Examples of how commissioning bodies are approaching the task of becoming accredited safe havens for patient data - and the benefits this brings them. HSJ reports, in association with Capsticks

Wandsworth CCG

Wandsworth Clinical Commissioning Group began the process to become an accredited safe haven (ASH) last summer, following a review of their information needs as commissioners.

While PCTs could access data from secondary care, this was not routinely available to CCGs, potentially limiting commissioners’ ability to fulfil key corporate objectives.

“We carried out an extensive exercise to map our functions and data access requirements,” explains information governance manager Charity Mutiti. “We realised we would need to be an ASH to fulfil our ambitions of transforming models of care across different settings.

“Becoming an ASH would give us access to weakly pseudonymised data and we felt this would help us to meet our aims.”

‘We might not be seeing the light at the end of the tunnel yet, but we’re getting there’

Following agreement from the board, the CCG expressed an interest in July and received acknowledgment, along with a list of requirements. These included working through the information governance toolkit and achieving the required standard (level 2) in all categories.

“We had to do this by 30 September, and if there was any area where we didn’t achieve level 2, we had to put a plan in place to address that,” says Ms Mutiti.

After passing this stage successfully, in November, the CCG had to sign a data sharing agreement. This detailed the type of data they would be receiving and what it would be used for.

“That was good news for us, because it was another step in the right direction,” says Ms Mutiti. “There was a lot of work involved, over a short period of time, and a lot of consultation between the IG team and senior management at the CCG. We also had support from the local London lead at the Health and Social Care Information Centre, which was very helpful.”

The HSCIS had to make sure that the data sharing agreement would pass muster (under the May 2013 guidance note on section 251 of the NHS Act 2006, covering confidentiality) and that the type of data, and the purpose to which data would be put, fell within the parameters of section 251.

In January, the CCG was told it had been approved as a stage 1 ASH. “That was so far so good,” says Ms Mutiti. “We felt it was a good achievement.”

Good starting point

Although the application process involved a lot of work, the CCG started out from a good position. “A lot of the requirements involved the sort of things we’d be expecting to do in any case, such as meeting standards on data protection and confidentiality. But the process meant that we had to demonstrate that we were doing it.”

Being a stage 1 approved ASH means that the CCG now receives pseudonymised information with one identifier. Is this enough? “Yes,” says Ms Mutiti. “When we were a PCT we did a lot of our commissioning work based on one identifier - the NHS number - anyway. We find it works well because we don’t need names, what we actually need are numbers.”

The CCG will be able to use secondary care pseudonymised data and match it up with primary care data to test the impact of transformation programmes. For example, if a new service to implement an aspect of care for people with diabetes is set up in the community, the pseudonymised secondary care data could be examined to see if hospital admission patterns change in the light of the new service.

“We can link secondary care activity with primary care, to see the impact across the pathway,” she says.

ASH status also means that the CCG is allowed to set up a controlled environment for finance (CEfF) that allows it to use information for invoice validation - crucial in managing budgets and the commissioning process.

For Wandsworth CCG, the process hasn’t stopped with stage 1 ASH accreditation. The organisation will have to keep demonstrating that it is meeting requirements and standards, and that it is monitoring what it is doing in a satisfactory way. There is also a likelihood that requirements will change as the whole process develops.

For Ms Mutiti, however, the hard work is beginning to pay off. “We’re making progress,” she says. “We might not be seeing the light at the end of the tunnel yet, but there’s some good light, which suggests that we’re getting there.”

Central Midlands CSU

One of the biggest challenges of the new healthcare information environment has been getting information about the changes over to commissioners.

It’s all the more tricky because it’s a fluid situation, constantly developing and redeveloping. Getting consistent information to CCGs in a timely fashion is vital.

It’s an issue for CCGs, also for those charged with helping them, and it’s something which isn’t likely to be set in stone either in the short term or in the future.

This is something that Central Midlands Commissioning Support Unit is taking very seriously, says senior information governance officer and primary care lead Andy Thompson. But he acknowledges it isn’t easy.

“The main issue is that some people in CCGs still think they can get access to the same level of data that they had in PCTs,” he says. “That’s now been restricted, but getting that message across that they can’t have the data is quite a challenge.”

‘The new Caldicott principle on the duty to share information where it is in patients’ best interests requires a change of mindset’ and possibly a change in practice’

The CSU is addressing this in various ways, including tailored training and ongoing support for CCGs. But it’s also about creating the right expectations in commissioners faced with the new restrictions on data.

“Some CCGs have applied to be accredited safe havens, and we are supporting them in that, but even if they get ASH status there will still be a lot of data that they won’t have access to,” he says.

Around 75 per cent of the area’s CCGs have applied for ASH status, but are still waiting to be approved. The application process is thorough, says Mr Thompson, and is aimed at ensuring that information governance becomes embedded in organisations year-round.

Meanwhile, the CSU itself has achieved stage 1 ASH status, which means it can receive weakly pseudonymised data from the Health and Social Care Information Centre. “We have access to the data ourselves but we also have a regional office of the HSCIC locally, which receives all the data. We’ve got staff seconded in there, so they can provide support to commissioners in making their commissioning decisions. We’re very fortunate in that respect.”

Bespoke training

As well as providing training to CCGs, the CSU can deliver bespoke training to GPs if they request it. But keeping commissioners up to date with the latest moves in information governance is a constant task.

There is, agrees Mr Thompson, still some uncertainty about how information governance and information sharing will work in the future, and changes are happening all the time.

He cites the decision to allow CCGs to set up a controlled environment for finance (CEfF), which means they can use information for invoice validation. Although those CCGs with ASH status can now do this, the provision only lasts until autumn of this year, and it’s unclear about what will happen after that.

This changing landscape makes the CSU’s role as a provider of expert support and guidance all the more important, and communication is a big part of that.

That includes ensuring there is high awareness among commissioners of the changes brought about by Caldicott2, for example, which have a real impact on the way that information is shared.

While previously commissioners, and others, might have defaulted to keeping data to themselves if they were in doubt about whether it could be shared, the new Caldicott principle on the duty to share information where it is in patients’ best interests requires a change of mindset, and possibly a change in practice.

But as well as supporting people with information about legislative and other “hard” changes to information governance, the CSU also has an important role in helping to promote the right culture for respectful use of personal information.

Getting people to think seriously about how they use - and share - data is really important, says Mr Thompson: “In training, we’ll always say to people to think about how they would like their personal information to be handled. It’s an important thing to keep in mind when you’re using patient information. You wouldn’t want your information to be left lying around, or shared inappropriately. You’d want it to be treated with respect, so that’s the way you should treat other people’s data.”