Information Governance and Registration Authority: Keeping data safe amid new ways of working
The NHS handles some of the most sensitive personal data available, and patients have a right to expect that any information being held about them will be looked after and kept safe.
In addition to that protection, patients also want to be reassured that anyone accessing information about them has the correct authorisation to do so.
The Information Commissioner's Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
Its new head, John Edwards, who took up the role of the UK’s Information Commissioner at the start of 2022, says:
“Privacy is a right not a privilege. In a world where our personal data can drive everything from the healthcare we receive to the job opportunities we see, we all deserve to have our data treated with respect.”
Ensuring that right to privacy remains intact, The Health Informatics Service (THIS) provides clients throughout the UK with knowledge, guidance and expertise on all aspects of Information Governance (IG) and Registration Authority (RA) as part of its professional services portfolio.
Information Governance covers a huge spectrum of activity ranging from Freedom of Information (FOI), data protection and confidentiality to IT security, anti-virus assurance and internet filtering and reporting.
Our award-winning IG service provides consultancy, training and learning products to help our host trust - the Calderdale and Huddersfield NHS Foundation Trust (CHFT) - and our healthcare clients handle personal and corporate data legally, securely and efficiently.
In order to access NHS systems and applications, healthcare professionals are required to be registered with NHS Digital and be issued with a Smartcard to ensure they are identified correctly and given appropriate access. This is achieved by identity verification and creating a national digital identity for each user.
This process is done via local ‘Registration Authorities’, which consist of people who are trained to create identities and grant access. Our Registration Authority (RA) service operates to NHS Digital’s National Operational Process and Guidance.
Confidentiality – the cornerstone of good medical practice
Confidentiality is the cornerstone of good medical practice and is central to the trust between doctors, colleagues and patients.
The Covid-19 pandemic placed significant pressures on the health and social care system. We opted for remote working for our teams to reduce the spread of Covid among staff with the aim of maintaining good service and support for our host trust and our clients.
But with all face-to-face activity in the IG and RA arenas suspended, we put our faith in Microsoft Teams to aid communication and collaboration.
It was vitally important the Trust adopted some basic security principles that would protect confidentiality while maintaining ‘business as usual’, especially as the use of Microsoft Teams was being encouraged to carry out consultations with patients and service users to reduce the spread of Covid-19.
There were some key considerations that had to be factored into the operational service to minimise any potential security breaches, and this resulted in the creation of new guidance documents covering working from home and the use of Microsoft Teams.
Home is where the threat is…
Home is often the place we feel most secure, but this can blind us to potential threats.
Some basic operational considerations have been implemented for using Teams and its associated services at home, such as:
- Never leaving laptop/desktop computers or tablets unattended
- Never sharing screens with anyone without a legitimate reason to see, use or access confidential information
- Not sharing login credentials to allow viewing of patient information, or inputting information into clinical applications
- Ensuring physical security: for example, not leaving confidential information or documents on display where they could be viewed
- Ensuring any recorded Teams sessions complied with standard local and national IG policy.
Other ‘common sense’ advice includes not leaving equipment on show at home and not leaving equipment in the car.
Keeping personal data safe
Microsoft Teams is the preferred communication platform for CHFT as it is UK-hosted, General Data Protection Regulation (GDPR) compliant, ISO 27001 compliant and provides integration with other CHFT software such as Outlook and ultimately Office 365. It is a secure, moderated collaboration tool that combines voice and video conferencing with WhatsApp-style chat and instant messaging.
Our guidance put in place some must-do procedures to ensure we kept Personal Confidential Data (PCD) secure. These include:
- Minimising the use of PCD
- Security measures for accessing Teams on personal devices
- Not extracting or storing PCD on non Trust, personal or any other storage device
- Following the working from home guidelines
- Ensuring recorded Teams meetings complied with GDPR and IG policy
- Sharing data for use in Teams
The latter focused on the ways PCD could be shared in Teams, reminding users of GDPR considerations and how to pseudonymise anyone being discussed.
Our guidance says:
“If both parties have access to NHS mail accounts such as cht.nhs.uk or nhs.net this would be a secure method of sharing information with the other Teams contributors and again, use of video and voice conferencing would enable collaboration. The mail solution is secure and transfer of PCD would be appropriate.
“If neither of these approaches are available and it is important to distribute the PCD by Teams, it should be transferred in encrypted format. This could mean secure password protected files and would depend on the file format how the encryption is carried out. Passwords would need to be shared securely and separately from the encrypted material.”
Overcoming the upheavals of the pandemic
One of the biggest upheavals we have faced is the suspension of face-to-face RA sessions, held pre-pandemic in Wakefield, Halifax, Huddersfield and Brighouse. This was business as usual (BAU). However, not maintaining that measure of BAU created a potential risk to organisations relying on THIS for RA support; namely, new Smartcard users not being registered on the Care Identity Service quickly and efficiently.
With the RA team working from home, its members had to shift mindset, and that included posting out Smartcards via Royal Mail. In certain urgent circumstances Smartcards were even collected from the home of an RA team member; unconventional, but necessary in a crisis situation. Overstepping a boundary that would not normally be overstepped ensured clients could access clinical systems to keep patient records accurate and current.
As the threats of the pandemic recede, NHS Digital is considering new ways of working based on the lessons learned over the pandemic. One proposed solution is a self-service registration portal and THIS has been asked to contribute to the consultation process.
Melanie Hill is THIS’ Information Governance and Registration Authority Manager. She says:
“Ideally, we would like to resort to seeing clients face-to-face but there is no doubt Microsoft Teams appointments and posting out Smartcards has relieved the pressure on our RA service in the circumstances.
“Posting out Smartcards had been requested of us before the pandemic but never agreed, it just wasn’t something we would consider. But in the context of the pandemic, posting out a Smartcard was no greater risk than posting out a bank card.
“Going forward, I think a combination of face-to-face and Teams appointments is a good compromise and we will be on hand to support our customers irrespective of the options that are available to them.
“In fact, Teams appointments, the potential option to self-register and removing the restriction of a face-to-face meeting provide THIS with an opportunity to overcome the geographical restrictions of new Smartcard users having to meet with us in person, making it more of a viable proposition to provide services to organisations anywhere in the UK.”
The additional pressures of new ways of working
A further manifestation of the upheaval caused by the pandemic has seen an increased reliance on existing Smartcard sponsors and ID Checkers. The suspension of face-to-face RA appointments has created a need for more ID Checkers, yet many in those positions have been working from home, restricting their operational ability, or have been self-isolating.
As these roles are not full time but additions to other responsibilities, the system has found itself under pressure due to a lack of available staff while there is difficulty in recruiting new sponsors and checkers.
The hope is these pressures will ease as the pandemic eases and more staff are convinced to adopt these important roles.
Tackling the perils of remote working
The proliferation in remote working has become a test of cyber security.
In 2021, the National Cyber Security Centre received nine million reports of scams which resulted in 70,000 stings being removed from 130,000 web addresses.
Phishing, when criminals use scam emails, text messages or phone calls to trick victims, has increased exponentially. The aim is often to make the intended victim visit a website, which may download a virus onto a computer, or steal bank details or other personal information.
Vigilance regarding cyber security is now paramount. In one period of just two months, THIS’ host trust received 46,600 phishing emails and 34,600 spam emails, resulting in 1,658 malicious websites being blocked and 1,432 pieces of malware being blocked.
Helen McNae, THIS’ Data Protection Officer, says:
“I think there are two reasons for this. Firstly, criminals know more people are working from home and the potential to catch them off-guard has increased. Second is the use of personal equipment at home to link into work, which people can do, but they might not have the same security built into their personal equipment.
“Our information security team can identify the IP addresses and the source of the emails. We are constantly blocking emails, websites and malware. We are constantly reminding our own teams and those of our clients to be more vigilant.”
If our clients need reassurance, THIS holds ISO 27001 Information Security Management, 9001 Cyber Management and 20000-1 Information Technology Service Management. We are compliant with NHS Digital/NHS England Data Security and Protection Toolkit (DSPT) and our IG team boasts more than 60 years’ worth of experience in their expertise.
“The training we conduct is NHS Digital/NHS England mandated, so we cannot influence that, but it has certainly changed to be more cyber security orientated. But the written guidance from THIS’ IG team is a change of practice, we didn’t do anything like that previously.”
THIS’ service desk also monitors cyber security and issues alerts to all CHFT staff if there is a threat and our account managers then alert their clients.
IG in the future
Covid-19 has honed the skills of the IG team, which has drawn on its collective experience to provide the best possible service to internal and external customers and ultimately have a positive influence on patient care.
The team has been adaptable in rising to the challenge, embracing flexibility. Some changes have been uncomfortable because it has been outside the scope of normal practice, but we have drawn on individuals’ experience and capabilities to ensure a smooth transition.
“This success has been made possible by good communication, trusting our colleagues, changing the way in which we lead and rapid decision-making.
“We have embarked on a journey and have embraced new ways of working in Teams, across organisations and sectors, and this has been supported by rapidly deployed technology. The use of video conferencing has enabled us to collaborate with colleagues far and wide and cut down considerably on travel time, meetings overrunning and unnecessary bureaucracy. Agile/remote working, I believe, is here to stay.”
More about Information Governance
We have a seven-strong team of qualified professionals providing high-quality, specialist support and assistance to ensure organisational compliance in handling personal and corporate information legally, securely, efficiently and effectively.
Our team supports NHS organisations, NHS arm’s-length organisations, charitable organisations and private entities that need to access NHS data from numerous locations across the UK.
Helen McNae adds:
“Data protection is compulsory whether you are an NHS or private organisation. That is what the Information Governance service is there for primarily, to make sure organisations comply with the mandatory data protection regulations across all healthcare sectors.
“Much of our work is sector-specific as we are processing NHS data, for which we have the Data Security and Protection Toolkit (DSPT), a set of requirements that organisations have to comply with to be able to process any NHS data.”
THIS expertise covers consultancy, training and learning products for all aspects of information governance, such as Freedom of Information, privacy impact assessments, data flow mapping, records management, data quality, and IT security including anti-virus assurance.
Attaining the level of knowledge and best practice required by organisations is achieved via THIS’ specialist training services. The essential training provides guidance and education for senior information risk owners, information asset owners and administrators, data protection officers and Caldicott Guardians – a Caldicott Guardian being a senior staff member responsible for protecting the confidentiality of people’s health and care information and making sure it is used properly. All NHS organisations and local authorities providing social services must have a Caldicott Guardian.
Fundamentally, IG is an enabling service to ensure data is handled safely and stored securely. The end solution takes away any difficulties clients might encounter.
“For example, many NHS organisations have an IG officer and/or data protection officer within their organisation, who are responsible for the data they handle. The beauty of working with THIS is we can work with an organisation without really being visible to make them safe, secure and compliant. We make them compliant before they really have to worry about it, taking up the slack for them and providing peace of mind.”
More about Registration Authority
THIS’ RA service currently provides support to over 400 customer organisations, which equates to approximately 40,000 active Smartcards. Our clients include NHS Foundation Trusts, Clinical Commissioning Groups (CCGs), GP practices, pharmacies, local authorities, social enterprises, hospices and universities.
While THIS works primarily with the NHS and its arm’s-length organisations, its experience and expertise allow it to extend Registration Authority services beyond the health sector.
Helen McNae says:
“Our link with the NHS really cements our reputation as being leaders in this field, because of the size of our footprint. We are the provider of choice for many organisations and our reputation has been sealed through word of mouth recommendations.”
THIS provides two levels of RA service – gold and silver. Irrespective of level, at the outset a customer organisational sponsor must be identified to support the Smartcard registration process by specifying the level of access an individual should be granted. There may also be a need for a Local Smartcard Administrator who can provide non-urgent help and advice.
THIS’ service desk provides an additional, single point of contact for staff within a customer organisation experiencing problems that cannot be resolved by their organisational sponsor.
As the quality and volume of patient data continues to increase, so too will the concerns of the public, organisations and policy-makers about how best to govern this valuable resource.
The power of data for healthcare organisations is set to play a significant role in the digital transformation of healthcare and is seen as a critical element of a successful and sustainable future for the sector. As the uses and applications of patient data grow and adapt to an ever-changing landscape, how this information is stored and who has access to it is deserving of the very best practice.