Information for Caldicott Guardians and data protection officers
PatientView is an initiative of the Renal Information Exchange Group (RIXG), a group representing Renal professional and patient associations interested in healthcare information. In 2004 RIXG secured funding from the Departments of Health of England, Scotland and Wales to trial a service for renal patients and their GPs to access their electronic patient records, with linked explanatory information. This funding was linked to the implementation of an action relating to care planning in the Renal National Service Framework Information Strategy published in 2004. Following the success of the pilot project in 4 units (Leeds, Birmingham Heartlands, Glasgow Royal and Cardiff), in mid 2005 it was decided to extend the project more widely, and it is now offered by the majority of UK Renal Units and an increasing number of other specialties.
In 2009 formal governance responsibilities were transferred from RIXG to the UK Renal Association, www.renal.org. From 2013 reporting for the UK Renal Registry, the Rare Renal Diseases Registry and PV has been through the Renal Association’s Information Governance Board, which endorses IG policies.
How the Caldicott Guardian requirements are met
PatientView introduces a new information flow that contains patient identifiable information: from the local clinical information system to the website www.patientview.org so that patients can access relevant and appropriate elements of their patient record.
Here we outline how this new information flow will be kept both confidential and secure.
We consider that these protocols are in keeping with national guidance, policy and law. Integral to our approach is the explicit informed consent of the patients involved. The patient briefing and request form can be downloaded here.
How the data protection requirements are met
Following are statements of how the PatientView service meets the requirements of the Data Protection Act.
| Data Protection principle | How PatientView meets it |
|---|---|
| Fairly and lawfully processed | Subjects will request the service in the manner agreed. |
| Processed for limited purposes | The purposes are clearly defined in the sign-up process. |
| Adequate, relevant and not excessive | Only a selected, relevant dataset will be downloaded from the comprehensive clinical database kept in the renal unit. |
| Accurate | Data is derived from the existing clinical information system, which has ongoing policies for data quality assurance. Patients are able to report errors back to the originating unit. |
| Kept no longer than necessary | The longitudinal patient record will be held on the website accessed by the patient for their use only. If the patient no longer wishes to use the PatientView service, their patient record will be deleted from the website. |
| Processed in accordance with the data subjects' rights | Subjects will make an explicit request, as agreed with the Caldicott Guardian. The purpose for processing is for the patient to have access to their record. |
| Secure | Security features are described below. |
| Not transferred to countries without adequate protection | Registered users may view the selected data which they have permission to see from anywhere with internet access. Otherwise data will not be exported without additional consent from patients. |
Justification and configuration
A necessary feature of the Service is that patients are able to access their records outside of hospital or other NHS sites. Consequently, the solution when implemented involves sending extracts of information from the patient records of enrolled patients, on at least a daily basis, from a clinical information system resident in the Hospital Trust or another official data store. This data is then processed and made available through www.patientview.org.
The security precautions we have taken we believe are consistent with current policy. We originally consulted with the Security team at the NHSIA and with representatives of national authorities in Scotland and Wales. Since then we have taken note of further developments in data security standards in the NHS and more widely, and continue to keep this under regular review. The security features implemented in the solution are detailed below.
The key features are:
- Only consented and registered users have access. Access for individual patients is restricted to their own data
- Data security policy is designed to ISO/IEC 27001/27002 (BS7799) standards
- The website data and applications are in a secure physical location with limited access
- All data transferred across networks is encrypted using a minimum of 256-bit encryption
- Security risks are analysed and reviewed regularly, and any appropriate additional measures identified and implemented
- Security will be monitored and audited
The server is securely hosted by AIMES (www.aimes.uk), an ISO 27001 certified data centre specialising in the hosting of systems for the NHS. ISO 27001 facilities mean that data is extremely secure, and the n+1 resilience of the facilities provides the highest levels of up-time and ensures continuity. AIMES meets the NHS criteria for information security and governance. PatientView has multiple physical servers – one securely connected to the NHS N3 network, and a second, patient-facing one hosting the PatientView website itself, with a secure connection to the Internet.
Within Hospital Trusts, Health Boards or other information sources, the system sending the data is within the control of the sending body.
Outgoing files from hospital Trusts or other information sources are delivered securely either via SFTP or HTTPS. Data may be further encrypted using PGP® solutions built on the recognised OpenPGP (RFC 2440 & 3156) standard. Each sending party is assigned a unique login (and an additional API key in the case of HTTPS delivery). All attempted data imports are logged and can be audited on demand within the PatientView administrative interface.
When a patient requests the service in the agreed manner, the local clinical IT system is configured to send their data to PatientView. The demographic data for the patient must include an agreed unique identifier (e.g. NHS/CHI Number). The system administrator then creates a login for the patient. This username and password is given to the patient or sent to their registered address.
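As an added illustration (not PatientView's own code) of the import gate described in the two paragraphs above: a sending unit presents its login and API key, the demographic record must carry the agreed unique identifier (here an NHS number, checked with its Mod 11 check digit), and every attempted import is written to an audit record whether it is accepted or not. The sender registry, the API key, the payload shape and the audit structure are constructed assumptions.

```python
from __future__ import annotations
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sender registry (hypothetical): one login per sending unit, with the
# SHA-256 of its API key. A real deployment keeps these in a secret store, not in source.
SENDERS = {"unit-a": hashlib.sha256(b"constructed-api-key-A").hexdigest()}

# In-memory audit trail standing in for the administrative audit log; every
# attempted import is recorded, accepted or rejected.
AUDIT: list[dict] = []


def nhs_number_valid(value: str) -> bool:
    """Mod 11 check-digit test for a 10-digit NHS number (spaces tolerated)."""
    digits = value.replace(" ", "")
    if len(digits) != 10 or not digits.isdigit():
        return False
    weighted = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (weighted % 11)
    if check == 11:
        check = 0
    return check != 10 and check == int(digits[9])


def receive_import(login: str, api_key: str, payload: dict) -> tuple[bool, str]:
    """Gate one inbound delivery: authenticate the sender, require the agreed
    identifier on the demographic record, and log the attempt either way."""
    def record(accepted: bool, reason: str) -> tuple[bool, str]:
        # Neither the API key nor any patient data enters the audit record.
        AUDIT.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "sender": login,
            "outcome": "accepted" if accepted else "rejected",
            "reason": reason,
        })
        return accepted, reason

    expected = SENDERS.get(login)
    presented = hashlib.sha256(api_key.encode()).hexdigest()
    # Constant-time compare, against a dummy digest when the login is unknown,
    # so response time does not reveal which logins exist.
    if not hmac.compare_digest(expected or "0" * 64, presented) or expected is None:
        return record(False, "unknown sender or invalid API key")
    nhs_number = str(payload.get("demographics", {}).get("nhs_number", ""))
    if not nhs_number_valid(nhs_number):
        return record(False, "missing or malformed NHS number")
    return record(True, "ok")
```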
The patient subsequently uses the username and password but must change the password on first use so that it is not known to members of staff on the unit. The patient only sees his/her data (except in the case of parents being able to view their child’s data).
If the patient subsequently decides to no longer use the website, they may request either deletion of their data from the website and cessation of data transmissions, or suspension. In the case of suspension, no new data is sent to the website. In both cases, the system administrator disables the login and password on behalf of the patient.
PV has no direct employees – its administrative support including financial accounting is provided by employees of the UK Renal Registry (www.renalreg.org). Renal Registry-employed staff are experienced at handling patient data and trained in data protection, completing the specified modules of the Information Governance Toolkit from the Health and Social Care Information Centre (HSCIC) annually.
An external contractor involved in data management is subject to a Service Level Agreement with the Renal Association. Any additional contractors are subject to the same agreement. RIXG is registered under the Data Protection Act as the data controller. This is shortly to be changed to reflect PatientView itself as the data controller (Summer 2016).
The application security features applied to the website:
- SSL implemented
- IP tables firewall implemented
- Unnecessary services shut down
- Inward messages via HTTPS
- Software tools updated to include latest patches: pertinent software includes httpd, nginx, Tomcat, openssh, openssl, Java.
Security testing is undertaken by an independent external penetration testing company. Repeat testing is undertaken periodically, and after every major software upgrade. A copy of the most recent security report is available on request.