Ensuring Good Practice & Compliance in Health & Social Care
Christopher Fincken, Former Chair (2012-2017) UK Caldicott Guardian Council
Christopher Fincken is an independent member of the UK Council of Caldicott Guardians (UKCCG) and was its Chairman from 2012 to 2017, working closely with the office of the National Data Guardian. He is currently involved in several collaborative initiatives, including working with the Information Governance Alliance, the Centre of Excellence for Information Sharing, the Home Office and the Police.
Christopher gave a basic introduction on GDPR and said:
"Evolution not revolution of our old Data Protection Act
This is a balancing act with duty of care with GDPR and common law of confidence
Fair processing/privacy notices
Must have up to date details of people
Retention period - minimum retention periods but how useful will this be in the future?
Demonstrating compliance - the role of Caldicott Guardian - is this an oversight?
Need to think about your subject access request
No one owns the data, you own the book but you don’t own the content in the book
Data protection stops at the point of death
Challenges - big issues - should we be recording unsubstantiated intelligence from 3rd parties?
Large data sets are needed for artificial intelligence"
Ensuring information flows have a sound legal basis and are compliant with the law
André Bywater, Partner, Cordery Legal Compliance
André Bywater is based in London and works as a commercial lawyer with a focus on regulatory compliance, processes and investigations. A key focus of his work at Cordery has been data protection matters, most recently assisting clients, including those in the healthcare sector, with a wide range of GDPR compliance matters. Assisting and advising on data security breaches has been a major area of work in particular, and to this end André and colleagues have developed a special tool to manage breaches called Cordery Breach Navigator. He was previously Brussels-based for many years focusing on a multitude of EU issues, during which time he also worked on EU-funded projects building the expertise and capacity of government ministries and agencies in Central and Eastern Europe and further afield.
"1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimisation
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality
You shouldn’t be keeping data for a long time, unless you have a reason and justify it.
1. Make your consent request stand out
2. Transparency and consent withdrawal
3. Active opt in
4. Granular options
5. Keep records
6. Make consent withdrawal easy
7. Review and refresh consents when things change
8. Build regular consent reviews into processes"
How to ensure demonstrable compliance with GDPR in practice
Barry Moult, Information Governance Consultant; Chair, Eastern Region Information Forum; Former Chair, Regional Strategic Information Governance Network (East of England); DPO and IG Lead, IG Consultant for NHS England
Barry is Head of IG at West Suffolk Hospital and latterly at Colchester Hospital as Head of IG and Health Records, and was recently on a secondment to the local STP looking at information sharing and GDPR for Health & Social Care. He recently ran a number of GP training workshops for NHS England in the Midlands. He is a keynote speaker at national conferences, with a down-to-earth, pragmatic approach to Data Protection/IG, and delivers training for a number of training companies in health & social care. He is now working as an IG Consultant, providing IG and Data Protection Officer support for a number of health care organisations and public authorities.
"If it's complicated, staff won't do it! GDPR has to be workable. Document, document, document!"
Barry then did an interactive exercise with delegates about what to do in different situations/companies.