Balancing confidentiality with accuracy and accessibility using the NHS’ IGF

Since the introduction of GDPR (General Data Protection Regulation) and the Data Protection Act 2018, UK businesses have been lawfully guided to consider privacy in the collection, processing and storage of personal data. Often this means ensuring the continued confidentiality of this data and minimising the data which needs to be processed. However, it is crucial to remember the importance of data accuracy and accessibility. This is particularly significant in sectors that deal with highly sensitive information, such as healthcare.

Nowhere is this more evident than within the NHS, where patient healthcare information must be meticulously managed. While GDPR sets the foundational standards for data protection and privacy, the NHS Information Governance Framework (IGF) provides additional, invaluable lessons. These lessons are especially relevant to the management of personal data across various sectors, ensuring that data is not only protected but also accurate, trustworthy, and readily accessible when needed.

Holistic approach

Alongside GDPR’s primary focus on data protection and privacy, the IGF developed by the NHS directs healthcare organisations to a more holistic consideration of records management, security and data quality (as well as confidentiality). This ensures all aspects of information management are considered – crucial in a sector where data accuracy and accessibility are as important as confidentiality.
 

IGF journeys

The NHS IGF embraces this holistic approach by placing a special importance on the need to structure information governance around 2 “journeys”.

These are:

  • Journey 1: “Sharing personal/Confidential Patient Information (CPI) between health and social care bodies within a Shared Care Records (ShCR) for the individual care of patients or service users.”
  • Journey 2: “Sharing personal/CPI between health and social care bodies across geographical boundaries for the individual care of patients or service users.”
 

By explicitly stating the specific use of special category personal data (or CPI) before sharing it, organisations can maintain trust and compliance. Just as crucial is making this information accessible at the point of care, so that healthcare professionals with legitimate relationships can access the data they need, as soon as they need it. While GDPR covers these aspects, they can sometimes be overshadowed by a heavier focus on confidentiality and security across different sectors.

Businesses in any industry can learn a lot from the NHS’s approach to managing information. By clearly explaining why they need to share specific data, organisations can build trust and ensure compliance with regulations. It’s also important to make sure the right people can access important information when they need it. While it might seem at a glance that GDPR focuses on keeping data safe and private, it’s equally important to make sure the data is accurate and available. This balanced approach not only keeps information secure from unauthorised access but also helps businesses work more efficiently and effectively and preserves patient safety with information that is correct.

Below, we look at these journeys in more detail, starting with the second:

Data Accessibility

It is true that confidentiality and privacy are paramount in data protection; however, the IGF highlights the equally critical need for data accessibility, particularly in healthcare. It focuses heavily on the 7th Caldicott Principle, which states:
 
“The duty to share information for individual care is as important as the duty to protect patient confidentiality.”
 
Ensuring that patient information is available at the point of care is essential for providing timely and effective treatment. This goes beyond the requirements of GDPR, stressing the necessity of making appropriate and relevant data accessible to health and care professionals who have legitimate relationships with patients.
 
The IGF provides guidelines for ad hoc information sharing, where professional judgement and awareness of ethical rules are crucial. It mandates an effective access control model that allows proportionate access to data within an individual’s health and care record. The NHS helps to facilitate this access control model through the heavy use of information governance templates. Documents such as a Data Sharing and Processing Agreement are required to be in place to facilitate any kind of sharing of confidential patient information. The NHS’ IGF focuses greatly on ensuring that these are readily in place to allow access to critical information at the point of care.
 
By prioritising both accessibility and confidentiality, the IGF ensures a balanced approach that enhances patient care while maintaining data protection standards.
 

Purpose of processing

The IGF underscores the importance of clearly defining the purpose when processing data. It mandates that, for sharing special category personal data or CPI, service providers must communicate the specific use of the information. If the purpose does not fit within the definition of individual care, the Information Governance rules apply differently. This clarity ensures lawful processing and appropriate use of data, enhancing patient trust and care outcomes.
 
By focusing on the specific purpose of data processing, the IGF offers valuable lessons that go beyond the general provisions of GDPR. This nuanced approach is particularly crucial in healthcare, where data accuracy, accessibility, and proper use directly impact patient care and outcomes.
 

Lessons learned

While the IGF is focused on healthcare, its key points about data purpose and accessibility apply to all sectors. Every business should remember that making information accessible to those who need it can be crucial for effective service. However, digital governance should be considered at the outset of defining these channels.
 
Nowhere is this more evident than in the NHS’ IGF, which provides guidance for all healthcare organisations to demonstrate evidence of Joint Controllership, data-sharing agreements, an established lawful basis, and more.
 
 

Let’s not forget confidentiality

We have focused on accuracy and accessibility using the IGF as an example. However, confidentiality is still a crucial element of the security triad. Organisations should examine the security mechanisms on their systems, including tight access control and encryption of data at rest and in transit, and should conduct security vulnerability and testing activities on their systems and processes. Healthcare information is extremely valuable to bad actors, and it can be highly effective in social engineering, identity theft and other fraudulent activities against the general public.
 