Updated: 13th January 2021
Information governance is about how we manage and share information appropriately.
Click here to read a letter from Welsh Government on the request for processing of confidential patient information for COVID-19 purposes.
Click here to read a further letter from Welsh Government (August 2020) regarding the processing of confidential patient information for COVID-19 purposes.
Click here to read a letter from Ifan Evans (February 2021) on the COVID-19 COPI request extension to health boards, GPs and local authorities.
The health and social care system faces significant pressures due to the COVID-19 outbreak and, in the current circumstances, it could be more harmful not to share health and care information than to share it. The Information Commissioner has confirmed that she cannot envisage a situation where she would take action against a health and care professional clearly trying to deliver care. You can read the statement from the Information Commissioner's Office, alongside their Q&A resource. Health regulators have also published a joint statement.
We are all responsible for looking after personal information and the important thing, as always, is to consider what type of information we are sharing and with whom. During this period, where clinical need demands it, we may need to work in different ways from usual. Our focus should be on what information we need to share and who we share it with, rather than how we share it. We should always limit the use of personal or confidential patient/service user information to the minimum required to meet the specific purpose. Use approved processes, systems and applications where it is effective to do so.
This advice has been developed by the NHS Wales Information Governance Management Advisory Group and is endorsed by the Information Commissioner’s Office and Welsh Government. It sets out some of the tools that can be used to support individual care, share information and communicate with colleagues during this exceptional time. Appendix A provides some further practical tips.
Mobile messaging can be used to communicate with colleagues, patients and service users. Commercial, off-the-shelf applications can be used where there is no practical alternative and the benefits outweigh the risks; for example, you would not otherwise be able to communicate with, or provide timely advice to, patients or colleagues. NHS Wales endorses the use of Hospify available via https://www.nhs.uk/apps-library/hospify/ for professional to professional messaging containing personal identifiable information / clinical pictures.
Although they are not designed for business purposes, and are not recommended for this purpose, in the current crisis period only, off-the-shelf consumer applications, such as WhatsApp, can be considered where you urgently need to contact colleagues, staff members or patients if alternative channels are not available. You should avoid messages containing personal identifiable information / clinical pictures in apps that have not been officially assessed and approved for this purpose.
Be mindful that communicating from device to device using consumer applications is likely to expose the details of that device (such as the telephone number) to patients and colleagues. Try to utilise devices provided by your employer or, if the technology allows, mask the device or personal details. Remember that using your personal device could present risks to the security of that device and your personal data.
Further detail on possible messaging solutions will be provided in due course.
The use of videoconferencing to carry out consultations with patients and service users could help to reduce the spread of COVID-19 and may be useful in some clinical scenarios.
The Health Minister has confirmed that AttendAnywhere will be urgently rolled out to all GP practices across Wales as a national video consultation platform.
In the meantime, use existing applications, or other interim solutions made available by your employer, as you see fit.
Although they are not designed for business purposes, and are not recommended for this purpose, in the current crisis period only, off-the-shelf consumer applications, such as FaceTime and WhatsApp, can be considered where you urgently need to have a video consultation with a patient, and if alternative channels are not available.
Consider the clinical risk of not conducting a video consultation against any potential risk of using these types of consumer-focused services. Please be aware of the considerations, described above, regarding the visibility of your device details, such as telephone number, and your personal information.
Please remember that any information you collect during this type of consultation MUST be placed in the appropriate care record.
Also please be mindful that, although the organisation will not be recording the consultation, the patient may be doing so (the patient does not need our consent to do this for their private use).
You may well need to work from home - for example, to reduce potential contact or when self-isolating without symptoms.
Where available, use work devices and associated security measures.
If using your own equipment, check that your internet access is secure and that any security features are in use. If possible, use a Virtual Private Network (VPN) and avoid the use of unsecured networks, such as public Wi-Fi.
When travelling or at home, ensure the security of any physical documents that contain personal or confidential patient information, service user or staff information. Please refer to your own organisation’s policy and guidance, where available, for further advice. See Appendix A for practical hints and tips.
Using your own device
You may have to use your own device to support video conferencing for consultations, mobile messaging and home working where there is no alternative; i.e. you can’t access your normal work device(s) because you are unable to access your normal place of work. Note the previous comments regarding exposure of device and personal details.
Reasonable steps to ensure your device is safe to use for work purposes include: setting a strong password; using secure channels to communicate, e.g. tools and apps that use encryption; and not storing personal or confidential information on the device unless necessary and appropriate security is in place. Please refer to your own organisation’s policy and guidance, where available, for further advice.
Agreements and risk assessments
The current environment in which we are working is fast moving and subject to change. As such, we believe efforts are best focused on finding practical solutions to ensure that appropriate care and treatment can be provided to those that need it. During this period of pressure, take a risk-based approach to the development of agreements and data protection impact assessments (DPIAs). You may need to prioritise the provision of care and treatment.
There is a clear lawful basis for the necessary disclosure and sharing of information between partners including GPs, Health Boards, Social Care Departments and Public Health Wales and the absence of agreements or DPIAs should not restrict the sharing or disclosure of data. It is good practice to keep a record of decisions you make (for example, save email strings) and to revisit assurance activity, such as agreements and DPIAs, if temporary ways of working develop into more permanent arrangements.
Arrangements involving third party suppliers processing personal data on your behalf need to be underpinned by a legal agreement. You will need to seek advice from your Data Protection Officer or Information Governance lead before entering into any such arrangement.
For all video or teleconference consultations, please ensure that ALL information is recorded in the appropriate care record (as you would normally do). Ensure any personal information stored on your own device, or obtained through a video or telephone conversation, is safely transferred to the appropriate health and care record as soon as it is practical to do so. Delete any personal information, including back-up data, from your own device – being mindful of automatic backups that might be enabled. Apply your own relevant professional standards, as you would normally. Also remember that data protection rights and rules apply to any personal data stored on your personal device.
Speak to your own Information Governance lead or Data Protection Officer if you require assistance or have any queries about this advice.
Appendix A - tips for digital communication with patients and using your own device
Wherever possible, use approved processes, systems and applications in your dealings with colleagues and patients. Where the current situation means that you need to work differently, consider the following hints and tips.