Category: IG Health

Apprentice Case Study – Meet Natasha

In 2022, Act Now Training teamed up with Damar to support their delivery of the new Data Protection and Information Governance Practitioner Apprenticeship. The aim is to develop individuals into accomplished data protection and information governance practitioners with the knowledge, skills and competencies to address future IG challenges. Two years on, over 130 apprentices are currently on the programme with the first cohort about to undertake the end point assessment.

Data Protection and Information Governance Apprentice, Natasha Lock, is an integral part of the Governance and Compliance team at the University of Lincoln. With the Data Protection and Digital Information (No.2) Bill set to make changes to the UK data protection regime, Natasha talks to us about why this is a great area to work in and how the apprenticeship route has been particularly beneficial for her.

How did you get onto the apprenticeship?

“I was already working at the university as an Information Compliance Officer when the opportunity for a staff apprenticeship came up.

“The process was swift and straightforward, and I was enrolled on the Data Protection and Information Governance Apprenticeship within three months of enquiring.”

How has the apprenticeship helped you?

“I started with a good understanding of the UK Data Protection legislation but my knowledge has grown significantly, and now I’m coming to the end of my level 4 apprenticeship, I’ve gained so much more insight and my confidence has grown.

“As a university, we hold vast amounts of data. My apprenticeship is allowing me to solve the challenge of data retention and implement better measures to retain, destroy and archive information. I have developed a greater understanding of the legislative requirements we must adhere to as a public sector institute and how to reduce and assess data protection risks.

“I love the fact that I can study whilst still doing my job. The flexibility works for me because I can go through course materials at my own pace. I really feel like I have a brilliant work/life/study balance.

“The University of Lincoln and Damar Training have been fantastic in supporting me. I get along with my coach, Tracey, so well. She is very friendly and personable and has enabled my creativity to flow.

“The course is very interactive, and I’ve found the forums with other apprentices to be a very useful way of sharing knowledge, ideas and stories.

“I’m enjoying it so much and people have noticed that my confidence has grown. I wouldn’t have had that without doing this apprenticeship. I’ve now got my sights on doing a law degree or law apprenticeship in the future.”

Abi Slater, Information Compliance Manager at Lincoln University, said: “It has been great to see how much Natasha has developed over the course of the apprenticeship. I believe the apprenticeship has provided Natasha with the knowledge and skills required to advance in her data protection career and the support from her coach at Damar Training has been excellent.

“I would encourage anyone with an interest in data protection and information governance to consider this apprenticeship.”

Tracey Coetzee, Coach at Damar Training said: “The Data Protection and Information Governance Apprenticeship was only approved by the Institute of Apprenticeships in 2022, and its delightful to see apprentices flourishing on the programme.

“From cyber security to managing data protection risks, this programme is upskilling participants and adding value to both private and public sector organisations and we’re thrilled to see the first cohort, including Natasha, approach the completion of their training.”

If you are interested in the DP and IG Apprenticeship, please see our website for more details and get in touch to discuss further.

UK Hospital Trust Reprimanded for GDPR Infringements 

The University Hospitals of Derby and Burton NHS Foundation Trust (UHDB), was recently issued a reprimand (30/10/23) by the Information Commissioner for multiple infringements of the UK General Data Protection Regulation (UK GDPR). This decision highlights significant concerns regarding the management and security of patient data. 

Background of the Case 

UHDB, formed by the merger of the Derby Teaching Hospital NHS Foundation Trust and Burton Hospitals NHS Foundation Trusts in July 2018, operates five hospitals across various locations.
The infringement was initially detected at The Florence Nightingale Community Hospital in Derby. 

The issue revolved around UHDB’s handling of patient referrals for outpatient appointments. These referrals, containing sensitive health data, were processed via an electronic referral system (e-RS). The system, however, was plagued with a critical flaw where referrals would disappear from the worklist after a certain period, resulting in significant delays and data loss. 

Key Findings of the Investigation 

The investigation into UHDB’s practices uncovered several alarming facts: 

Data Subjects Affected: Approximately 4,768 individuals were directly impacted, with over 4,199 experiencing delayed medical referrals. The delayed response potentially caused distress and inconvenience to patients, some of whom waited over two years for treatment. 

Organisational Failings: UHDB was found lacking in implementing adequate organisational measures to prevent accidental data loss, especially concerning special category data. 

Inadequate Processes: The reliance on manual processes and email communications for managing referral drop-offs was deemed ineffective and insecure. 

Lack of Formal Oversight: There was no formal oversight ensuring the effective management and reinstatement of referrals onto the worklist. 

Absence of Risk Assessments: No risk assessment was conducted in relation to handling referral drop-offs, a measure that could have identified and minimised data protection risks. 

Remedial Actions and Recommendations 

In response to the reprimand, UHDB has taken several remedial steps, including conducting full internal and external reviews, contacting affected patients, creating a new Standard Operating Procedure (SOP), and introducing robotic process automation to reduce human error. 

The Commissioner recommended further actions for UHDB, emphasising the need for continuous support to affected data subjects, assessment and monitoring of new processes, and sharing lessons learned across the organisation to prevent future incidents. 

Implications and Conclusions 

This case serves as a stark reminder of the critical importance of data protection in the healthcare sector. It underscores the need for robust systems and processes to safeguard sensitive patient information and the potential consequences of failing to comply with GDPR regulations. 

UHDB’s commitment to rectifying these issues is commendable, yet the incident raises broader questions about data management practices in the NHS and the healthcare sector at large.

Free Information Governance Briefings for the Health Sector

FreeIGBriefing

Act Now Training is pleased to announce a series of free Information Governance briefings for the health sector.

The IG landscape has changed dramatically in a relatively short space of time. Healthcare professionals are facing new challenges in the form of the General Data Protection Regulation (GDPR), the Data Protection Act 2018 and the Data Security and Protection Toolkit.

In each free briefing, we will explain what these changes mean in practical terms and dispel some of the myths associated with the new legislation. Time has been allocated for questions, discussion and networking. Participants will leave with an action plan for compliance.

These briefings are ideal for Information Governance Leads in General Practices, pharmacies, Clinical Commissioning Groups, dentists, care homes and other healthcare providers.

The speakers are Ibrahim Hasan, a solicitor and director at Act Now Training, and Craig Walker, Data Protection Officer at St Helens and Knowsley Hospitals NHS Trust. Both are well-known experts in this field with many years of experience in training and advising the health sector. Other members of the Act Now team will also be on hand to answer participants’ questions over a complimentary lunch.

Agenda

9.45am – Registration

10am – Start

  • The General Data Protection Regulation (GDPR) and the health sector
  • Data Protection Act 2018 – What does it mean for me?
  • Data Security & Protection Toolkit – Overview and summary of key changes
  • National Data Guardian (10 Data Security Standards) – What are they and why are they so important?
  • Data Protection Impact Assessments – When and Why?
  • Subject Access Requests – Looking at separating the facts from fiction – to charge or not to charge
  • Data Breach Prevention – What can we do to minimise the likelihood of breaches occurring
  • Cyber Security Basics – What to be on the lookout for
  • The role of the Data Protection Officer – Do I need one and what is their role?

12.00pm – Open Forum and Lunch

There are limited places available on each briefing so please book early to avoid disappointment.

These briefings are part of a series of courses specially designed for the health sector. This includes our GDPR workshops and the Certificate in Information Governance.

 

Act Now Launches New Certificate in IG for Health and Social Care

Act Now Certificate in Information Governance

Today ANT launched a new style of certificate course. It’s not a one day course, it’s not a practitioner certificate – it fits in between the two and is intended as a primer in all aspects of information law for the Health and Social Care sector.

The course runs for a period 3 months and uses blended learning. Students can work online and in their own time (either at home or at work) by submitting written assignments and doing online tests. There is no final exam. The course uses continuous assessment to determine the award.

There are 3 teaching days which are each followed by an online knowledge check and an assignment. Subjects covered include Data Protection (GDPR), Freedom of Information, Records Management, Cyber Security, Incident Management, Training in IG and demonstrating compliance. A detailed course structure is available on our website.

The course was developed after consultation with Blackpool Victoria Hospital and a well known NHS expert and consultant, Paul Couldrey, who will be delivering the training. Victoria Hospital have made a significant contribution to the syllabus from a user perspective.

Paul is seen as an NHS leader in Information Governance compliance.  He is the former Head of IG for NHS Central Midlands Commissioning Support Unit (CMCSU), which supports over 10 CCG and overseas health authorities to comply with legislation. He is qualified in information law at Masters level, and has spoken at numerous national conferences about information governance.  He was also the Black Country contributor to the Caldicott Review published in June 2013.

We expect demand for this course to be high. IG in the health sector places a heavy workload on IG teams. Newcomers in the sector need to be brought up to speed as quickly and effectively as possible. This course provides that opportunity and also a certificate to demonstrate competence. The first public course starts in late April with the teaching days in Manchester in May, June and July. The course can also be delivered in house.

Take a look at the new IG cert on our website.

Act Now Training runs many courses in all aspects Information Governance. With courses starting from as little as £20, we have a range to suit all requirements. From e-learning, full hour webinars, all the way up to expert level Practitioner courses that are accredited, we have something to suit your requirements. All our courses are flexible and can be delivered in house at your premises. Please get in touch for a bespoke quote.