Simon,
Thanks for the comments. They are very helpful. I would need to develop the final point. I have seen the IG toolkit and I am impressed. However, as LG it is hard to get lots of staff on it because of the concerns from NHS about supporting so many staff who are not NHS.
I have something developed but I am finding people have treated it as a tickbox exercise rather than using it to learn from it.
We have moved onto something call DP health checks which are like a diagnostic tool. I think of it as a series of questions you would ask before you called the doctor. Do you have a fever, have you taken paracetamol, has it gone down? The idea is to get the teams doing the checks to ask the questions. When did you last have training, if you are answering 18months ago, it may be time to revisit the training sessions.
Do you know how to deal with a s.29(3) request? There is a link to all of the questions so they can see what that means if they do not know. However, even clicking the link gets them to think about it.
If you are interested, I will send you a copy.
I will have to see how it goes. Thanks for the comments. The list seems very quiet recently.
Best,
Lawrence
Principal Information Management Officer
Durham County Council
Room 4/140
County Hall
County Durham
DH1 5UF
03000 268038
From: Simon Howarth [mailto:[log in to unmask]]
Sent: 30 May 2013 09:19
To: Lawrence Serewicz; [log in to unmask]
Subject: RE: [data-protection] Caldicott II and training for DPA (what are your plans to deal with the culture of anxiety?)
* First, what do you do to encourage the conversations needed to reduce uncertainty over data protection data sharing?
I speak from work done within the NHS - Local IG is constantly attempting to improve training and education and put in place a culture of openness balanced with the need to maintain confidentiality. Whilst there is a lot to be desired and more consistency is required, the overall direction of travel is to better data sharing. The Caldicott 2 report ironically, when coupled with the new Health and Social Care Act 2012, creates more confusion, although many of its points are valid.
* Second, would you say your training packages tend to be on the tick box variety or offer a worked example to develop judgement variety? (No need to answer on the list, mainly a thought question)
Google "IG Training Tool" to see the public screens of the IG Training tool as used by the NHS. It's by no means perfect and improvements could indeed be made and online only training will never provide the depth of knowledge that some staff require, but it is generally pretty good and is a tick box exercise much in the way that any training is.
* Third, do you think, in light of this review, that the ICO may begin looking at how organisations train staff on data protection?**
I hope so.
* Fourth, what do you do to encourage your organisation's culture to move from risk averse to trusting?
This is not quite the right question. If a culture is "risk averse" then it needs to move to a balanced risk environment, not "trusting". Trusting implies the other end from risk averse and can be as damaging as being risk averse. As with most things the key is the middle ground. This needs to be driven from the top down with key management involved, educated and "selling" the culture to the organisation. Information Risk Policy and procedure, an educated/trained workforce who can make informed decisions and who know where to go for further advice.
Simon Howarth MSc. MBCS CITP
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Lawrence Serewicz
Sent: 28 May 2013 10:58
To: [log in to unmask]<mailto:[log in to unmask]>
Subject: [data-protection] Caldicott II and training for DPA (what are your plans to deal with the culture of anxiety?)
Dear All,
I was reading the Information Governance Review<https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/192572/2900774_InfoGovernance_accv2.pdf> (Caldicott II) and I came across the following regarding training and data protection.
Across the health and social care system, most staff are required to undertake annual training in information governance. The commitment to training is important and the associated training budget is a welcome enabler. However, the Review Panel discovered that the mandatory training is often a 'tick-box exercise'. One nurse told us the experience was equivalent to an annual 'sheep dip', which staff could go through without thinking.
There needs to be a fundamental cultural shift in the approach to learning about information governance. Health and social care professionals should be educated and not simply trained in effective policies and processes for sharing of information. P.16
I was wondering what others are doing to deal with this issue. I have reviewed a fair number of training packages over the years and many, but certainly not all, can appear to be tick box exercises. They offer a list of the principles and may have a quiz, but rarely do they require the person to think through what is required. In some of the better ones, there are worked examples or questions that need to be worked through to understand what needs to be done.
The report also discusses how there is a culture of anxiety around data sharing and handling of personal data.
When it comes to sharing information, a culture of anxiety permeates many health and social care organisations from the boardroom to front line staff. The Review Panel found the anxiety results from instructions issued by managers in an attempt to protect their organisations from fines for breaching data protection laws. This leads to a 'risk-averse' approach to information sharing, which prevents professional staff at the front line co-operating as they would like.
This anxiety must be changed to trust, in order to facilitate sharing on the front line. (P.35)
I think the point captures the challenge we face as practitioners. People usually have anxiety over sharing because of uncertainty. If the organisational culture encourages the uncertainty, which creates the anxiety, how do we address it? If staff have uncertainty, then their line manager (and by extension their senior management) has a responsibility to help reduce that uncertainty. One way to provide clarity is to help them train their judgement. How do you work in your organisation to reduce uncertainty and help people in the use of judgement? How do we help managers have the conversations necessary to reduce the anxiety and move beyond the tick box exercise?
Some of you may have seen the Local Government Lawyer article on the Information Governance Review (Caldicott 2: To share or not to share?)<http://www.localgovernmentlawyer.co.uk/index.php?option=com_content&view=article&id=14062%3Acaldicott-2-to-share-or-not-to-share&catid=59&Itemid=27> Their conclusion raises a similar point because the answers are not always clear cut.
Conclusion
One of the key themes of the report is the culture of anxiety that surrounds the sharing of patient confidential data. This culture is not surprising given the complexity and opaqueness of the legal issues that those on the ground need to navigate. Getting to grips with the law of confidentiality, the Data Protection Act and human rights considerations under Article 8, is not easy. In many cases there is no clear-cut answer to the question "To share or not to share?" and it is a case of balancing different interests against one another to arrive at a practical conclusion.
If training does not include the conversations and it is treated as a tick box, it will fail. If it is treated as a chance to have a conversation with staff about their DPA awareness, it will raise awareness and educate staff about what is to be done, it will have a better chance at success.
I would be interested in your response to the following questions.
* First, what do you do to encourage the conversations needed to reduce uncertainty over data protection data sharing?
* Second, would you say your training packages tend to be on the tick box variety or offer a worked example to develop judgement variety? (No need to answer on the list, mainly a thought question)
* Third, do you think, in light of this review, that the ICO may begin looking at how organisations train staff on data protection?**
* Fourth, what do you do to encourage your organisation's culture to move from risk averse to trusting?
Best,
Lawrence
**I am aware that they will ask about training and reliability of staff (per Principle 7), but do you think there will be a more overt push on training and asking what an organisation does in terms of its training i.e. showing concern that training is a "sheep dip" in light of the Review?
________________________________
Help protect our environment by only printing this email if absolutely necessary. The information it contains and any files transmitted with it are confidential and are only intended for the person or organisation to whom it is addressed. It may be unlawful for you to use, share or copy the information, if you are not authorised to do so. If you receive this email by mistake, please inform the person who sent it at the above address and then delete the email from your system. Durham County Council takes reasonable precautions to ensure that its emails are virus free. However, we do not accept responsibility for any losses incurred as a result of viruses we might transmit and recommend that you should use your own virus checking procedures.
________________________________
All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html
Selected commands (the command has been filled in below in the body of the email if you are receiving emails in HTML format):
* Leaving this list: send leave data-protection to [log in to unmask]<mailto:[log in to unmask]&BODY=LEAVE%20data-protection>
* Suspending emails from all JISCMail lists: send SET * NOMAIL to [log in to unmask]<mailto:[log in to unmask]&BODY=SET%20*%20NOMAIL>
* To receive emails from this list in text format: send SET data-protection NOHTML to [log in to unmask]<mailto:[log in to unmask]&BODY=SET%20data-protection%20NOHTML>
* To receive emails from this list in HTML format: send SET data-protection HTML to [log in to unmask]<mailto:[log in to unmask]&BODY=SET%20data-protection%20HTML>
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the body of an otherwise blank email to [log in to unmask]<mailto:[log in to unmask]>
Any queries about sending or receiving messages please send to the list owner [log in to unmask]<mailto:[log in to unmask]>
(Please send all commands to [log in to unmask]<mailto:[log in to unmask]> not the list or the moderators, and all requests for technical help to [log in to unmask]<mailto:[log in to unmask]>, the general office helpline)
________________________________
________________________________
Help protect our environment by only printing this email if absolutely necessary. The information it contains and any files transmitted with it are confidential and are only intended for the person or organisation to whom it is addressed. It may be unlawful for you to use, share or copy the information, if you are not authorised to do so. If you receive this email by mistake, please inform the person who sent it at the above address and then delete the email from your system. Durham County Council takes reasonable precautions to ensure that its emails are virus free. However, we do not accept responsibility for any losses incurred as a result of viruses we might transmit and recommend that you should use your own virus checking procedures.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
