Across Devon and Cornwall, a programme of digital work is underway to deliver a new system called the Devon and Cornwall Care Record (DCCR) that will transform the way we provide services to patients.
The Devon and Cornwall Care Record enables authorised health and care staff to see details held by a wide range of health and care providers across Devon, Cornwall and the Isle of Scilly in a single record – giving them a more complete view of a patient’s history. It is part of a national programme to transform information sharing across health and social care.
Each month we provide an update for everyone interested in how the programme is developing. In this month’s issues, we have featured a focus on information governance, to highlight how the programme manages and shares data safely.
Engaging health and care providers
We have continued to host webinars to provide our primary care colleagues with more information about the DCCR and let them know how they can participate. The most recent webinars were held on June 14 and June 22 with more than 40 practices attending.
There is a further webinar planned for July 12, 12pm-1pm – if you would like to attend, please email the team at email@example.com
Although the DCCR does not radically change the care process, it is vital that patients and service users understand how care providers manage their data. Therefore, public engagement is a key aspect of the programme.
With this in mind, we have produced a communications toolkit which will support organisations to inform their patients or service users about the programme.
The toolkit contains a suite of bespoke resources that convey the key points of the DCCR, including how it will improve their care and how data is kept safe and confidential. The resources include a poster, leaflet, patient email, infographic and digital graphics.
Data sharing agreement
To participate in the programme, all stakeholder organisations must sign a data sharing agreement (DSA). Once we have held conversations with organisations to get them onboard, we send them the DSA via an electronic document system called DocuSign.
To date, 78 organisations have signed up. This includes 68 General Practices, which is 38% of the total number of General Practices across Devon, Cornwall and the Isles of Scilly. You can see a list of the participating organisations on the DCCR website.
If you would like your organisation to participate in the DCCR, please contact us.
The programme team has developed a training website to support staff in the use of their data sharing platform. The site, which includes user guides and short videos, can be found at https://elearning.cornwall.nhs.uk/?p=site/m/devon-and-cornwall-care-record
Members of the DCCR communications team have attended a national workstream with other shared care record teams from across the country. This regular webinar enables programmes to share best practice with regards communication and engagement strategies.
Testing of the DCCR system is ongoing as the programme moves towards the launch of the system in the summer. A phased roll out is being planned to onboard organisations to the system.
June focus – information governance
While the benefits of information sharing in the DCCR are clear, there are understandable concerns about the potential misuse of such data and who would be responsible should it occur.
Here, Adam Horton-Tuckett, the DCCR Information Governance Consultancy Lead, addresses some of the most common concerns relating to information governance and shared care records.
If an organisation provides data to the DCCR and that data is misused by someone working elsewhere, is the organisation responsible?
While there are several aspects to consider here, the short answer – assuming the misuse is not by their member of staff – is no, the organisation is not responsible and should not suffer any punitive action.
Who is in control of the DCCR?
An organisation is a controller of the patient records that it uses to provide its services.
If the organisation agrees to share data into the shared care record, control of the data is handed to the ‘joint controllers’ who compile and make the shared care record available to other trusted partners. (Joint controllers are defined as members of the DCCR programme board.)
Partners whose staff access the system are then responsible for their employees’ use of the shared care record.
How does the DCCR reduce the risk of data misuse?
A number of controls are in place to help prevent misuse:
- Limiting which records a user can see (in context launch).
For example, a patient is selected in the organisation’s Electronic Patient Record and the user then accesses the DCCR for that patient. They are not able to search the DCCR for the patient as they only need to see records for patients that their organisation is responsible for.
- Limiting the detail users can see.
A role-based access control system will be in place that limits the amount of detail a user can see on a record they can access.
- Audit trails.
Every time a shared record is accessed, it is recorded in an audit trail.
- Common baseline of data protection and security.
All partners signing up to use the DCCR will be expected to achieve a common baseline of assessed security controls. This includes requirements on staff training and employment contract terms.
What happens after an allegation of data misuse?
If an allegation of data misuse is made, it would be investigated thoroughly. Any organisation receiving such an allegation (whether it concerns their staff or other users) would have DCCR Information Governance support. As a regulator, the ICO can act against a controller or controllers and action can range from guidance to large fines. The ICO can only act against a controller deemed to be at fault. If someone else misuses data, the ICO would act against that organisation or employee.
However, it’s worth noting – from the experience of the many shared care records that are already running across the country – that these events are rare and generally specific to the circumstance.
- The joint controllers would likely be responsible for any systemic failure of controls in the system.
- If there is a procedural failure by a partner (e.g., allocating the wrong role or other access control procedure), the partner would likely be responsible.
- If appropriate system controls are in place but a member of staff breaches the terms of their employment contract by misusing data, it is likely that member of staff would be responsible.
- If a patient still considered their organisation to be at fault in any of these instances, the organisation has a defence under Article 82, section 3 of the GDPR (related to compensation and liability) where they can show the organisation was not responsible.
Adam will be available to answer your information governance queries at the next primary care webinar on July 12, 12pm to 1pm. Get in touch if you would like to attend.
Spread the word and get in touch
Please forward this email to any colleagues who might be interested in knowing more about the Devon and Cornwall Care Record. And if you have any questions about the programme or would like to find out more, please email the team at firstname.lastname@example.org