Privacy and Data Security

Introduction

Cheshire and Merseyside Local Authorities requested the Public Health Institute, Liverpool John Moores University, to implement a data monitoring system for local treatment providers. This involved the development of a dataset specifically tailored towards individuals with issues around substance use in conjunction with a robust database enabling timely recording of treatment, outcomes and wellbeing data by relevant agencies. The data is supplied to the Public Health Institute via the secure IMS website either by data entry or through a secure file transfer protocol.

Why does this data need to be collected?

Local areas require surveillance to determine the distribution, determinants and efficacy of interventions for the substance using population. As several non-structured and structured services may be involved in the care of a substance user simultaneously or consecutively, this integrated monitoring system provides robust attributable data to describe the nature and journey of individuals presenting for treatment interventions. When analysed with NDTMS data, care pathways and onward referral to structured treatment are identified. Data reporting will facilitate policy formulation and will support the development of efficient commissioning systems at a local level.

Which providers should report to the monitoring system?

Services who provide non-structured treatment interventions, including the provision of open access facilities and outreach which deliver: substance-specific advice, information and support; extended brief interventions to help drug and alcohol users reduce substance-related harm; and assessment and referral of those with more serious substance-related problems for care-planned structured treatment.

What data is to be collected?

In summary the main data items include the following information:
    •  Attributer: Composed of initials, date of birth and gender, used to identify individuals at agency level and across services – used for treatment journey monitoring
    •  Geographical: Recording of table linked postcode information allowing reporting by postcode of residence to DAAT and Local Authority.
    •  Intervention: Date and type of intervention accessed
    •  Outcome information: Fields regarding accommodation, employment and wellbeing information
    •  Referral information: Data relating to referral source to treatment and referral destinations to partner and external organisations and associations

The collection of client details

It is necessary that the individual’s actual initials, date of birth and sex (attributer), rather than a pseudonym attributer, are reported by the provider. From a statistical perspective this will eliminate double counting and will ensure reporting systems are based on individuals.

Treatment journeys

The attributer is vital when mapping client treatment journeys. If an individual accesses treatment interventions in provider A, B and C, the initials, date of birth and sex are used to identify the movement between services; if an individual uses a pseudonym at each provider, an efficient treatment system cannot be evidenced, as the client’s treatment journey cannot be linked. The ‘true’ attributer can be used to substantiate service coordination and provide support to an effective recovery system.

Attributable data and research

Data are collected for statistical, service planning and research purposes. These data are not made available in a form that identifies data subjects.

Initials, date of birth and sex are obtained primarily to remove double counting of individuals. This is the minimum necessary personal data for research purposes. The main factor influencing the amount of personal data collected is the need to identify duplicate records. This requires the individual’s first and last initials, date of birth and sex.

Postcode has been requested to assign individuals to local geographies. Ethnicity and nationality are also required for general monitoring, planning purposes and trend analysis. These data items are vital to service planning and to meet the information needs of service providers and commissioners.

Data sets are not disclosed outside the Public Health Institute in attributable format other than for the purposes of data matching with the National Drug Treatment Monitoring System (NDTMS) held by the Department of Health and Social Care (DHSC) so that local authorities can discern the total number of individuals in contact with any level of treatment delivery in their area. DHSC will not hold the data once the match has taken place. Data otherwise are only disclosed in the form of reports and manuscripts in which the data are aggregated in summary.

Between 1st April 2013 and 30th September 2021 Public Health England (PHE) was an executive agency of the Department of Health and Social Care (DHSC). From 1st October 2021 NDTMS data matching previously completed by PHE will be delivered by the NDTMS team within the Department of Health and Social Care (DHSC).

Principles for processing personal data - General Data Protection Regulation (GDPR)

•   It is lawful, fair, and transparent.

The IMS system is a registry of any individual in contact with 'Needle and Syringe Programmes' (NSP) and other treatment services. The legal basis by which IMS data is processed is for reasons of public interest in the area of Public Health. Patient registries play a key role in ensuring high standards of healthcare and in advancing knowledge of diseases and treatment.

•   It is specific, explicit and legitimate.

The IMS data collection tool is a modular system which allows services to capture only activity which is relevant to the need and operation of that service.

•   It is adequate, relevant and not excessive.

A full list of data fields is available from the IMS data set & reference documentation page. This is reviewed annually to ensure data is captured to meet the reporting needs of both service providers and commissioners, and to remove fields which are no longer relevant.

•   It is accurate and kept up to date.

The IMS system is a live and updatable database, whereby system users may add, edit, or delete data as required, or where support is required to action this, users may request data is updated by the IMS team.

•   It is kept for no longer than necessary.

IMS data is used for longitudinal surveillance to map the provision and demand for NSP services, and to identify client demographic changes over time. This means that data is not subject to a date of destruction. However, individuals may at any time choose to withdraw their 'consent for data processing' or request the deletion of personal data, which will be applied retrospectively to all relevant data.

•   It is processed securely.

Access to the IMS online tool requires use of a username and password. Users must change their password every sixty days. The new password is validated to ensure a sufficiently complex combination of characters is used. The IMS online tool uses data views, which secure against vulnerability to attacks using SQL injection. The IMS webpage uses the HTTPS (RSA 2048-bit) protocol to establish a secure encrypted link between the LJMU servers and the client’s computer. All IMS data is stored in SQL on Windows 2019 servers which are members of a domain and secured via Active Directory. Windows servers are fully patched each month. Access to each file share is restricted to named users, using role-based access and least privilege in terms of accounts connecting. The data is backed up every night. The LJMU firewall stops anyone from outside of LJMU accessing the particular fileserver in question. It also stops people logging onto the domain. Fileshares use NetBIOS over TCP/IP (NBT) which encrypts the data.

Rights of individuals - General Data Protection Regulation (GDPR)

•   The right to be informed

Individuals have the right to be informed what data we are collecting about them and how this data will be used. ‘Information sheet 5 - Information for Clients/Individuals’ can be found on page 11 of the IMS Privacy and Data Security guide, and this should be made available for individuals.

•   The right of access

Individuals have the right to access their data. The IMS user reports function includes a 'Client Detailed Record' which may be used to obtain a summary of client data. For more detailed data you should use the 'Create Extract, >> Local Extract' option to download your data, then filter this to obtain data for the specific individual.

•   The right to rectification

The IMS system is a live and updatable database. IMS users may add, edit, or delete data as required. When support is required, this may be requested from the Public Health Institute, Liverpool John Moores University. Where support is requested, data update requests will be completed within five working days.

•   The right to erasure

IMS users may edit and delete client details and activity as required. However, you should also be aware that IMS client data is securely backed up daily, and is also held within data audit tables. Therefore, if a client wishes to exercise their right to erasure, you should contact us and quote the client’s unique IMS ID number. This is a unique and anonymous code which will allow us to delete all relevant data, and we will confirm that the client has been erased from the IMS system.

•   The right to restrict processing

The client details screen contains a 'consent to process data' question. This must be completed when the client is first entered on the IMS system, and may be updated at any time. Where this item is marked as 'No', data relating to the individual will only be viewed by staff within the specific service and will not be used for any reporting or data analysis by the Public Health Institute, Liverpool John Moores University. Where this question is updated, any change will be applied retrospectively to any data relating to the individual.

•   The right to data portability

Individuals have the right to their own data, for example if they wish to transfer their data to another treatment provider. To obtain detailed client data you should use the 'Create Extract, >> Local Extract' option to download your data, then filter this to obtain data for the specific individual.

•   The right to object

Individuals must be informed how their data will be used; this is set out in ‘Information sheet 5 - Information for Clients/Individuals’ on page 11 of the Privacy and Data Security guide. Where the individual objects to use of their personal data you should use the ‘dummy attributor’ with initials “X X” and date of birth “05/05/1955”. As with clients who respond 'No' to the 'consent to process data' question, data recorded with these client details will not be subject to any further data processing.

•   Rights in relation to automated decision making and profiling

IMS data is processed for reasons of public interest in the area of Public Health. It is not used in relation to automated decision making or profiling.

Exercising rights of access

In most instances the individual client should contact the specific treatment service provider, who will fulfil their request.

However, in some circumstances this may not be possible:

•   Some providers record client data via a separate client data system (for example NexWebstar Health, PharmOutcome, or CRiIS). In these situations data is extracted from the relevant system and uploaded to IMS. Where this is the case, the provider will be given a user login and password for the IMS system which enables them to access their data in the same way as services who use the ‘direct data entry’ method.

•   Due to recommissioning and other changes in service providers the original service provider may no longer exist. Where this is the case, the individual may contact the Public Health Institute LJMU directly with their request.

Data relating to IMS users

In order to maintain an IMS user account it is necessary to provide your full name and a valid email address. This information is required to use the IMS system. In addition we may also send you occasional emails with information such as reports and updates relating to IMS or other relevant Public Health information from the Public Health Institute.

If you wish to check or update your personal information, or unsubscribe from emails, this can be done on the IMS user account details page. If you are unable to access IMS or wish to delete your user account please contact us with your request.

Data relating to deceased individuals

The UK General Data Protection Regulation (GDPR) only applies to information which relates to an identifiable living individual. Information relating to a deceased person does not constitute personal data and therefore the data contained within IMS’s Drug Related Deaths (DRD) surveillance system is not subject to the UK GDPR. [see ICO guidance]

However the Public Health Institute and all parties participating in the review process have a duty of care with this information which can often be sensitive and highly personal, and accordingly access is granted solely for the purpose of reviewing deaths in order to improve future care and service planning, and will not be disclosed to anyone outside of the membership of a local authority area.

For professionals who are not members of a local DRD review panel but who contributed to an individual’s care while living and are able to contribute information to a case, access will be granted solely to that individual’s case. Under all circumstances, disclosure of a deceased person’s health data will not take place if there is a risk of serious harm to a living individual.


Drug Related Death review panel - Confidentiality Statement

A copy of the DRD review panel Confidentiality Statement can be downloaded here.

The Chair of the meeting reminds all concerned of the purposes outlined within the Drug Related Death Monitoring Terms of Reference, and reminds all those in attendance of their obligations regarding the management of information shared via the panel.

  • All attendees must declare any conflict - or potential conflict - of interest relating to any case to be discussed at the panel today. This includes (but is not limited to) any personal connection with a deceased client to be discussed.
  • Information discussed by the attendees and accessed via the IMS for the purpose of the Panel meetings and discussions, within the remit of this panel, is strictly confidential and must not be disclosed to any third parties outside of the attendees at this panel, without the prior written agreement of the attendees, and in particular the agency to whom the information relates, and then only where it is lawful to do so.
  • Discussions at this panel should focus on the circumstances surrounding each client’s drug related death (defined below), and for avoidance of doubt, a clear distinction should be made between fact and professional opinion. Personal opinion shall not be asked for, nor provided.
  • Formal minutes will not be taken at the panel in order to encourage open and honest participation from all attendees, but notes of key points discussed and outstanding actions will be circulated following the panel. All attendees should ensure that any notes they take do not allow identification of the deceased clients, staff members or any third parties. Access to panel notes and documentation should be restricted in a manner befitting the information contained within, ensuring any confidential information is only accessible on a need-to-know basis by individuals with a legitimate and lawful basis to view it.
  • All processing of information, both during and after this meeting, must be lawful and in adherence to the Common Law Duty of Confidentiality (regarding both living and deceased individuals to be discussed) and Data Protection legislation (regarding living individuals to be discussed) and not least in a manner demonstrable with reasonableness, necessity and proportionality.

The purpose of the meeting is as follows:

  • To share information regarding drug related deaths in a confidential, constructive, and respectful manner with the aim of reducing drug related deaths in the future
  • Drug related deaths are understood by panel attendees to mean:
    • Any death where a Coroner has concluded a death was drug and/or alcohol related, or
    • Any death (regardless of cause of mortality) where a client is, or has been within the 6 months prior to their death, a client of a drug and alcohol service
  • To discuss circumstances surrounding each Drug Related Death with a no/fair blame approach
  • To improve agency accountability
  • To provide mutual support to staff involved in the management of Drug Related Deaths, and share knowledge and expertise
  • The responsibility to take actions agreed at the panel rests with individual agencies; responsibility is not transferred to the panel, or its attendees

Drug Related Death review panel - Terms of Reference

A copy of the standard DRD Terms of Reference can be downloaded here.

Individual Local Authority areas may choose to use an appended version of this Terms of Reference documentation in order to meet local requirements, but the documentation will as a minimum include the points from the above standard template.

Information about time commitment and engagement for those involved in the DARD panel review meetings:

  • What we expect from you:
    • You or a relevant colleague updates any new DARD records on IMS with a brief summary of relevant case details prior to the data submissions deadline.
    • If you’re not able to attend the panel but there are cases which involve your sector, could you please provide a deputy to cover the meeting.
    • Please ensure you can attend for the duration of the panel where possible since we won’t do justice to all cases heard if relevant attendees leave for other meetings.
    • If you feel that you are not the most appropriate person for the panel or that you are not able to support them because of capacity, please let us know.
  • What you can expect from us:
    • We are happy to provide training for you/your service on using the IMS system either online via Teams or in person.
    • Where possible, we will schedule panel meetings for between 2 and 2½ hours maximum.
    • We will give you good notice of panel dates throughout the year.
    • We will make intelligence briefings for your area available 4 times a year in order to share the findings of the panels.

Privacy & Data Security guide

A copy of the IMS Privacy & Data Security guide can be downloaded here.

This document contains all the information presented on these pages, as well as the following information sheets:

•   Sheet 1 - Sharing Data with the Public Health Institute

Local confidentiality policies may differ due to the different needs and practices of treatment services but, in the case of information collected and shared with the Public Health Institute, Liverpool John Moores University this sheet provides guidance.

•   Sheet 2 - The type of information collected, and why it is needed

Why the Public Health Institute collect information, and the type of activity collected.

•   Sheet 3 - How information is handled

More information about the Public Health Institute, Liverpool John Moores University and the way in which they handle and use IMS data.

•   Sheet 4 - Rights of Individuals - GDPR

The GDPR (General Data Protection Regulation) legislation sets out important rights for the individual; this sheet explains how these rights may be exercised in relation to IMS.

•   Sheet 5 - Information for Clients/Individuals

The information on this sheet should be used to inform clients/individuals. It can be adapted, as necessary, by your treatment service and included as part of your own service policy.