20 January 2021
If you work in healthcare, it is often the case that the mere mention of information governance (IG) can provoke a shudder, and not in a good way.
On the one hand, there is widespread understanding of how important confidentiality, privacy and information security is. The shared care record systems we deploy at Graphnet hold extremely valuable and confidential patient information and it is essential that this information is cared for and managed correctly. Having the right IG systems and structures in place is paramount. As many in the NHS have discovered, a project will fail unless it can provide cast-iron reassurance that patient data is secure and managed appropriately.
Yet at the same time, IG also gets a very bad press. It is too often perceived as an area which is burdensome, bureaucratic and a blocker to getting things done. GDPR & The Data Protection Act 2018 are not barriers to justified information sharing. They provide a framework to ensure that personal information about living individuals is shared appropriately and IG exists to mitigate risks, not to have an adverse effect on individual's health and wellbeing.
When I first started at Graphnet, during an introduction at one of my first meetings someone said to me, “Information Governance, the most hated profession in health”. I was not surprised; I have worked in IG for 15 years now. Changing that perception is challenging but I feel like a breakthrough is on its way.
Part of the reason for this optimism is the important role that health tech is playing during the Covid-19 pandemic, and the new understanding about how important and powerful information sharing is. The introduction of the COPI notice - to help ensure information could be shared for the purposes relating to Covid-19 with appropriate controls and safeguards in place - was a massively important moment. Myriads of decisions every day are taken on the basis of the insights provided by data sharing – from prioritising elective care to deciding who to call and recall for vaccination – and the impact on public health protection is played out night after night on our news bulletins.
We, in the health and care system, are also becoming better at managing information governance.
As a supplier, at Graphnet we place enormous emphasis on safeguards, and keeping our wide range of IG protective measures under regular review, focusing in particular on clear role-based access controls, robust audit provisions, appropriate encryption, strong and tested security.
We have also made a great effort to help customers break through that ‘burdensome IG’ perception. We work very closely with customer IG and project leads and have developed a (continually growing) range of processes, documentation and templates to help customers deploy a shared care record in the safest way possible. This includes documentation to assist with the Data Protection Impact Assessments, Information Sharing Agreements and Risk Registers, as well as guidance as to how all areas of IG can work in a shared care record environment. This can take months off the deployment cycle.
Within our own organisation, we like to mirror the approach that the NHS sets out for Information Governance. We adhere to the Data Security and Protection Toolkit and have a management structure which includes a Senior Information Risk Owner and Caldicott Guardian. In addition, we have an information security team which focuses on making sure we can keep our systems secure. We have Cyber Essentials Plus and ensure we run regular scans and penetration tests on our systems. Our compliance team works continually to ensure we meet our Information Security and Data Quality ISO standards.
Perceptions never change overnight, but there is undoubtedly a growing understanding of the importance of data protection in all areas of our lives.
For us at Graphnet and for our customers, data protection requires us to have a ‘privacy by design’ approach: the security and protection of some our most sensitive and confidential information should never be an afterthought. IG isn’t a burden; it must be at the heart of what we do.