Medical Clinic Data Protection & Data Quality Review
Medical Clinic - Daragh O Brien
Published in: Technology, Business
Speaker notes
  • One point to make here is that by reaching the DP target, SSC would likely be considered “Advanced” in the Healthcare context because of the generally poor standards that exist in the Irish Healthcare sector. The improved governance of Information will contribute to improvements in data quality as a by-product of care and attention.
  • This is akin to not having a fire drill and not having a hygiene policy. A process must be defined that ensures the organisation not only can tick the box of having a policy but can effectively execute the process and procedures should an incident happen. You do not wait for a fire before figuring out how to evacuate the building and who is responsible for doing what.
  • Policies, Procedures, Metrics and Evidence are very important and will align with objectives under other Quality Assurance criteria.
Slide 1: Medical Clinic: Data Protection & Data Quality Review

Slide 2: Agenda
• Background and Overview
• Summary of Report Findings
  – Maturity Ranking
  – The Good (Things to be commended)
  – The Bad (Issues causing concern)
  – The Ugly (Serious Compliance issues/risks)
• Recommendations

Slide 3: BACKGROUND & OVERVIEW

Slide 4: Context
• Data Protection Compliance = Risk
  – Risk to Trust
  – Risk to Revenue
  – Risk to Brand
• Data Quality Issues = Cost + Risk
  – Risk of wrong treatment
  – Risk of underutilised resources
  – Cost of checking and rechecking data

Slide 5: The Methodology
• Face to Face Qualitative Interviews
• Observations made while on-site
• Research & Review of Best Practice

Slide 6: THE FINDINGS

Slide 7: Summary of Findings
• Some good things found.
• 12 areas of concern/weakness
• 6 critical risks to Compliance found
Slide 8: Maturity Assessment (based on IVI IT-CMF framework; maturity ladder, highest to lowest)
• Optimising
  – Value Centric Management
  – State of the Art Practices & Outcomes
• Advanced
  – Information Value quantified and communicated
  – Practices and outcomes well above industry average
• Intermediate (marked as the Data Protection Target)
  – Interactions formalised for critical processes
  – Transparent Investment Decisions
• Basic
  – Basic IT Services being delivered
  – Some interactions/processes formalised
• Initial (marked as the current Data Protection Maturity)
  – No formal processes
  – Ad hoc Management
Slide 9: CRITICAL RISKS
• Data Controller (??)
• Data Processor (??)

Slide 10: Critical Risks (Patient file: Mr Smith)
• Patient data being transferred by email without encryption/security
• Email forwarding to external services a concern

Slide 11: CRITICAL RISK: No defined Data Security Breach Process

Slide 12: CRITICAL RISK: Personal and Sensitive Personal data being managed and transferred in Spreadsheets

Slide 13: CRITICAL RISK: Little or no segregation of inbound and outbound patient data

Slide 14: CRITICAL RISK: Registry Entry for Hospital with DPC is inaccurate

Slide 15: Compliance Issues
• Classification/Categorisation of Information
• No Formal Governance framework for Data
• Policies/Procedures/Process
  – Absent or poorly defined
  – May not reflect DP Obligations

Slide 16: Compliance Issues
• No training in Data Protection
• No consistency in formal training in systems – a lot of ‘informal’ learning
• The absence of “role based” access to personal data in systems is a concern

Slide 17: Compliance Issues
• No verifiable evidence of good behaviours being followed
• No formal or consistent “Leavers/Movers” process to restrict access to records
• CCTV Signage does not meet DPA requirements
Slide 18: 12 STEP PROGRAMME

Slide 19: 12 Step Plan
• Governance & Policy Issues
• Training and Awareness
• Technical & Technology Issues

Slide 20: Governance Issues
• Formalise Data Controller/Data Processor Relationships
• Implement formal Information Governance
• Define appropriate Policies, Procedures & Metrics
• Review appropriateness of email forwarding.
• Define Leaver/Movers process to encompass all systems and manual data
• Define clear policy
• Conduct Audit of Manual Data Storage/Disposal (Clean Desk Policies)
• Review existing Disclosure policies to ensure DPA requirements met.

Slide 21: Technology Issues
• Implement Role based access to electronic data (where possible)
• Implement Segregation between “Data In” and “Data Out”
• Inspect Data Redundancy (e.g. Spreadsheets): assess need and secure
• Review existing Disclosure policies to ensure DPA requirements met.

Slide 22: Training & Awareness Issues
• Implement Training on DP/DQ to key target audiences
• Coupled with the roll out and implementation of Training, we would recommend that supporting activities be developed to help make culture change stick, e.g.:
  – “Story” development to lock in the learning
  – Internal Communication plans
  – Continuous Improvement
Slide 23: SAMPLE GOVERNANCE MODELS

Slide 24: Governance Model 1 (organisation chart; boxes: Advisory, External Expert, Chair, CEO, Consultants (DPO), HR, IT, Information Governance Steering Group, Bus Apps, Patient Svcs, JCI, Nursing, Radiology, Finance)

Slide 25: Governance Model 2 (organisation chart; boxes: Chair, External Expert, CEO, Consultants (DPO), HR, IT, Information Governance Steering Group, Bus Apps, Patient Svcs, JCI, Nursing, Radiology, Finance)

Slide 26: Governance Model 3 (organisation chart; boxes: External Expert, Bus Apps, Consultants (DPO), IT, HR, Information Governance Steering Group, CEO, Patient Svcs, JCI, Nursing, Radiology, Finance)
• Effective Model for Project Management
• Least Preferred Option for on-going Governance

Slide 27: Evolving from Excellent Project to Effective Governance (diagram spanning Project to Governance; models shown: Governance Model 1, Governance Model 2, Governance Model 3; phases shown: Project Execution, Transition & Bed-in, Operational & Effective)
Slide 28: Summary
1. Ensure all staff know WHAT needs to be done – (Policies, Procedures & Training)
2. Ensure all staff know WHY it needs to be done – (Culture change, align with values)
3. Ensure all staff know HOW it needs to be done – (Governance, Policies, Training)
4. Ensure all staff know WHO is doing it – (Governance, Policies, Contractual issues)
5. Ensure the Clinic can demonstrate THAT IT HAS been done – (Metrics, Governance, Reporting)
Slide 29: In conclusion....
“Best efforts are essential. Unfortunately, best efforts, people charging this way and that way without the guidance of principles, can do a lot of damage. Think of the chaos that would come if everyone did his best, not knowing what to do.”
W. Edwards Deming, Out of the Crisis