coding vs PbR audit. Trusts have had nothing to MAKE them take notice. Self assessment will always be an easy way to ignore the reality of the requirements. It is about a changing culture - we are all users of new technology, we have yet to learn caution and respect for our own personal data in the way that we protect more material things, so how will we respect it in the work environment?

8. Real teeth
12 Feb 10 11:02
We all know that some/most people will "tick the boxes" while there is no real threat or incentive. The surprise to me is that only 1/3rd do this. It is to be hoped that the ICO's new powers to levy substantial fines for data losses will concentrate the minds of those with this cavalier attitude. I further hope that his interpretation of "reckless" will extend to cover just this sort of disregard for people's rights to privacy and confidentiality.

9. More practicality please
julianlesaux@nhs.net, 13 Feb 10 16:02
The trouble with the IG toolkit is that it's all high principle and very little practical application, which is what makes it difficult for people to engage with it in their everyday working lives. For example, one of the requirements in the new requirements for GP practices is "Does the Practice have documented plans and procedures to support business continuity in the event of power failures, system failures, natural disasters and other disruptions?", and attainment level 3 is "The Practice has measures in place to counteract interruptions to critical patient information systems and processes from the effects of major failures and disasters, and these measures have been tested, reviewed and communicated to all staff". What does this actually mean? Does it mean each practice has got to have its own generator? If so, why doesn't it say so, and where's the money going to come from? Examples of recommended policies in this area would be helpful.
Likewise, "Does the Practice have a publicly available and easy to understand patient information leaflet that informs patients how their information is used, who may have access to that information, and their own rights to see and obtain copies of their records?" Well, if the IG site actually supplied a recommended leaflet then this requirement would be extremely easy to achieve.
What would be generally more helpful would be an approach based on known practical issues. For example, when a member of surgery staff has a school-age child off sick, does that member of staff bring the child into the surgery and allow the child to have access to office areas where confidential information may be on display? Breach of IG protocol. If the PCT supplies you with new computers, does the PCT also undertake to remove the old computers and data-cleanse them? They ought to. If not, how do you dispose of the old computers? Do you ever give them away to members of staff? If your clinical system transfers patient documents to caches which are outside the clinical system (e.g. transferring Choose and Book referral letters into a Choose and Book folder), how often are these caches cleared and by whom?
This is the way to get IG awareness into the routine of working life. You have to tie it into nitty-gritty working procedures. Most IG lapses are the result, not of deliberate dereliction of duty, but of people's failure to realise that what they're doing may have an IG implication. The DoH's insistence on taking an arid, disconnected-from-ordinary-life approach to the subject of IG actually makes this problem worse, not better.