2. Agenda
• Background and Overview
• Summary of Report Findings
– Maturity Ranking
– The Good (Things to be commended)
– The Bad (Issues causing concern)
– The Ugly (Serious Compliance issues/risks)
• Recommendations
4. Context
• Data Protection Compliance = Risk
– Risk to Trust
– Risk to Revenue
– Risk to Brand
• Data Quality Issues = Cost + Risk
– Risk of wrong treatment
– Risk of underutilised resources
– Cost of checking and rechecking data
5. The Methodology
Face to Face Qualitative Interviews
Observations made while on-site
Research & Review of Best Practice
7. Summary of Findings
Some good things found.
12 areas of concern/weakness
6 critical risks to Compliance found
8. Maturity Assessment
Maturity ladder (figure), from lowest to highest level:
• Initial – Ad hoc Management; No formal processes (current Data Protection Maturity)
• Basic – Some interactions/processes formalised; Basic IT Services being delivered
• Intermediate – Interactions formalised for critical processes; Transparent Investment Decisions (Data Protection Target)
• Advanced – Practices and outcomes well above industry average; Information Value quantified and communicated
• Optimising – State of the Art Practices & Outcomes; Value Centric Management
Based on IVI IT-CMF framework
10. Critical Risks
(Image: Patient file: Mr Smith)
• Patient data being transferred by email without encryption/security
• Email forwarding to external services a concern
15. Compliance Issues
No Formal Governance framework for Data Classification/Categorisation of Information
Policies/Procedures/Process
• Absent or poorly defined
• May not reflect DP Obligations
16. Compliance Issues
No training in Data Protection
No consistency in formal training in systems – a lot of ‘informal’ learning
The absence of “role based” access to personal data in systems is a concern
17. Compliance Issues
No verifiable evidence of good behaviours being followed
No formal or consistent “Leavers/Movers” process to restrict access to records
CCTV Signage does not meet DPA requirements
19. 12 Step Plan
Governance & Policy Issues
Training and Awareness
Technical & Technology Issues
20. Governance Issues
Formalise Data Controller/Data Processor Relationships
Implement formal Information Governance
Define appropriate Policies, Procedures & Metrics
Review appropriateness of email forwarding.
Define Leaver/Movers process to encompass all systems and manual data
Define clear policy (Clean Desk Policies)
Conduct Audit of Manual Data Storage/Disposal
Review existing Disclosure policies to ensure DPA requirements met.
21. Technology Issues
Implement Role based access to electronic data (where possible)
Implement Segregation between “Data In” and “Data Out”
Inspect Data Redundancy (e.g. Spreadsheets)
Assess need and secure
Review existing Disclosure policies to ensure DPA requirements met.
22. Training & Awareness Issues
Implement Training on DP/DQ to key target audiences
Coupled with the roll out and implementation of Training, we would recommend that supporting activities be developed to help make culture change stick e.g.:
• “Story” development to lock in the learning
• Internal Communication plans
• Continuous Improvement
24. Governance Model 1
(Org chart, figure) Information Governance Steering Group; elements shown: Chair, CEO, External Expert (Advisory), Consultants (DPO), HR, IT, Bus Apps, Patient Svcs, JCI, Nursing, Radiology, Finance
25. Governance Model 2
(Org chart, figure) Information Governance Steering Group; elements shown: Chair, CEO, External Expert, Consultants (DPO), HR, IT, Bus Apps, Patient Svcs, JCI, Nursing, Radiology, Finance
26. Governance Model 3
(Org chart, figure) Information Governance Steering Group; elements shown: CEO, External Expert, Consultants (DPO), HR, IT, Bus Apps, Patient Svcs, JCI, Nursing, Radiology, Finance
Effective Model for Project Management
Least Preferred Option for on-going Governance
27. Evolving from Excellent Project to Effective Governance
(Figure: progression from Project to Governance)
Governance Model 1 – Project Execution
Governance Model 2 – Transition & Bed-in
Governance Model 3 – Operational & Effective
28. Summary
1. Ensure all staff know WHAT needs to be done
– (Policies, Procedures & Training)
2. Ensure all staff know WHY it needs to be done
– (Culture change, align with values)
3. Ensure all staff know HOW it needs to be done
– (Governance, Policies, Training)
4. Ensure all staff know WHO is doing it
– (Governance, Policies, Contractual issues)
5. Ensure the Clinic can demonstrate THAT IT HAS been done
– (Metrics, Governance, Reporting)
29. In conclusion....
“Best efforts are essential. Unfortunately, best efforts, people charging this way and that way without the guidance of principles, can do a lot of damage. Think of the chaos that would come if everyone did his best, not knowing what to do.”
W. Edwards Deming, Out of the Crisis
Editor's Notes
One point to make here is that by reaching the DP target, SSC would likely be considered “Advanced” in the Healthcare context because of the generally poor standards that exist in the Irish Healthcare sector. The improved governance of Information will contribute to improvements in data quality as a by-product of care and attention.
This is akin to not having a fire drill and not having a hygiene policy. A process must be defined that ensures the organisation not only can tick the box of having a policy but can effectively execute the process and procedures should an incident happen. You do not wait for a fire before figuring out how to evacuate the building and who is responsible for doing what.
Policies, Procedures, Metrics and Evidence are very important and will align with objectives under other Quality Assurance criteria.