You are here: Home Services & Applications Summary Care Record (SCR) SCR information for NHS Staff Implementing Summary Care Records Information governance Information Governance Guidance for Privacy Officers and Caldicott Guardians
 

Information Governance Guidance for Privacy Officers and Caldicott Guardians

In addition to understanding the basic information on SCR and IG, Privacy Officers and Caldicott Guardians will need to understand:

Audits and alerts


Every organisation that has access to SCRs must have a nominated person that is responsible for monitoring the SCR viewing activity of their users. This person is known as the Privacy Officer and will be given the access rights on their Smartcard to perform the activities necessary to manage alerts and audit SCR viewing activity. Alerts are generated by end users when they override one of the information governance controls that are in place. Therefore, activities that will trigger an alert include:

  • When a clinician self claims a  legitimate relationship  - Create LR (Self Claimed) Alert 
  • Emergency access of SCR (i.e. without gaining permission e.g. patient unconscious or confused) – Dissent Override Alerts( for integrated systems) and SCR Dissent Override Alerts (for SCR Application or SCRa).


In order to receive notifications when alerts are generated in the organisation, the Privacy Officer will register themselves on the Spine using the Spine User Directory (SUD). Instructions on how to do this can be found in the document 'How to register for alert notifications on the Spine User Directory' (PDF, 44.4kB).


These alert notifications should prompt the Privacy Officer to review the alert and establish if the access was justified or if it was potentially inappropriate. There is no patient or user identifiable information contained within the notifications, just an alert reference that can be used to search for that specific alert for further information.


Details on individual alerts can be found by accessing the Alert Viewer (via the Spine Portal). This tool allows alerts to be managed for individual organisations and information documented relating to specific alerts e.g. outcomes of investigations. The e-mail notifications can be switched off via the SUD if the Privacy Officer prefers to run regular reports of their organisation's alerts instead. These reports are available in the Alert Viewer and can also be used to report on your organisation’s alerts status to your Caldicott Guardian if required. In organisations where high levels of alerts are expected, the reports may be more practical to avoid multiple notifications, whereas organisations expecting infrequent alerts may prefer to use the notifications to highlight when alerts are generated.


The Alert Viewer is available to Privacy Officers and Caldicott Guardians who have the necessary Role Based Access Controls (RBAC) on their Smartcards and have received the appropriate training.

The 5 animated clips below can be used as quick user guides on how to use the Alert Viewer:

Logging on and navigation

Searching for an alert

Updating an alert insert

Updating multiple alerts

Running an alert extract

For more information on how to access and use the Alert Viewer, please read the full Alert Viewer User Guide (PDF, 1.8MB).

Notes:

  1. If your organisation is using the Summary Care Record Application (SCRa), there is a known defect on the system whereby two alerts are generated for every Emergency Access (SCR Dissent Override Alerts). Therefore, Privacy Officers only need to consider one of these as part of their investigations and both can be closed at the same time on the Alert Viewer once validated. Work is underway to rectify this issue.
  2. Patient Seal Access Alerts are not in use and therefore, none should be generated.
  3. Stop Noted Record Access Alerts have been suppressed and are no longer valid. If an organisation has these types of alerts live in the Alert Viewer, they can be closed and no more will be generated.

    Back to the top

How to investigate an alert 

On receipt of an e-mail notification, or when the organisation's regular reports from the Alert Viewer are completed, the alert details must be checked and validated to ensure that the SCR accesses are appropriate.

For self claimed LR alerts, the Privacy Officer must confirm that the patient had requested treatment from their organisation and that the healthcare staff member therefore had a valid reason to look at their SCR as part of their treatment. This 'reconciliation' of the alert can be done against a Patient Administration System (PAS) or other record of patient attendence.

This Alerts Reconciliation Spreadsheet (XLS, 7.7MB) is an example of how the reconciliation process might work. Instructions can be found on the first sheet in the workbook. It relies on the input of an alert report from the Alert Viewer, as well as a report for the same time period from the local PAS to match NHS numbers and identify any alerts where the SCR has been viewed but the patient cannot be found on the PAS. These anomalies will need further investigation. (N.B. If the NHS number is not known on the PAS, then a match will not be found and the reconciliation must be done manually or using an alternative method). This is not the only way to reconcile self claimed LR alerts and, as long as the alerts are dealt with appropriately, the method can locally decided.

For Emergency Access alerts, the Privacy Officer should review the pattern of alerts at regular intervals to spot anomalies. For example, if a doctor in an acute assessment unit in a hospital was generating three times more Emergency Access alerts than other doctors, this might raise a query with the Privacy Officer to ask further questions. It may be that the doctor is simply using the SCR more than other colleagues and all accesses were appropriate. In this case, the Privacy Officer would make a note in the alerts as an audit trail. If any alerts raise questions on the authenticity of the access, they should be referred back to the user for further explanation or their line manager for investigation.

NHS organisations may wish to arrange regular reports on Emergency Access alerts (or self claimed LR alerts if necessary) to be delivered to the clinical leads of departments that are viewing SCRs, in order for them to track viewing and verify accesses. This process is a local decision and should be undertaken between the Privacy Officer and the clinical team in the organisation.

If there are anomalies from either of the alert processes above and an SCR access is thought to be inappropriate, the case should be escalated through the appropriate channels within the organisation for investigation in case there has been a confidentiality breach. The outcome of this investigation may lead to disciplinary procedures if the access was unauthorised but, in most cases, the alert can be closed on proof of a valid legitimate relationship or reason for Emergency Access. This process should already be in existence in all organisations to support the local confidentiality clauses in employment contracts and wider professional codes of conduct to professional bodies such as the Royal College of Nursing or Emergency Medicine.

Back to top

Auditing SCR Viewing Activity

 As well as being able to monitor and track alerts generated by SCR viewing, it is also possible to produce audit reports on more general SCR viewing activity to support current audit procedures within an organisation and also to support the commitments of the NHS Care Record Guarantee (PDF, 129 Kb).

The twelfth commitment of the Care Record Guarantee states:

"If you believe your information is being viewed inappropriately we will investigate and report our findings to you. If we find that someone has deliberately accessed records about you without permission or good reason, we will tell you and take action. This can include disciplinary action, which could include ending a contract, firing an employee or bringing criminal charges."

In addition to these commitments, a patient may request information about who has accessed their SCR as part of a wider Subject Access Request (SAR). These requests are usually submitted to the Caldicott Guardian or IG Manager of an organisation whose records the patient wishes to query. Subject Access Requests, as defined by the Data Protection Act 1988, allow patients to request a copy of all information that is held about them. However, patients may combine these requests and ask an organisation on what they hold and who has accessed their records.  Organisations should respond only to the specific questions they have been asked. SCR audit reports are not an automatic component of SARs.

As each NHS organisation already has procedures in place to deal with SARs, it is their responsibility, as part of SCR viewing implementation, to update their processes and policies to include SCR auditing when requested by the patient.

Back to the top

Auditing SCR Viewing Activity - Processes for SCR Viewing Organisations

In order to fulfil these patient requests, there is a central and local facility to run reports on SCR viewing activity using either:

  1. The Enhanced Reporting Service (ERS) – this provides an audit trail for organisations using the SCR Application.
  2. Audit report functions of systems that have integrated SCR viewing capability e.g. Adastra, Ascribe Symphony, TPP SystmOne.

The following reports are available in ERS for Privacy Officers and are named Subject Access Reports in the system. The same reports are available in integrated systems but may be titled differently.

Users who have accessed a Specific Patient’s Record: this report shows key details about users that have accessed a specific patient’s record by using an NHS Number on which to base the search. This report will be particularly useful to fulfil commitment 12 of the Care Record Guarantee as noted above, where a patient wants to know who has accessed their record.

Patient Records Accessed by a Specific User: this report shows key details of a specific user's activity, including demographic tracing and viewing of clinical information. This includes the patient identifiers (NHS Number) of the records the user has accessed and dates/times. This is useful in a scenario where there are suspicions of inappropriate accesses by a user. For example, if a patient complaint had been raised that was found to be valid; the organisation may wish to further investigate the user's SCR viewing history to ensure there are no more anomalies. The organisation's privacy officer can check what records that user has accessed and confirm if any further investigation is required using this report.

Patient requests must be addressed appropriately and within a reasonable timeframe. Once a request has been received, the NHS organisation is responsible for verifying the identity of the patient before they are able to proceed with the query. This can be done by requesting one of the following documents listed below. The document should be returned once the request is completed.

  • Photocopy of passport  
  • Original copy of electricity bill
  • Original copy of gas bill
  • Original copy council tax bill
  • Original copy of any other bill in your full name

N.B Bills should not be more than six months old.

When validating a patient’s identity, an NHS organisation should establish why the patient believes their information has been accessed inappropriately, by who and in what time period. In this way, the correct information can be found to respond to the request.

As the reports contain information on individual NHS staff, in order to protect their rights and privacy (as per the Data Protection Act) the request should be as precise as possible to enable the NHS to answer the patient’s exact query rather than supplying a blanket report. If the patient does request a report on all staff who have accessed their SCR however, the NHS organisation should consider carefully how to respond in order to satisfy the patient as well as protect the NHS staff information within any reports. The best option is to provide the patient with a report of all the organisations that have accessed their SCR and then take the query from there to establish if their record has been accessed inappropriately.

Once the patient’s identity has been validated and the details of the request understood, the NHS organisation can put in a request to get a report for the patient via the SCR IG Mailbox (scrig@nhs.net), stating that the identity has been validated and how, plus the timescales of the query and what the patient is looking for.

A report will be returned detailing who has accessed the patient’s record in the time period specified with a breakdown of all the activities (e.g. demographics viewed, SCR viewed, GP details viewed).

Where the national application has been used (SCR Application), information on individual users will be available.

Where accesses have been made via an integrated solution (e.g. Adastra, Ascribe Symphony, TPP SystmOne etc), only the organisations’ name will be available. In order to obtain individual staff names that have accessed the SCR in these organisations, the patient must contact them directly, as this information can only be accessed from within that system, by the specific organisation.  

The process below details the steps involved in processing a patient request:

patient requests process

 

 

Back to top

The Data Protection Act (DPA) 1988

This Act regulates the processing of personal data, held manually and on computer. It applies to personal information generally and not just health records.  Personal data relates to a living individual that enables that person to be identified either from that data alone or from that data in conjunction with other information in the data controller's possession including demographic and clinical information.

Each trust should have its own policies and procedures on complying with the DPA and responding to complaints which are normally the responsibility of the Caldicott Guardian and the Information Governance department.

Who is the Data Controller?

The Data Controller for Summary Care Records is the Secretary of State for Health, as part of the Department of Health. GPs are the data controllers of their detailed care records (from which SCRs are created) but once the SCR has been uploaded to the Spine, the Data Controller becomes the Secretary of State for Health.

Compliance with the Data Protection Act 1998

The Information Commissioner’s Office has confirmed that proposals for the roll out of the Summary Care Record comply with the Data Protection Act 1998 (DPA). The creation of a Summary Care Record is clearly a medical purpose as defined in the Data Protection Act, Section 68(2) and, as long as patients are informed about the proposals, there is no requirement in law for explicit consent to be obtained for their creation.

There are eight principles in the Data Protection Act from which the Summary Care Record information governance model was created. These principles are detailed in the compliance with the Data Protection Act 1998 section of the SCR website, with specific references to how the SCR meets the DPA.

Back to top

Role Based Access Controls (RBAC) for Privacy Officers

The RBAC role for Privacy Officers is R0001 and contains the following activities:

B0016 - Receive Self Claimed LR Alerts
B0015 - Receive Emergency View Alerts

The R0001 role also includes access to both the Alert Viewer, in order to manage alerts, and the Enhanced Reporting Tool (ERS), to allow auditing of SCR viewing activity.  

Back to the top