A simple matter of trust

When people share personal information with a healthcare professional, they do so because they know it is an important part of the patient-professional relationship. They also recognise that such information is likely to be used, with appropriate safeguards in place, to help develop preventions, treatment and care for the whole population, current and future.

When people share information they presume that we will keep it safely and confidentially. It is not surprising, therefore, that people become concerned when they read or hear stories about health information being lost or shared by mistake.

Information governance refers to the practice of handling information in a confidential and secure manner following appropriate ethical and quality standards. Information governance for healthcare systems is about putting in place the types of safeguard that help us all (individuals, the community, professionals, politicians) retain trust in services. Balancing the need for information to improve care with the requirement to maintain confidentiality means we must use a 'strong rules' based approach to ensure safe storage and transfer of the information collected. Current services have been shaped by what previous patients and health professionals said and did. We also have to be aware of our own duty of trust to those who will follow on from us. Future health professionals and patients expect us to collect, analyse and apply information about the population's health needs and the best way to address them so that they, in turn, will benefit.

Understanding the rules

NHS Scotland collects and uses considerable quantities of information for prevention, treatment, teaching, research, planning and administration. All of these activities contribute to the services patients receive [1]. Information handling, however, must be undertaken in line with legal and regulatory requirements. These include:

  • The Data Protection Act (1998) [2];
  • European Convention on Human Rights [3];
  • Re-use of Public Sector Information regulations [4];
  • Scottish Government: NHS Code of Practice (Scotland) Records Management [5].

There are also professional and ethical codes of conduct and guidance. These enable disclosure and sharing of information in appropriate circumstances while complying with, for example, the NHS Code of Practice on Protecting Patient Confidentiality [6]. Together these codes, rules and regulations provide a set of underpinning principles or information governance standards. These are used by NHS Lothian in its approach to information governance. This is illustrated in Box 1. NHS Scotland has published six high level information governance standards monitored on a regular basis by both the NHS Information Governance team at the Information Services Division (ISD) and Quality Improvement Scotland (QIS) [7].

[ Box 1 ] Underpinning principles for information governance
  • Openness about and access to data stored.
  • Limiting collection of data to what is needed.
  • Limiting use of information.
  • Storing and retaining information appropriately.
  • Appropriate disclosure.
  • Controlling secondary usage of data.
  • Security of information.
  • Compliance with the rules.
  • Accountability.

Adherence to information governance standards is one of the ways that the health service can retain the trust of the public. These standards ensure that the arrangements for the recording, storage and transfer of confidential information within and between professionals, services and organisations are effective and secure (see Box 2).

[ Box 2 ] Consent and confidentiality

Health and social care workers have to cope with what seem like conflicting objectives: the right to access information about individuals and the need for protection of personal data. Guidance exists to help professionals take decisions about what information can and should be stored. Professionals are required, however, to make the judgements necessary to provide safe, effective care and retain the trust of the public. Professionals and organisations providing health services are expected to comply with the Caldicott principles [8]. These can be summarised as:

  • There is a justification for using patient data;
  • Patient identifiable information will not be used unless it is absolutely necessary;
  • Only the minimum necessary patient identifiable information will be used;
  • Access to patient identifiable information should be on a strict need-to-know basis;
  • Everyone should be aware of their responsibilities to maintain confidentiality; and
  • Everyone should understand and comply with the law, in particular the 1998 Data Protection Act.

Supporting and advising staff to help resolve the dilemmas they face around gaining and understanding consent is a feature of the current and future work of the Director of Public Health's role in protecting patient confidentiality.

Consent workshops for community staff, including health and social care teams, show the difficulties in understanding the need for consent, the different types of consent and exceptions to the rules, particularly in relation to child protection and vulnerable adults. More workshops are planned and will continue to be a key part of the education and training for NHS Lothian staff and those in partner organisations.

Information governance in Lothian

In Lothian, as in all Scottish NHS Boards, there is now a governance structure for the management of information that brings together health service and other agencies into joint agency working groups. This is illustrated in Figure 1. The groups have detailed action plans to meet agreed information governance standards. The system also monitors information governance incidents (such as the loss of personal data on a removable storage device).

[ Figure 1 ] The organisation of information governance

What information can be shared across agencies is governed by Information Sharing Protocols (ISP). These were first developed in Lothian in 2005. These are reviewed at least annually and when new legislation is enacted. The current protocols are shown in Box 3.

The Pan Lothian Information Sharing Protocol Review Group monitors and evaluates breaches of these protocols. Further development of shared information protocols continues with the development of Information Sharing Protocols for Drug and Alcohol Services and Voluntary Agencies at an advanced stage.

[ Box 3 ] Current Information Sharing Protocol
  • General protocol for sharing Information.
  • Data sharing agreement governing the receipt and disclosure of personal information.
  • Information sharing agreement for access to information on the Edinburgh and Lothian's Child Protection Register via shared server.
  • Data sharing agreement for single shared assessment.
  • Data sharing agreement for information relating to carers in East Lothian.

New directions in information governance

Over the past months NHS Lothian has worked hard to further develop its approach to supporting and protecting patient information. NHS Lothian is recognised as a leader in its use of encryption software as a way of protecting patient information.

During the next 18 months NHS Lothian will be working alongside other Health Boards to develop and implement systems that clearly signpost what health information can be accessed by which type of healthcare professional. This rule-based approach will only allow professionals with specific types of health role access to information on patient-based information systems.

A very basic requirement of healthcare provision includes accurate and clear recording of the care a patient receives. The Lothian Information Governance Working Group is working on ways to ensure data quality through implementation of good housekeeping programmes that will keep our patient-based electronic systems fully up to date.

Above all, they will be electronic and human systems in which we all can trust.

Key Messages

  • Sound information governance is essential to effective healthcare delivery
  • Security of information - collected, stored or shared - is a matter of trust: the NHS must build and maintain such trust
  • NHS Lothian is already seen as having a progressive and proactive approach to information governance
  • A continuous improvement approach is being taken to developing better, more robust information governance of health information systems.