The Department of Health has issued guidance for organisations working in shared records environments saying they are data controllers “in common."
It recommends that each shared record community create an information governance steering group to establish “effective (information governance) arrangements for the shared record.”
This group should be chaired by a Caldicott Guardian and make sure that each organisation complies with minimum IG standards, as weak or ineffective IG controls in one organisation “present a risk to the whole shared record community.”
The Information Governance Toolkit website says that in some areas a shared record environment has been created where data is held, but where there is no single data controller, for example areas using TPP systems.
In these areas, each NHS organisation contributes some or all of its records to the shared environment, but does not relinquish any control over its contributions.
“By recording patient information to the shared environment information an organisation is, in effect, disclosing information to other organisations operating within the shared environment,” the guidance says.
“Provided they are involved in a patient’s care, these other organisations may view and copy this data and use it for their own purposes.
“There is no single data controller responsible for the shared environment - participating organisations are therefore data controllers in common for the information within the shared environment.”
The guidance says organisations need to ensure that all data protection requirements are being satisfied.
It proposes that local health communities establish an information governance steering group and create framework agreements describing the governance arrangements for the shared record environment.
These groups should include representatives from each of the organisations party to the shared record, and should be chaired by a Caldicott Guardian.
The ITK checklist includes questions about whether patients are fully informed about the shared record environment and understand the circumstances in which staff working in another organisation might access their medical record.
It adds that organisations need to have written contracts with their system suppliers to say that they may not extend access to the shared record to new organisations without prior approval.
© 2012 EHealth Media.
EHealthInsider: Latest news on EHI Surrey builds Rio interface for EDT Hub - A Surrey community provider has built an interface ou... http://t.co/Gs2HJRNyum
7 hours 29 minutes
ago
EHealthInsider: Who can resist free merch? RT @EHICCIOCampaign: Only 9 more follows to go to get this artistic #ccio bag of greatness http://t.co/W1QjvK91tJ
17 hours 1 minute
ago
EHealthInsider: RT @EHIAwards: Vote for YOUR Healthcare IT Champion of the Year now http://t.co/WKWj9tlJJS #ehiawards #healthcare
17 hours 11 minutes
ago
EHealthInsider: Latest EHI Insight Push me, pull you - Justin Graham does not claim to be an expert on healthcare IT and informati... http://t.co/zdwERK5RWk
18 hours 11 minutes
ago
EHealthInsider: Latest news on EHI All trusts to get some of £260m fund - All acute trusts are expected to get some money from ... http://t.co/W90xAxW0OX
19 hours 28 minutes
ago
