Information Governance and Assurance
The delivery of digitally enabled solutions, whether initiated directly in response to COVID-19, an expansion of provision, or an entirely new initiative, has been facilitated by underpinning activities around information governance.
The work has been made possible in a context of being able to work remotely and in a truly collaborative manner with our partners.
In addition to providing essential practical solutions, efforts have focused on establishing a more strategic approach to data that can be implemented across Scotland. Key steps undertaken to support and facilitate the scale of our digital health and care response to COVID-19 are outlined in this section.
Contributions to the COVID-19 response
- From March 2020 onwards, regularly updated guidance was provided via the COVID-19 Information Governance Advice website.
- This resource became a key reference point for staff working to deliver services, including:
  - COVID-19 Privacy Statements and Privacy Notice updates.
  - Guidance on text messaging.
  - Guidance on using email and video consultation.
  - Information Sharing Accord.
  - Records Management Code of Practice.
- In March 2020, a simplified tool, the COVID-19 Rapid Data Protection Assessment form, and associated guidance were circulated.
- A (short life) National Health and Care Information Governance (IG) contact centre was put in place to respond to IG issues arising.
- Rapid IG Assessments and Data Protection Impact Assessments were devised and carried out to support developments.
Whilst data sharing agreements had been established between organisations, there was no common agreement or associated Data Protection Impact Assessment (DPIA).
Senior management from across the Scottish Government, Local Government and Health worked together to enable the 'joining up' of data across sectors through two key activities.
- Establishing the Data & Intelligence Network, supporting the implementation of data linkages across sectors.
- Strengthening of cyber security and network monitoring. A regular Cyber Resilience Notice was produced for business organisations, public sector organisations, charities and the general public, raising awareness of measures to be safer and more resilient online.
Supporting New Facilities and Initiatives
By collaborating with multiple partners, a 'privacy by design and by default' approach has been deployed across all stages of the COVID-19 response, including:
- The COVID-19 Hubs, Testing and Assessment Centres.
- The NHS Louisa Jordan Hospital.
- Supporting vulnerable groups who were shielding.
- Advance Care Planning for end of life.
- Supporting the delivery of the 'Connecting Scotland' initiative to reduce digital exclusion.
- Developing our Test, Trace and Isolate and the Protect Scotland app solutions.
- Vaccination systems.
Supporting the Workforce
Information Governance principles and approaches have underpinned initiatives to support the workforce including:
- A self-reporting service.
- Remote working.
- The recruitment portal.
- Supporting staff wellbeing and learning resources for COVID-19.
At the outset of the COVID-19 response the roll-out of Microsoft Teams and wider support for remote working was accelerated as part of the O365 Programme that was already underway. By the end of March 2020, the majority of the 160,000 NHS Scotland workforce was able to access Microsoft Teams and work remotely.
The accelerated roll-out has had a major impact across NHS Scotland and the wider Public Sector. Completion of the NHS mail migration at pace was a major achievement.
A new Enterprise License Agreement is in place for the next four years.
The benefits of using MS Teams to support teams to connect and continue working remotely include:
- Using MS Teams supported dispersed teams to connect remotely and provided a single platform for all members of the team (and invited guests) to connect.
- Access to collaboration tools to facilitate programme continuity and development, including voice and video calling.
- Access to shared folders to host and share up to date project materials.
- Immediacy – access to colleagues' online status and availability.
- The removal of interoperability/multiple platform challenges.
- The ability to record updates and necessary content to provide access on demand.
In addition to the national programme of work to support remote working and project-specific calls, within the Directorate, a weekly 'all team call' was initiated using MS Teams. This relatively small step has provided a forum for discussion, allowed for spotlight presentations on new work, increased understanding of the breadth of the work underway and strengthened relationships across the team.
Ethical Processing of Data
The combination of rapid tools and processes allowed a focus on core ethical and compliance requirements, speeding up data sharing and the processing of data considerably while ensuring data controllers can rapidly assess data protection and privacy risks and assure that due diligence has taken place.
As noted above, COVID-19-specific guidance has been issued with support from the Information Commissioner's Office and all regulators, making it clear that it could be more harmful not to share information (with the agreed governance) than to share it.
Other significant steps taken to support the overarching information governance and assurance work and associated ethical processing of data include:
- Revised guidance to determine data controllership roles in complex health and care settings.
- Revised template for DPIAs, particularly advisable when wide publication is intended rather than for internal experts' use.
- A Toolkit to determine DPIA and Privacy Notice compliance.
- A Toolkit for automated decision making.
- Enhanced guidance on data protection risk assessments and management.
- A tool to reflect and record digital ethics considerations on digital and data measures taken during COVID-19. The tool is available online.
- An ethics framework.
- Revised criteria for Information Asset Owners (IAOs) of NHS national information assets (systems and data).
- A new CHI Management Board with a governance structure, which incorporates lessons learned from the management requirements of national information systems during COVID-19, is now in place.