South London HIV Partnership: The Data Protection Challenge

1
South London HIV Partnership The Data
Protection Challenge
Dr. Nathaniel Williams NAW Solutions
Limited South London HIV Partnership
(SLHP) Monitoring, Verification, and Evaluation
(MVE)
2
South London HIV Partnership (SLHP)?

• c9,391 HIV people in South London
• Community health services for people living with
  HIV (PWLH) in South London
• Supports clinical services
• Multi-agency approach statutory, voluntary, and
  private sectors
• Funded by 23 local authorities and Primary Care
  Trusts (PCTs)
• Innovative model central access assessment
  point , integral specialist services, service
  user feedback function
• Supported by a shared data network backbone

3
The SLHP Delivery Model

• Five core services
• First Point (The Metro Centre) Assessment
  referral
• HIV Health Support (THT) Treatment other
  information
• Advice Advocacy (THT) Welfare Advice
• Counselling (Terence Higgins Trust (THT))
  One-to-One and couples support
• Peer Support (TBC) Group-based support

4
Information Sharing Foundation of the SLHP

• Identifying care and other needs
• Referrals - internal external
• Collaboration and coordinating care
• Follow-up care
• Feedback about service quality
• Management Information outcomes data

5
Information Sharing The Prize

• Assured quality of care for service users
• Improved service user experience
• Robust information to drive
• Service improvements
• Service development (including new services)
• Equality of access
• Better outcomes for all stakeholders

6
Data Sharing Challenges I

• Fear stigma related to HIV status -
  disclosure still an issue
• Engaging excluded groups transience/fear of
  agencies
• High profile personal data losses HMRC, Zurich
  Insurance
• Partnership environment shared values on
  personal data?
• High cost of getting it wrong ! loss of
  confidence, loss of service users

7
Information Sharing Challenges II

• The Data Protection Act 1998
• Caldicott Principles (NHS)
• European Commission/Charter on Human Rights
• Health Records Act 1990
• Local PCT/Local Authority Governance
• Maintaining a service user focus
• Changes to SLHP partners and services

8
Information Sharing Solutions I

• Clears roles responsibilities at all levels
• Leadership, implementation, compliance, and
  verification,
• Partnership, partner, service, and individual
  levels
• Plan using available resources - start with key
  principles
• Sector guidance toolkits (www.ico.gov.uk)
• Training (appropriate)
• Decide on what information to share and review
  against key principles
• Adopt a Total approach- it is everyone's
  responsibility

9
Information Sharing Solutions II

• Develop deploy an internal audit framework for
  data protection
• Partnership-wide polices protocols (involved
  approach)
• Risk register includes data protection
  confidentiality
• Internal audit includes document systems
  reviews, and and staff interviews
• Post-audit development plans
• Serious sanctions breach of contract

10
Information Sharing Solutions III

• Consent is key - involve the service user
• Mutual understanding concerns vs. purpose
• Focus Groups
• Document Reviews clear and easily understood ?
• Outcome New consent form design
• Outcome New data protection information
  sharing FAQ

11
Information Sharing Solutions IV

• See data protection governance as an enabling
  framework not as a barrier to information sharing
• Use technology as a tool and not a solution to
  data protection- dont forget the basics !
• e.g. filing cabinets, interview space etc.
• If you are not sure ask the Information
  Commissioners Office (ICO)

12
Information Sharing Simple Perspective

• Always recognise personal data as a someone's
• personal property and treat it as such.

13
Thank You
e nathan.williams_at_naw-solutions.co.uk t 07966
119 660
The South London HIV Partnership www.slhp.org.uk
14
Resources
Data Protection Act 1998 Basics Original Link
http//www.ico.gov.uk/what_we_cover/data_protectio
n/the_basics.aspx Tinyurl http//tinyurl.com/4fj2
yw Good Practice Guides Original Link
http//www.ico.gov.uk/tools_and_resources/document
_library/data_protection.aspxdetailed_specialist_
guides Tinyurl http//tinyurl.com/yldzcap Caldic
ott Principles Original Link http//www.dh.gov.u
k/en/Publicationsandstatistics/Publications/Public
ationsPolicyAndGuidance/DH_4006467 Tinyurl
http//tinyurl.com/yjmn6dg Useful Data
Protection Summary (City of London) Original
Link http//www.cityoflondon.gov.uk/Corporation/L
GNL_Services/Council_and_democracy/Data_protection
_and_freedom_of_information/Data_protection_act.ht
m Tinyurl http//tinyurl.com/ygocpf7 Human
Rights Act Original Link http//www.direct.gov.u
k/en/Governmentcitizensandrights/Yourrightsandresp
onsibilities/DG_4002951 Tinyurl
http//tinyurl.com/6haqd6
15
Data Protection Act (1998)Principles

• Data should be
• Fairly and lawfully processed
• Processed for limited purposes
• Adequate, relevant and not excessive
• Accurate and up to date
• Not kept for longer than is necessary
• Processed in line with your rights
• Secure
• Not transferred to other countries without
  adequate protection

16
Caldicott Principles

• 1 - Justify the purpose(s)
• 2 - Don't use person-identifiable information
  unless it is absolutely necessary
• 3 - Use the minimum necessary person-identifiable
  information
• 4 - Access to person-identifiable information
  should be on a strict need-to-know basis
• 5 - Everyone with access to person-identifiable
  information should be aware of their
  responsibilities
• 6 - Understand and comply with the law

17
Schedule 2 - Conditions for processing personal
data

• One of the following conditions must be met for
  processing personal data
• Consent has been given by the data subject
• It is for entering or performing a contract with
  the data subject
• The data controller is under a legal obligation,
  other than under contract
• It is to protect the vital interests of the data
  subject
• It is for the administration of justice,
  exercising functions under an enactment,
  exercising of government functions, or the
  exercise of any other functions of a public
  nature in the public interest
• It is for the pursuit of the legitimate interests
  of the data controller

18
Schedule 3 - Conditions for processing sensitive
personal data

• One of the following conditions listed in
  Schedule 3 must be met
• Explicit consent has been given by the data
  subject
• It is for the exercise of rights or obligations
  in connection with employment
• It is to protect the vital interests of the data
  subject or anyone else
• It is part of the legitimate activity of a not
  for profit organisation
• The personal data have already been made public
  by the data subject
• It forms part of legal proceedings, including
  obtaining legal advice, and exercising or
  defending legal rights
• It is for the administration of justice, or
  exercising functions under an enactment, or
  exercising of government functions
• It is for medical purposes
• It is for the purpose of monitoring equality of
  opportunity

19
Information Sharing The future and SLHP

• Service user log-in areas
• Making referrals
• On-line Subject Access Request(s)/view own data
• On-line interaction with other service users-
  On-Line Peer Support
• Review and enhancement of partnership protocols
  at all levels