Practical issues to consider to achieve safe data sharing across an ICS

Information governance (IG) is a fundamental requirement for safe data sharing. While compliance with legislation such as the UK Data Protection Act (DPA) 2018 and the use of NHS security standards and procedures such as HSCN/N3 are essential, the practicalities of safe data sharing can make a significant difference to both IG teams and data users.

Ross Williams, Senior Project Manager at ReStart, explains. 

A patient-centric approach to safe data sharing

For the past decade, many NHS organisations feel they have been walking the tightrope between providing more access to patient data to support clinicians in delivering better outcomes and managing the escalating data security and compliance demands. Certainly, the General Data Protection Regulation (GDPR) arrival in 2018 focused the attention of anyone involved in data sharing and collaboration – with the UK’s DPA 2018 setting out near-identical data protection requirements.

Security requirements are fulfilled through HSCN/N3 access, but it is also important to consider national opt-out requirements, which come into force in September. Has a patient opted out of sharing their personal information, and do you have this logged so that it’s easily visible to clinicians at the point of care?

Over the past year, attitudes to data sharing have evolved. The value of collaboration and better access to patient information across diverse locations has been proven during the pandemic. The government’s innovation of Control of Patient Information (COPI) rules to support the fight against COVID-19 and protect citizens facilitated a high level of information sharing. Indeed, the need to use digital information when many paper records were removed as part of infection control, has won over many clinicians who previously had reservations about a more open data culture.

In a post-COVID world, the emphasis is firmly on delivering the information required to improve patient outcomes. Rather than justifying why an individual needs access to patient data, the question now is ‘why not?’- an attitude, somewhat ironically, akin to that adopted in Europe for some time.

Having said that, each NHS organisation will retain its own data culture, and many, especially those delivering mental health services, will be far more cautious. As such, there are several practical issues to consider to achieve safe data sharing.

1. Create data sharing agreements

For any organisation within the NHS looking to share data, a data-sharing agreement is essential. Every Trust and ICS has different IG skill sets and expertise – and some organisations may need help with the completion of documents, including the relevant technical information. It is important to remember that it will always be the organisation’s responsibility to get the right agreement in place with every partner organisation.

2. Define role-based data access

The most important principle of data sharing is to ensure the right people get access to the right data.  While the focus now is on providing as much relevant patient data as possible to improve outcomes, it is important to avoid oversharing. There is no point in giving people access to data they simply don’t need. Administrative staff, for example, do not require access to all clinical information.

With the IMX-IR Interoperability Record, we can provide a vast array of data to individuals across multiple health and care settings, including community and social care. To control this access, we create a detailed, role-based matrix that defines which roles need access to which data – and the specific functionality available to each individual. Taking this process right down to individual data items provides a level of data granularity that ensures individuals have access to the right data – without being overloaded with unnecessary information.

3. Revisit the matrix with every data addition

Taking the time to sit down and work out this role-based matrix is an essential step in safe data sharing. It provides the foundation for adding any new data, organisation or individuals – with every change, it is important to revisit the matrix and review the roles/data access rules.

Typically, we advise organisations to err on the side of caution when it comes to the amount of data being shared to avoid oversharing – it is easy to change the matrix and extend user access to data over time. Actively collecting user feedback during a pilot IMX-CR deployment will feed into the matrix for the full roll-out.

4. Set additional controls for sensitive data

Sensitive data – including mental and sexual health information – requires special consideration, especially regarding access. Is the data remaining within the hospital or being shared with the wider community?

Suppose it is being shared within the hospital via point-to-point integration or an integration engine interface. In that case, data access is restricted by the end system rather than an integration solution. If a interoperable care record such as IMX-IR is being used, that data can only be accessed by users with specific permission or by making an additional request to see sensitive data.

Adding a ‘break glass’ option ensures individuals think about their data requests and have to make a conscious decision to see sensitive information.

5. Automate alerts and audit

The entire data sharing process is audited and can be alerted. Depending on the IG processes within each organisation, an alert can be raised whenever an additional information request is made for sensitive information, for example. Detailed reporting ensures the Trust or ICS has a complete record of who is accessing sensitive information and when.

Automating alerts and audit provides an essential layer of control over existing processes for data sharing which are often based on personal phone calls. Many Trusts have set processes in place for recording how, when and where patient information is received. However, in the heat of front-line service delivery, it is hard to enforce compliance.  Using technology such as IMX-IR transforms the ease with which individuals gain access to data across one or more organisations and helps to enforce data sharing and security policies.

Conclusion: Safe data sharing

With the extension of data sharing across health, community and social care settings, organisations face an ever-expanding IG role. With the right approach, the process is not more complicated, just larger. With a role-based matrix, an organisation has a robust, rules-based foundation that can rapidly expand to support new end users and data sets.

By safely delivering the right data in the right detail, an organisation can also build up data confidence for each individual. Proving the value of collaboration and showing the levels of control over who can access data can help overcome any remaining islands of ‘data ownership’ and build great momentum for data sharing strategies.

If you need help with the deployment of your shared care record, or if you need help joining up systems, new or existing – get in touch. We’ll connect you with one of our technical experts for free discovery consultation.

For more information about how interoperability is helping organisations across the NHS meet data sharing objectives download our eBook: An essential guide to sharing any data across any care setting.  Including a free checklist to assess the level of data sharing within your organisation.

Ross Williams, Senior Project Manager, ReStart

By Ross Williams

With over 17 years of experience in solving interoperability challenges within the NHS, Ross has unparalleled expertise in the health and care ecosystem as a respected senior project manager. Ross is known for putting the customer at the heart of any plan.