Recent moves by the Department of Health to tighten up on data management mean that healthcare service providers must meet the international quality standard, ISO27001.
This requirement is a response to a wider Government initiative to enhance enforcement of data protection regulations, which has recently led to the Information Commissioner’s Office being given new powers to fine organisations up to £500,000 for breaches of the Data Protection Act.
How are service providers responding to the data protection challenge?
Patient care is always the main priority, but data protection is also a key concern and our organisation has put in place processes to ensure that we can continue to meet the highest standards. Having achieved ISO27001 earlier this year, we believe there are now opportunities for organisations like ours to lead the way by sharing best practice among other service providers.
How do you establish a culture that respects data management?
We employ about 340 people in the UK and everyone, from medical equipment engineers to qualified nurse advisors and managers, is required to attend data management forums regularly to make sure that best practice principles are maintained as a priority. These forums aim to personalise data management issues for each employee, so they understand exactly what is at stake. Gaining an appreciation of how important data security is to everyone helps us to respect the information that belongs to others and maintains the focus on our individual responsibilities.
How do you control the flow of information when providing services to patients at home?
Effective data management is all about controlling the flow of information. When delivering a home-based healthcare service, data is particularly vulnerable as it may need to be transferred several times between field operatives, the central administration office and NHS clinics. To address this, where information is transferred to and from personal digital assistants, encryption and strict permissions controls are in place. All data handlers follow strict data management procedures and are also provided with guidance and advice about security control of data transmissions. As a guiding principle, everyone is encouraged to ask before they act.
How do you make sure effective data management processes are maintained?
We maintain a risk register of all our ‘data assets’, which takes account of how each piece of information is used, stored and transmitted. The key threats and vulnerabilities associated with each asset are evaluated, proactively monitored and risk factors mitigated with continuous corrective and preventive actions. As an example, our system security protocols ensure that firewalls, set up to block unwanted access, are tested quarterly by independent assessors to support the security of our data as it flows around our network.
The electronic transmission and storage of information is an important part of our data protection strategy, as minimising the use of paper records helps to mitigate the risk of data exposure.
We operate a stringent internal audit process, which is resourced by a network of 20 Healthcare internal auditors, reviewed by our corporate Audit and supported by in-house Healthcare personnel. The internal audit processes we have in place are thorough and this gives us confidence in our information security management systems and means we can concentrate on giving patients a quality service that will help to improve their quality of life.
Sue Briscall is data protection manager at Air Products Healthcare