Statutory mandatory training booklet 2020-2022
1
Welcome Dear colleague, Welcome to our core statutory mandatory training booklet. If you are new to The Princess Alexandra Hospital NHS Trust (PAHT), reading this booklet forms part of your induction. If you are an existing colleague, you can use this booklet to update your core statutory mandatory training. Please take your time to read this booklet and sign the compliance form at the end to ensure that you are up to date with your training. Not all training topics are covered within the booklet, you may be required to complete additional and face-to-face training sessions at an advanced level, depending on your job role. If you are unsure which statutory mandatory training, you have left to complete, please log onto MyESR, our electronic staff record system or speak with your line manager. If you are new to PAHT, your line manager will explain any additional training that you are required to complete when you start. It’s important that you keep your training compliance up to date at all times to ensure the safety of our patients, visitors and people. If you would like to leave feedback about our training booklet, please email the training team at paht.training@nhs.net.
Thank you
The executive team
2
Contents Training
Page
Guidance on using the booklet
4-5
Frequently asked questions (FAQs)
6-7
Our values and behaviours
8 – 10
Conflict resolution
11 - 14
Counter fraud, bribery and raising concerns
15 - 18
Dementia awareness
19 - 23
Equality, diversity and inclusion
24 - 31
Fire safety (level one)
32 - 35
Health and safety
36 - 39
Infection, prevention and control
40 - 48
Learning disabilities awareness
49 - 53
Moving and handling – care of the back (level one)
54 - 57
Safeguarding vulnerable adults (level one)
58 - 63
Safeguarding children (level one)
64 – 71
Information governance and data security awareness (level one)
72 - 105
Information governance and data security awareness: assessment
105 - 111
3
Guidance on using this booklet Please remember that you are responsible for ensuring that your statutory mandatory training is up to date and that it is understood. You can sign the form at the end of the training booklet to say that you have understood and read the training content, certifying yourself as compliant against that particular training topic. You will need to sign your initial against every individual training topic that you confirm you completed, before signing the declaration at the bottom of the form. When completing your information governance training, you will also need to complete a short assessment at the end of the booklet. You can fill in your answers to the multichoice questions on the reverse side of the compliance form. Once your training compliance form is complete, please scan both sides of the form and email it to our training administration team at paht.training@nhs.net. You can also put the form in the internal post to the following address: The Princess Alexandra Hospital NHS Trust Training Team at Harlow College Building C, Velizy Avenue Harlow, Essex CM20 3EZ It is recommended that you have a scanned copy of your compliance form as evidence that you have completed your training. If you have any further questions about a particular training topic, you can discuss with your line manager who will be able to assist you. If you or your line manager feel as though you would benefit from attending a face-to-face training session to cover one or more of the topics again, please visit the training zone Alex page and book onto one of our courses. If you are a member of staff with clinical duties, you will also need to complete a range of level 2 and 3 face to face training sessions – please log onto MyESR to view your outstanding training and compliance status.
My ESR If you do not have your log in details to MyESR, please contact the training team at paht.training@nhs.net. Once you have received your log in details:
Go to the training zone on Alex and click onto log in to e-learning under the related links section.
Enter your log on details and select ‘e-learning user’ and click on e-learning. You will be redirected to your training summary, which shows your training compliance.
4
Guidance for managers and clinical leads
If a member of your team requires level one / basic level core statutory / mandatory training, please print this booklet and ensure that they have a personal copy. If you need electronic copies, please email paht.training@nhs.net.
This booklet does not cover level two and three training – this level of training requires a face-to-face training session or it can be completed via MyESR.
Staff are responsible for signing off their own level one training tests - you do not need to counter-sign a core/level one training compliance record for a member of your team.
You should check your teams training compliance regularly – you should receive a monthly training compliance report, please email paht.training@nhs.net if you are not receiving this report.
If the training compliance report has members of your team missing or those who are not in your team, please complete a payroll change form to make the necessary changes.
If you think that the training requirements for your team are incorrect, please contact the Alexandra Anyanwu, head of core training and development at AAnyanwu@nhs.net. Staff training profiles have been set by the relevant subject matter experts, so please bear with the team to resolve any queries.
If you are concerned that a member of your team does not have the language or reading skills to understand the training course, please email AAnyanwu@nhs.net who can organise alternative training sessions.
If members of your team are not able to complete the training within their working hours, you are authorised to grant time off in lieu or additional hours to enable them to do this. Please speak to your own line manager if you need to discuss further.
Please remember, it is important that we all complete and keep up to date with our statutory mandatory training to ensure the safety of our patients, staff and visitors. We are striving to improve and maintain our core statutory mandatory training compliance above our target.
5
Frequently asked questions 1. I am new to the trust; do I need to do all the training in this booklet? Answer: Yes, you need to complete all of the training within the booklet. 2. I am an existing member of staff. Do I need to do all the training in this booklet? Answer: You may find it easier to update all of your level one training compliance; however, you are only required to complete your core statutory mandatory training in the subject areas where you are currently non-compliant. 3. I am an existing member of staff. How do I check my training compliance record to see what I need to complete? Answer: You will need to log onto your e-learning profile on MyESR and will need a username and password. If you do not already have one please email the training team at paht.training@nhs.net.Once you have your login details, follow the steps below:
Go to the training zone Alex page and click log in to e-learning under the related links section.
Enter your login details, select e-learning user, and then click on e-learning. You will be redirected to your training dashboard, which shows your outstanding training and compliance status.
The red status indicates that your training has expired and that you need to complete your training again.
Click on the search function next to the training that is showing as expired (red) to take you through to the delivery methods available for this training, these will be either by classroom or online, you will then be able to enrol onto an online course or book into a classroom session where necessary
Complete the training online or sign up for a training course.
4. Do I still need to complete e-learning and read the training booklet? Answer: You can gain your basic level one training by reading this booklet, completing e-learning training or attend face-to-face training sessions - the choice is yours. 5. I have completed my basic level one safeguarding children, however my job profile says that I need to complete the level 3 training. What do I need to do now? Answer: You will need to sign up to complete the level 3 course via the training zone Alex page. 6. My training record is currently incorrect – how can this be corrected? Answer: It is your responsibility to ensure that your training record is up to date. If you have previously completed your statutory mandatory training, it will not show on your compliance record. Please complete the form at the end of this booklet to help you to update your training record. 7. Is there an assessment for every subject? Answer: No, the assessment is only applicable to information governance 6
training. 8. Is there a pass mark for the information governance assessment? Answer: Yes, we expect you to achieve an 80% pass rate in the assessment. 9. What happens if I do not achieve the information governance assessment pass mark? Answer: Your assessment answers will be passed onto the information governance team who will be able to assist you in achieving your compliance. 10. Is my job at risk if I do not achieve the pass mark? Answer: No. However, you will still need to complete your information governance training and you find a method that suits you, to ensure that you are compliant. 11. I’m a line manager – how do I sign off a member of my team as compliant? Answer: Individuals are able to sign off their own compliance form – you do not need to countersign the compliance form. 12. I am complaint with my training; however, my compliance runs out in a few weeks’ time. Can I complete all of my core statutory mandatory training at once and get a new compliance date for all topics? Answer: Yes, if you complete your core statutory mandatory training early it will be valid from the date you have completed it for the specified period. Please note, if you complete your training three months early, you will be compliant for the specified period from the date of completion only. 13. I do not have time to complete my training as I am too busy in my role –what should I do? Answer: Please be reminded that keeping your core statutory mandatory training record up to date is a requirement for your job role. Please speak to your line manager about how you can make time to complete your training. 14. How can I feedback on the booklet? Answer: The training team are keen to hear your views, please email them with your feedback at paht.training@nhs.net
7
Our values and behaviours Our values Our values are at the heart of everything we do; they are a guiding compass that determine our everyday behaviours and unite us around a common purpose. Our values were initially developed with our people and patients during an In Your Shoes workshop and signed off by the trust board. Our values guide us to provide high quality care and experiences, act with compassion, support our colleagues protect the most vulnerable people in our community when they need us the most.
Understanding the behaviours that underpin our values We demonstrate that we are living our values through our behaviour at work. Here are our values and the behaviours that we associate with them (below) Remember, living the values applies to our interactions with colleagues, as much as our patients do.
8
9
10
Conflict resolution Course overview Sometimes we find ourselves in difficult situations with other people that can become confrontational. The ability to identify potential causes of conflict and to know how to respond to them will help you to deal with these difficult situations and how to diffuse them. This will make your job easier and will ensure a better experience for our patients. This section covers:
Effective communication
Understanding behaviour
Impact factors
The law
Effective communication There are two models contained within the conflict resolution workbook from NHS Protect* that you can use to achieve better communication with your patients and service users. They are: S – Stand back A – Assess the situation F – Find help if you need it or you are unsure of what to do E – Evaluate what is being asked of you and what you can and cannot do R - Respond And: C – Confront the conflict U – Understand what is causing the conflict D – Define the situation and the cause S – Search for a solution A – Agree on what needs to be done to resolve the situation *NHS Protect is the operating name for the NHS counter fraud and security management service. Its role is to protect NHS staff and resources from crime. Understanding and recognising different types of behaviour in others There will be situations when people you come in to contact with will demonstrate one of the following behaviours:
Compliance – the person will offer no resistance and complies with your request
Verbal resistance and gestures – the person refuses to comply either verbally or with their body language
Passive resistance – the person will either sit or stand and will not move
Active resistance – the person pulls away or pushes you, but makes no attempt 11
to strike
Aggressive resistance – the person physically attacks you
Serious or aggravated resistance – the person causes serious injury and may use weapons
People will normally progress through these stages, but could suddenly become more aggressive without warning. Recognising these patterns may assist you in deciding on an appropriate response. Warning and danger signs The lists below help you to identify some of the physiological changes people will undergo, which ill indicate that they are becoming aggravated and may assist you with your response:
Direct prolonged contact
Facial colour may darken
Head is back
They are standing tall
Kicking the ground
Large movements close to people
Breathings accelerates
Behaviour may stop or start abruptly
Danger signs – if it has not been possible to diffuse the situation and you may need to think of an escape plan:
Fists clenching and unclenching
Facial colour may pale
Lips tighten over teeth
Head drops to protect throat
Eyebrows droop
Hands rise above waist
A sideways stance is adopted
Stare is now at intended target
Lowering of body to launch forward
Impact factors In order to decide how to deal with a conflict situation, you need to consider the impact factors, which can be anything that makes a situation potentially more dangerous. Impact factors can relate to the people involved in the situation, objects present and the 12
environment in which you find yourself. Examples of impact factors are listed below: People Gender, age, size of person. Mental state, mood, tiredness. Numbers of people present: ‘more’ does not always mean ‘safer’. Objects Alcohol or drugs. Potential weapons. Offensive weapons. Environment Time of day: daylight or evening. Safe exits for escape. Distance and space. If you are able to assess the impact factors it will help you answer the question: “Should I deal with this person, or is the better course of action to remove myself from the situation and then raise the alarm?” Distance and space can be considered to be key impact factors when dealing with conflict. If you leave sufficient distance between yourself and the other person you will have time to think and then react, this may include moving quickly away from the situation. Space in this context relates to how close you can get to someone before they feel uncomfortable. You may have heard it referred to as “personal space”. You will naturally allow certain people closer than others for a number of different reasons. Remember, there will also be cultural and religious differences between some people; within the work environment, caring for someone often means invading their personal space and it is important to remember that this can make them feel uncomfortable or anxious. Each situation should be risk assessed and controls put in place to mitigate them. Activity: Think about what the word ‘conflict’ means to you. Have you experienced conflict before? What would you do differently? If you have not been in a conflict situation previously, do you feel you understand what you would need to do if you were? Reporting All conflict situations are classed as incidents and must be reported onto our reporting system, Datix. This information helps us to learn from incidents and put additional preventative measures in place where possible. The law In the unlikely event where you do have to use force to defend yourself, you must do so within the law. Section 3 of the Criminal Law Act 1967 states that you must use force that 13
is “reasonable in the circumstances” – only the law courts can decide what is classed as reasonable. Relates trust policies and further advice Our risk management strategy includes the risk policy, procedures and details the risk assessment process. You can use the risk assessment to assess the potential conflict risk within your department / area. The detail in this subject reflects the Conflict Resolution Training guidance as provided by NHS Protect (2013), now superseded by the NHS Counter Fraud Authority. You can read more by visiting: https://cfa.nhs.uk/
Current legal or relevant expert guidance • NHS Protect (2013), Conflict Resolution Training: Implementing the learning aims and outcomes • Care Quality Commission: The fundamental standards/safety • NHS Violence Reduction Strategy • The Restraint Reduction Network Training standards 2019
14
Counter fraud, bribery and raising concerns Course overview This course provides you with important information from our counter fraud and corruption policy which is located in the corporate Alex page. This reflects our goals to create a culture of best practice in anti-fraud, anti-corruption and anti-bribery measures. You are required to report any breach or potential breach of this policy. If anyone is found to have breached the policy, they may be liable to disciplinary action, including summary dismissal; some offences may also warrant criminal action. The counter fraud service The NHS Counter Fraud Authority (NHSCFA) is a special health authority who lead the fight against fraud, bribery and corruption in the NHS. Locally, each NHS body is required to have an accredited local counter fraud specialist (LCFS). They are responsible for the prevention, detection and investigation of any allegations relating to fraud, corruption or bribery. What is fraud? Fraud is deception carried out for personal gain, usually for money. Fraud can also involve the abuse of a position of trust. By ‘NHS fraud’ we mean any fraud where the NHS is the victim The Fraud Act 2006 makes it an offence for someone to make a false representation, fail to disclose information, or abuse a position, in order to make a financial or other gain or cause. Examples of common frauds within the NHS are: Staff, contractors or agency workers falsifying timesheets or expense claims Staff going sick from their trust post and working elsewhere during their period of sickness Job applicants/existing employees using false qualifications, references or work history on applications and working whilst on sick leave Patients altering prescriptions or receiving free NHS care to which they are not entitled
Duplicate or overinflated invoices submitted by suppliers, suppliers engaging in price fixing and suppliers falsifying performance records to inflate invoice value. Decision makers failing to declare an interest in a firm competing for a contract. Fake invoices submitted by fraudsters, fake/fabricated companies, etc. Watch the video below for another example of NHS fraud, involving a procurement fraud committed by an NHS manager and two of her organisation’s external contractors Video: What is NHS fraud.The ingredients of fraud As the video shows, there are a number of ‘ingredients’ to fraud:
15
making a false representation, failing to disclose information, or abuse of position – these are the three main ways of committing fraud as defined in legislation (Fraud Act 2006), dishonesty, and the intention to make a gain for oneself or someone else or cause a loss to someone else.
There is an additional ingredient to ‘NHS fraud’, or fraud affecting the NHS: the NHS is the victim of the fraud. In other words, by carrying out the fraud the criminal intended to obtain NHS money, or cause a loss to the NHS. The law The Bribery Act 2010 defines a bribe as “a financial or other advantage” offered or received in return for “performing a relevant function improperly”. It is a criminal offence to accept, promise, offer or make a bribe. Some examples of reasons for bribery payments: to secure or keep a contract / order to gain an advantage over a competitor to turn a blind eye to prescribe or favour a particular drug or medical equipment supplier. to queue-jump waiting lists
It is a corporate offence if the trust cannot demonstrate they had “adequate procedures in place to prevent a bribe” How to raise concerns If you have any suspicions or concerns about fraud, bribery and corruption affecting the NHS, report them to the NHSCFA. You can report online or call 0800 028 4060 (available 24/7). All reports are treated in confidence and you have the option to report anonymously. Do not worry if you are not sure whether fraud or another economic crime is happening or has happened. If something makes you suspicious or concerned and you think it may be fraud, bribery or corruption affecting the NHS, report it immediately. We will look into whether it may be fraud (or another economic crime) and should be investigated. The definitions and examples provided in this booklet and elsewhere on the counter fraud website are intended to help you spot fraud, bribery or corruption. If you know what fraud looks like, you are more likely to notice it and report it. It is important to keep in mind that the vast majority of people, who use, work in or have business or other relationships with the NHS are honest. It is only a small minority who commit fraud. However, because fraud is so often a hidden crime, it is particularly important to be vigilant and know how to spot it. Do 16
Raise your concerns immediately Trust that your calls with be dealt with in the strictest confidence
Don’t
Ignore your concerns Be afraid of raising your concerns Approach or accuse individuals Try to investigate anything yourself
Your responsibilities You have a responsibility to prevent, detect and report concerns of bribery. You must:
Follow the governance manual on the policies and guidelines Alex page and associated policies and procedures
Raise purchase orders to ensure appropriate authorisation before engaging with services and purchasing goods Declare all offers of gifts and hospitality and actual gifts and hospital over £25 to your line manager and to the head of finance
Ensure that any claims you make, especially for payment, are correct and supported with documentation where required
Maintain your own personal standards – do not cut corners or compromise your duties and responsibilities Take responsibility to ensure others don’t cut corners Maintain accurate records
Raise concerns about loopholes or system weaknesses to your manager Declare all conflicts of interest Always abide by the Nolan principles of public life: selflessness, integrity, objectivity, accountability, openness, honesty and leadership
If in doubt, seek advice from the local counter fraud specialist or finance team
How to raise concerns about non-financial matters You may notice concerns about non-financial matters and should report them to your line manager, log the concerns on Datix, or report them to the guardian of safe working at GuardianSWH@nhsemployers.org. Further details can be found in the Freedom to Speak Up: Raising Concerns at Work policy on Alex, or you can contact the people information team. Do not worry about being mistaken when you have raised a concern or reported a potential fraud. If you genuinely believe something is not right and you are acting on this belief in good faith, it does not matter if the concern or potential fraud has not been committed. 17
The table below provides some pointers where you can report other issues: Fraud against individuals, or against organisations other than the NHS (including any frauds in which you are the victim) Theft, including theft of property belonging to the NHS Whistleblowing
Report it to Action Fraud
Report it to the police by calling 101. NHS whistleblowing helpline: 08000 724 725
All calls are dealt with in the strictest of confidence and callers may remain anonymous.
18
Dementia awareness What is dementia? The term dementia describes a set of symptoms, which include loss of memory, mood changes, and problems with communication and reasoning. Dementia is progressive, which means the symptoms will gradually get worse. How fast dementia progresses will depend on the individual person and what type of dementia they have. Each person is unique and will experience dementia in their individual way. A person’s dementia is not usually the main reason for them to come into hospital. However, coming into hospital for a person with dementia can be a very stressful and frightening experience. They may feel more confused and may become agitated or upset. It may also be a very worrying time for the carer of a person with dementia. To improve the experience for people with dementia and their carers whilst they are in hospital, we can: Understand the person It is important that you and your colleagues are aware when a person has dementia, so that you can take this into account when communicating with them. It is essential that you know as much as possible about the persons preferences, usual routine and how their dementia affects them. For example, what do they like to eat, what time do they usually get up, what name do they like to be called by, what kind of things do you need to help them with. It is important to remember that a person with dementia is still a unique and valuable human being. Even in the most advanced stage of dementia there is still a way of communicating with the person, often the part of the brain responsible for emotions is still intact. The people closest to them, including their carers, health and social care professionals, friends and family, need to do everything they can to help the person to retain their sense of identity and feeling of self-worth. Their carers may be able to suggest things that they would usually do at home that they could still enjoy doing in hospital. Having familiar items such as their own clothes, photographs from home or a favourite blanket can help provide reassurance and may also help people find their bed or room more easily. If a favourite cup improves the patient’s comprehension of the need to drink, then please remember to use their favourite cup. Communicate with the person who has dementia There are some important points to remember when communicating with a person with dementia:
Always stand where they can see you clearly and ensure they can hear you, make sure heading aids are working and glasses are clean
Be aware of your body language as people with dementia ill find this easier to understand than the words you say. Always introduce yourself and tell the person 19
why you are there and what you are going to do
Be prepared to repeated things as often as necessary
Always explain fully what is happening and why – it may seem obvious to you, but it will not for the person with dementia. If they understand what is happening and why, they are more likely to help you with whatever you need them to do.
Listen carefully to what the person is telling you, interpret their body language and be prepared to take more time to communicate with them
Never talk over their head as if they are not there, especially if you are talking about them. Include them in any conversations that they can hear or see taking place
Avoid scolding or criticising them
Look for the meaning behind their words, evening if they do not seem to be making much sense. The detail of what they are saying is usually how they are trying to tell you how they feel.
Try to imagine how you would like to be spoken to if you were in their position. Ask yourself the question “how do I appear and sound to this patient?”
Work with carers When a person with dementia is staying in hospital, it is important to involve their friends and family. They should be made to feel part of the care team and encourage being involved in providing care for the person as they would at home, if this is what they want to do. This includes assisting the person with dementia at meal times, helping with their personal care or just sitting with the person to reassure them and engage them in conversation and activities. Families should be kept informed about their progress and should be actively involved in the discharge planning and told the likely date of discharge in advance, so that they can organise their return home. Please encourage the patient’s family to complete the tool This Is Me, which is aimed towards people living with dementia or experiencing delirium and are receiving professional care. We support Johns Campaign, which is a movement to help NHS staff to recognise the importance of working with families they promote that “carers should not just be allowed, but be welcomed”.
20
Types of dementia There are many types of dementia, however the ones that you are most likely to come across are Alzheimer’s disease and vascular causes. There are similar changes, which include: Memory loss Difficulty undertaking everyday skills Word finding difficulties Impaired reasoning Recognition problems Changes in mood Spatial awareness difficulties Unpredictable behaviour Changes to personality Lack of insight and empathy Disinhibited behaviour Obsessive and repetitive behaviours Changes to eating habits Confusion Hallucinations Nightmares Language difficulties
Behaviours and what they mean Taking the above into account, you should:
Try to understand the cause of the behaviour. Talk to relatives/carers about triggers/stimulants. Ensure pain is assessed and adequately controlled Consider underlying physical illness.
Try to see things from the person’s perspective. Be aware that aggressive behaviour is often a resistance to a perceived threat. If possible, give the person space to calm down. Use a calm tone of voice. Always maintain the safety of yourself and others.
Support on the ward If you require support with caring for a person with dementia whilst they are in hospital, you can contact the following:
The dementia clinical nurse specialist / dementia lead nurse 21
Your ward or healthcare group matron Clinical site team Your ward or dementia / delirium champion
Delirium Delirium is characterised by acute onset (hours or days) and a fluctuating course of decline in mental functioning, which is triggered by acute illness of the body or brain, acute injury or drug intoxication. Illness, surgery and medications can all cause delirium. Often starting suddenly it usually resolves when the condition causing it gets better. It can be frightening not only for the person who is unwell but for those around them too. Delirium is a serious medical emergency; statistics suggest that the prevalence of delirium in people on medical wards in hospital is about 20-30%. People who develop delirium often stay in hospital longer, have more hospital acquired complications, such as falls and pressure ulcers, be more likely to be admitted to long-term care and are more likely to die. There are three types of delirium Hyperactive Hypoactive Mixed Who is at risk of delirium?
Older people/older people taking multiple medicines, People with dementia People who are dehydrated People with an infection Severely unwell people Post-surgery/especially hip surgery People nearing the end of their life Sight or hearing difficulties Raised temperature, constipation or urinary retention
How can I help someone with delirium?
Talk to them in short simple sentences, remain calm Try not to agree with any unusual or incorrect ideas, tactfully disagree or change the subject Remind them of the date and time Make sure they can see a clock or calendar Make sure they have their glasses and hearing aid Offer help to eat and drink
22
The impact of delirium on a person with dementia Dementia is the strongest risk factor for delirium, and the risk of getting delirium rises as a person’s dementia progresses. A person with dementia who enters hospital and develops delirium may no longer return to their normal baseline. Drugs should not be routinely given for symptoms of delirium. They should only be considered if the person is at risk of harm to themselves or others. Delirium screening tools/criteria Nice guidance (2010) suggests that patients who are Over 65yrs, have an underlying cognitive impairment, previous hip fracture should be screened for delirium on admission. In patients also who have a sudden change in alertness or cognitive function. Use of the 4AT is the recognised screening tool. Please see NICE Guidance (2010), SIGN 157 Guidance (2019) Eating and drinking People with dementia may experience problems with eating and drinking. There are many reasons this might happen. They might: Forget to eat and drink Experience difficulties preparing food or having drinks Have difficulty recognising food items Have a change in sense of taste and smell Things to consider:
Make food that looks and smells appealing Look for opportunities to encourage the person to eat. For example, if the person with dementia is awake a lot of the night, then night-time snacks may be a good idea Give the person food they like. Try not to overload the plate with too much food small and regular portions often work best Try different types of food or drinks, e.g. milkshakes or smoothies Food tastes may change, so try stronger flavours or sweet foods Do not stop someone eating dessert if they haven't eaten their savoury meal. They may prefer the taste of the dessert If you do consider pureed food, seek advice from a dietitian or speech and language therapist to make sure it's nutritious and has enough flavour Try to give the person encouragement and gentle reminders to eat, and of what the food is If the person refuses food, try again a bit later. If they continue to refuse food, speak to the family/dietician about future care planning decisions
Further information For further information, the Alzheimer’s society Dementia UK have arrange of factsheets designed for health professionals and carers: www.Alzheimers.org.uk or www.dementiauk.org 23
Equality, diversity and inclusion Course overview This course aims explain what we mean by equality, diversity and human rights and why they are important. It explains how policies and the law can help us create a more inclusive workplace, what we mean by ‘health inequalities’ and how they can be reduced in the workplace. It will raise your awareness of the nine protected equality, diversity and inclusion characteristics, understand the different types of discrimination and how beliefs, attitudes and values drive behaviour. It also sets out individual and organisational responsibilities to achieve best practice in all aspects of our working lives
Introduction Equality is about creating a fairer society where everyone has the opportunity to fulfil their potential. Diversity is about recognising and valuing difference in its broadest sense. Inclusion is about an individual’s experience within the workplace, in wider society and the extent to which they feel valued and included; investing in a diverse NHS workforce allows us to deliver more inclusive and improved services to our patients. We have a diverse workforce and serve a diverse community with a population that is recognised for inequalities in health outcomes between the different protected characteristic groups. It is through the active and effective understanding of equality, diversity and human rights that the health sector will be able to recruit and retain a workforce that is more reflective of and sensitive to the population it seeks to serve. As a healthcare provider and a major local employer, we recognise our important role in the wider community to promote equality and eliminate discrimination. We aim to reduce inequalities in health and improve experiences for both our people and patients, underpinned by a commitment to human rights, equality and inclusion. The Equality Act 2010 Equality legislation and best practice guidance have been significantly strengthened to ensure that our people, patients and the public are protected from all forms of discrimination, harassment or victimisation and that they have equal access to health services and employment opportunities. The Equality Act 2010 coordinated all former discrimination law and aims to create “a society built on fairness and respect where people are confident in all aspects of their diversity.” The Equality Act 2010 applies to everyone, including providers of services and employers. We live in a complex society made up of people from diverse backgrounds and with a range of needs and requirements. This means someone may be seen as advantaged in some areas and, at the same time, disadvantaged in others. Healthcare 24
services need to reach those that need them effectively, regardless of their social status or protected characteristics. Equality, diversity and inclusion continue to be at the heart of the NHS strategy; each year public bodies are required to publish equality information. Every four years, all public bodies are also required to publish their specific equality objectives. This is crucial in working towards the elimination of health and other inequalities and for ensuring that staff working in healthcare are supported to deliver the best possible health outcomes for patients. The Equality Act strengthens the law in a number of key areas by:
Creating a general public duty for all public sector organisations (see below). Extending the range of lawful positive action to overcome or minimise a disadvantage arising from a protected characteristic Extending the circumstances in which a person is protected against discrimination, harassment or victimisation because of a protected characteristic Allowing employment tribunals to make recommendations in discrimination cases which apply to the whole workforce
The ‘general public duty’ which all public authorities must enforce, is to:
Eliminate discrimination, harassment and victimisation Advance equality of opportunity between persons who share a protected characteristic and persons who do not share it
Foster good relations between persons who share a protected characteristic and persons who do not share it
The Equality Act 2010 gives legal protection to nine 'protected characteristics' - which we will now look at. Protected characteristics We aim to promote equality and inclusion for every one of our people and patients. People with protected characteristics are a key focus when we are designing policies and processes to ensure that we are inclusive. The nine protected characteristics are: Age Means a person belonging to a particular age group. Disability (physical or mental impairment) A person is deemed to have a disability if they have a physical or mental impairment, and the impairment has a substantial and long-term adverse effect on the person’s ability to carry out normal day-to-day activities. Someone who may have had an impairment or condition such as cancer is also covered by this legal definition of disability. Gender reassignment 25
Preferred gender is stated but there is no requirement to be undergoing a medical process. Marriage and civil partnership People who are married or in a civil partnership have this protected characteristic. Pregnancy and maternity (including breastfeeding) Maternity refers to the period after the birth. Maternity discrimination is linked to maternity leave in employment. In the non-work context, protection against maternity discrimination is for 26 weeks after giving birth, and includes treating a woman unfavourably because she is breastfeeding. Race People who have or share characteristics of colour, nationality or ethnic or national origin can be described as belonging to a particular racial group. Religion or belief People, who have a religion or religious or philosophical belief, or a lack of religion or belief, share this protected characteristic. Sex Being a man or a woman. However, it should be noted that, although not acknowledged in the Equality Act, some people may recognise themselves as non-binary or intersex.
Intersex people are individuals whose anatomy or physiology are different from the typical definitions of male and female Those with non-binary genders do not see themselves as exclusively male or female
Sexual orientation (lesbian, gay, bisexual, transgender or heterosexual) A person’s sexual orientation may be towards:
People of the same sex as him or her (in other words the person is a gay man or a lesbian)
People of both sexes (the person is bisexual)
People of the opposite sex from him or her (the person is heterosexual)
Definition and examples of discrimination - There are four main types of discrimination Direct discrimination Direct discrimination is when someone is treated less favourably than another person because they have a protected characteristic.
26
Example – disability: Sam, a nurse, provides advice to the public. Sam refuses to provide advice to Denise, a patient with a learning disability, as he assumes that Denise will not be able to understand due to her disability. Example – sexual orientation: Jack interviews Mary for a job that has been advertised internally and would be a promotion for her. Mary is the strongest interviewee but Jack decides not to offer her the job because Mary is a lesbian and Jack knows that some people in the team she would be managing have made homophobic remarks and he thinks they will not respect Mary. Jack’s actions are direct discrimination and he is breaking the law. Jack also should have already challenged his colleagues’ homophobic remarks to help to create an inclusive workplace Discrimination by association Discrimination by association is against a person because they associate with someone who possesses a protected characteristic: Example – race: Ann is a resident of a care home. A member of staff learns that her partner, John, is black. As a result, Ann is now treated less favourably by staff compared to other service users.
Perception discrimination Perception discrimination is against an individual because others think they possess a particular protected characteristic. It applies even if the person does not actually possess that characteristic. Example – religion: Carol’s colleagues know that her brother is part of a religious order. She is treated less favourably because they assume that she shares her brother’s faith, although she does not. Indirect discrimination Indirect discrimination can occur when there is a condition, rule, policy or even a practice that applies to everyone but particularly disadvantages people who share a protected characteristic. For example, saying that applicants for an administrative position need ten years’ experience of working as an administrator. Unless the employer can lawfully justify why candidates need ten years’ experience, this is likely to be indirect discrimination against young candidates who can demonstrate that they are qualified and capable but do not have ten years’ experience because of their age. It is illegal to discriminate against a person because of a protected characteristic We encourage you to read our equality and inclusion policy for more details. Harassment and victimisation 27
Harassment is unwanted behaviour related to a relevant protected characteristic, which has the purpose or effect of violating an individual’s dignity or creating an intimidating, hostile, degrading, humiliating or offensive environment for that individual. Example: Gita, an Asian woman, hears two members of staff making racially abusive comments. This makes her feel humiliated and degraded. Victimisation occurs when an employee is treated less favourably because they have either made or supported a complaint or raised a grievance under the Equality Act; or because they are suspected of doing so. Example: Tim raises a grievance against a colleague. The complaint is being resolved through the trust’s grievance procedures. However, an acting-up opportunity becomes available and Tim is not told about it. Tim is victimised by being denied opportunities that are being made available to other team members.
Reasonable adjustments Reasonable adjustments are either about making changes when a disabled person is at a significant disadvantage, when services are being provided or in the workplace. A failure to make reasonable adjustments counts as unlawful discrimination. Three areas must be considered:
Making changes to the way things are done, such as changing a practice or policy.
Making changes to the built environment, such as providing access to a building.
Providing auxiliary aids and services, such as providing special computer software or providing a different service.
Working in an equal and diverse environment If we are successful in creating an equal and diverse workplace, we will see the following benefits:
A fair, moral and inclusive society
Better recruitment and retention of staff
Fewer complaints
High staff morale directly linked to better patient care and service delivery, which means patient satisfaction is higher and mortality rates are lower
Reduced bullying and harassment cases and associated sickness rates which result in improved productivity
A better reputation as an organisation
Greater success with organisations meeting their legal obligations
28
Better access to services for everyone and better experiences when using the services. This is directly linked to the long-term sustainability of health and social care organisations
What are the trust’s responsibilities?
Ensure that all colleagues are aware of equality diversity and inclusion issues and understand the expectation that everyone is treated with respect. Provide service information in accessible and appropriate formats / languages. Deal with complaints promptly.
Collect equality data from service users and staff for monitoring purposes. Ensure that the environment and services are accessible to all service users, particularly people with disabilities.
Involve service users in trust consultation processes where new services are being developed. Ensure new policies processes and services are equality impact-assessed for potential adverse effects on people with protected characteristics.
Equality analysis (equality impact assessment) The equality impact analysis (EIA) is a tool aimed at improving the quality of local health services by ensuring that individuals and teams think carefully about the likely impact of their work on different communities or groups. The assessments help us to ensure that our policies procedures and services are not having a potential adverse effect on some of our service users or employees. It is also a way of identifying where we might be able to improve on promoting equality of opportunity for all. When should an equality analysis be carried out?
Equality analysis is best used at the early stages of policy or service planning. Development so that any mitigating actions can be introduced before a decision is made or the policy or service change is implemented. It can also be used retrospectively for policies, projects already approved, and services already in operation, but should never be considered as a “tick box exercise” to complete the project development process. You will need to complete an equality analysis when: o Creating new policies, services, procedures or guidance. o Making changes to existing policies, services, procedures or guidance. o Ratifying all trust board decisions and proposals. o Reviewing or amending a strategy or service (every three years or sooner if required).
Equality delivery system
29
We are implementing the refreshed NHS Equality Delivery System (EDS) framework to improve our equality performance. The EDS framework is grouped under four objectives:
Better health outcomes for all.
Improved patient access and experience. Empowered, engaged and well supported staff. Inclusive leadership at all levels.
We have an established equality and inclusion steering committee and have equality champions for all nine protected characteristic. The equality champions act as role models for equality diversity and inclusion. They place a high value on diversity and actively support efforts to make the work environment inclusive resulting in a positive atmosphere. They recognise that equality diversity and inclusion is fundamental to the success and performance of the trust, as well as improving and maintaining patient services. We welcome your involvement and helping the equality groups to promote best practice. To find out more email the equality and inclusion group via paht.equalityandinclusion@nhs.net How to challenge prejudice, discrimination and unfairness It can be difficult to challenge a colleague’s inappropriate behaviour. The following suggestions will help:
Have the conversation face to face rather than via email
We are all responsible for building an inclusive environment and making it clear that we do not condone discriminatory or stereotypical remarks. It is also important that we do our best to support anyone on the receiving end of a discriminatory remark
Avoid blame. Confront the issue rather than the person. Your aim is to help the person you are speaking with to understand why their behaviour/remark is not OK (remember that it may not have been deliberate) and to work out how to behave differently in the future
As in any effective conversation, you should aim to do as much listening as talking. Sometimes we can work out how to do better for ourselves without being told
You can get advice before the conversation from: o
Your line manager
o
A human resources (HR) representative
o
An equality and diversity champion
You can also get advice or report any concerns in confidence through the Freedom to Speak up Guardians. 30
The most common reasons for staff seeking support from a Freedom to Speak Up Guardian is usually about poor workplace culture, this is often because there is divisive or discriminatory behaviour against some members of the team. The Freedom to Speak Up Guardians in the Trust can be contacted via email: freedomtospeakup@nhs.net or you can contact the NHS Whistleblowing Helpline on 08000 724 725. If you do not feel able to challenge a colleague, then report the matter to your manager.
Further information Please take the time to read the quality and inclusion policy and procedure and check out our website https://www.pah.nhs.uk/equality-and-diversity. You can also ask your line manager, HR advisors or trade union representative for further guidance relating to equality and diversity in the workplace.
31
Fire safety (level one) Course overview Fire safety falls under the wider umbrella of health and safety in the workplace. The fire safety law changed in October 2006 with the introduction of the Regulatory Reform (Fire Safety) Order 2005. This fire safety course covers:
Basic principles of fire safety in the workplace.
The chemistry of fire. How to put small fires out safely. Emergency evacuation procedures.
Note that only training, constant practice, vigilance and awareness can lessen the risk of fire happening in your workplace. Introduction We have a legal responsibility for the health and safety of our staff, patients, visitors and contractors from other organisations who work on our premises. Therefore, it is essential that we have arrangements in place to prevent a fire from starting and to initiate the correct response if a fire does occur. These arrangements include mandatory annual staff training, structural fire protection within buildings, fire alarm and firefighting provisions and equipment to aid evacuation. Action in the event of a fire If you discover or suspect a fire:
Raise the alarm by breaking the nearest fire glass call point. Call your emergency number for fires; this is x 2222 for the PAH main hospital site on Hamstel Road, for all other sites please call 999. Evacuate in accordance with your practiced local plan.
Close doors and windows if it is safe to do so.
Fight the fire – only if it is safe and you are trained to do so.
The chemistry of fire There are three essential requirements for a fire:
Oxygen (e.g. natural oxygen, medical oxygen)
Heat (any source of heat energy e.g. friction, lasers, electrical equipment, kitchen appliances)
Fuel (solids, liquids and gases).
Removing any of the above three components, the fire will be extinguished.
32
The fire triangle
Types of fire extinguishers
Operating a fire extinguisher You must only use fire extinguishers if you have been trained to use one and feel confident. If you are in doubt, please do not approach the fire. If you have been trained and feel confident to use the fire extinguisher, please use the PASS method below to remind you how to use the fire extinguisher.
33
Fire doors and fire alarms The quickest, most effective and easiest way to prevent the spread of smoke and fire is to close all doors and windows. Fire doors are constructed of materials that will withstand smoke and fire for a specified time, usually 30 minutes (door code FD30) or 60 minutes (door code FD60) - they are only effective when closed. Do not wedge fire doors open as this prevents them from closing and will cause smoke and fire to spread further. A fire alarm will sound once if it is manually activated from a fire alarm point or if the installed smoke/heat sensors detect smoke or heat. You could hear two different fire alarm sounds in the main hospital: Continuous sound – potential fire in your area/ward department. Intermittent sound – potential fire in an adjacent area/ward department.
Personal Emergency Evacuation Plan (PEEP) The Regulatory Reform (Fire Safety) Order 2005 requires all people working in a building to be provided with adequate means of escape in the event of a fire, regardless of their ability. A Personal Emergency Evacuation Plan (PEEP) must be created by the head of departments so that colleagues can leave the building quickly and safely in an emergency. If in doubt, consult the fire advisor who will help you to draw up a suitable PEEP for yourself or your colleague. For example, mobility impairment individual may require the individual to use an evacuation chair (pictured below) which should be clearly identified in the PEEP.
34
Related policies and further advice Our risk management strategy includes policy and procedural aspects of risk and describe the process for risk assessment, which can be used when assessing fire safety within the workplace. For further advice, Please contact Dave Clarke, fire advisor at dave.clarke3@nhs.net or call x 7581. For all fire training, please contact mihai.georgios@nhs.net
35
Health and safety Course aims and objectives This course will provide you with up to date information on risk management and health and safety issues. It will inform you of the risk factors and steps that you can take to minimise the risk of injury and point you towards relevant policies and further information. Objectives
To raise your awareness of health and safety at work. To apply this information to your job role and workplace. To enable you to prevent incidents and accidents and improve the safety of the environment for patients, staff and visitors.
Introduction Safeguarding the health, safety and wellbeing of our patients, staff and visitors is paramount to ensure we deliver a first class service. Policies, guidelines and procedures Make sure that you pay attention to the following in your own work area and around the hospital:
Health and safety posters on health and safety noticeboards. Health and safety publications posted on health and safety notice boards. Newsletters and bulletins about safety matters.
Team briefs provided by your manager.
The law relating to health and safety at work The foundation of the health and safety law can be found within the Health and Safety at Work Act (1974), which aims to prevent people getting injured or suffering illness caused through work and encourage high standards of health, safety and welfare. The law clearly states that:
You have a right to a safe workplace. Your employer must keep you safe at work.
You also have responsibility for your own safety and that of others who you can effect (other colleagues, patients and visitors).
We must:
Take responsibility for their own health, safety, and that of others who may be affected by their acts or omissions.
Be familiar with and follow policies, procedures and instructions. 36
Report any accidents, damage, unsafe acts or conditions, near misses, or loss as soon as reasonably possible. Report immediately any condition that may affect their ability to work safely. This includes exposure to highly infectious diseases outside work. Co-operate with health and safety issues, including attending health and safety related training.
Identifying hazards that could cause harm and the associated risks It is important to know about the hazards and risks in your workplace, your manager can help you to identify them. Please remember to control the risks to avoid harm or loss and ensure that the risks stay controlled through ongoing evaluation to the effectiveness of the control measures in place. Needles and sharps injuries Healthcare workers are at risk from sharps injuries that can expose them to blood borne viruses such as HIV, Hep B and Hep C. If standard precautions are followed, sharps injuries are preventable. All needle stick/sharps incidents or contamination with blood or body fluids must be reported immediately to the staff health and wellbeing department on x7015. If the department is closed, you must attend A&E immediately and leave a message on the staff health and wellbeing department’s answer phone, so that your incident can be followed up. Slips, trips and falls Slips, trips and falls can happen anywhere and can have serious consequences. They are the biggest cause of serious injuries to health care workers, service users and others. You can help prevent them by following the steps below:
Keep the workplace tidy and remove all possible floor obstructions. Clean up all spillages immediately. Report any potential hazards.
Wear all personal protective equipment provided.
Restrict access to high-risk areas. Ensure regular and systematic cleaning. Report flooring maintenance issues promptly. Post warning signs in areas of risk and remove after use (this includes spillages).
Ensure adequate lighting for all areas.
Display Screen Equipment (DSE) Display Screen Equipment (DSE) is a device that has an alphanumeric or graphic display screen, regardless of the display process involved. DSE includes both conventional display screens, laptops, touch-screens and other similar devices. 37
Computer workstations or equipment can be associated with neck, shoulder, back or arm pain, as well as with fatigue and eyestrain. The Health and Safety Display Screen Equipment Regulations 1992 aim to protect the health of people who work with DSE. Breaking up long spells of DSE work helps prevent fatigue, eye strain, upper limb problems and backache. Managers will need to plan so users can interrupt prolonged use of DSE with changes of activity. Organised or scheduled rest breaks may sometimes be a solution. Immediate action to take: If you regularly use DSE, you should have already completed a DSE workstation checklist. If you have not done so, please action this as soon as possible with your line manager. You can refer to our DSE policy and workstation checklist located on Alex. Control of substances hazardous to health regulations (COSHH) 2002 A hazardous substance is able to cause harm to health. It is important to control these substances at work so that they do not cause ill health. Hazardous substances must be marked with an appropriate hazard-warning label and a safety data sheet provided. Wards/departments will have COSHH assessments for all hazardous substances used. You will be made aware of the control measures (safe system of work) required for the substances. Exposure to hazardous substances can be prevented by:
Find out if the substances you are using present a hazard to health. You can find this out by reviewing the COSHH risk assessment in full before use and keep yourself up to date when the COSHH assessment is reviewed each year.
Remove or substitute the substance with safer alternatives. Comply with control measures to reduce harm to health. Be prepared for emergencies in line with the COSHH risk assessment.
Stress Stress, including work related stress, can be a significant cause of illness and is linked with high levels of sickness absence, staff turnover and potential errors at work. We have an Attendance Management Policy available that includes the management of stress, manager and employee responsibilities, measures for completing stress risk assessments and managing stress related illness. You can find the policy on Alex. Physical and verbal abuse Unfortunately, physical and verbal abuse is common in the NHS and other public facing services. However, the following behaviours are unacceptable:
Excessive noise, e.g. shouting. 38
Threatening or abusive language involving excessive swearing or offensive remarks. Derogatory racial or sexual remarks.
Malicious allegations relating to members of staff, other patients or visitors. Offensive sexual gestures or behaviours including physical contact. Threats or threatening behaviour. Actual violence.
Control measures We have a “No to Verbal and Physical Abuse (Dealing with Aggression) Policy” located on Alex - it is important to familiarise yourself with this policy and the associated guidance. You have a responsibility to report any incident that you are involved in or are aware of using Datix, our online reporting system. If you need immediate security whilst working at the main hospital site on Hamstel Road, Monday – Friday, 9am – 5pm, please call the security team on x 3294. If you require security out of hours during evenings and weekends, please bleep 388. If you are working in the community and are in a situation of potential aggression, please withdraw from the situation immediately. Reporting incidents and near misses Why you should report incidents and near misses:
To prevent and minimise risks and incidents by sharing the learning and introducing appropriate changes.
To ensure patient safety and a safe working environment. To comply with legislation (RIDDOR – Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013). To comply with our policies To maintain a record of events and actions.
To identify trends in incidents and near misses. To encourage openness. Reporting procedures
Please report all incidents promptly on Datix. If you do not know how to report an incident, please speak to your line manager or the patient safety and quality team.
If there is an immediate risk to safety, please escalate the manager/senior staff member in the area the incident took place or your line manager. Take action to protect others, for example create an informal cordon around the area.
39
Infection prevention and control (level 1) Course overview This course is intended for both clinical and non-clinical staff and will cover our role and standard principles in infection prevention and control, including:
Healthcare-associated infections Chain of infection Hand hygiene
Isolation precautions Personal protective equipment (PPE) Management of blood and body fluid spillage Management of occupational exposure Management of the environment
Management of care equipment
All of us, in all care settings, must apply these principles, whether the infection is known to be present or not, in order to ensure the safety of our patients, people and visitors. Our role We all have a duty of care to provide the safest possible environment for our patients, visitors and colleagues and to contribute towards maintaining the high standards of infection prevention and control practice. Duty of care means the legal obligation that we have to take in order to avoid causing harm to another person. This includes the prevention of healthcare associated infections by complying with expected standards of care. The Code of Practice (Health & Social Care Act 2008, updated 2015) supports this and makes infection prevention control everybody’s business.
We are all required to know our role in adhering to safe infection control practice, regardless of whether you have direct contact with patients. Healthcare associated infections (HCAIs) Healthcare Associated Infections (HCAIs) are acquired because of healthcare interventions. They can affect both patients and healthcare workers. If a patient gets an HCAI, it may:
Make their existing medical condition worse.
Make their stay in hospital longer.
Cause them pain, depression and stress. 40
Lead to a loss of earnings. On occasions, it can reduce their chances of successful recovery.
Numerous factors increase the risk of acquiring an infection and could be caused by poor practice / standards of infection prevention and control. Example: contaminated hands of healthcare workers; contaminated medical devices; and a failure of staff to comply with local policies, procedures and guidelines. Maintaining high standards of infection prevention and control minimises the risk of HCAIs occurring. The chain of infection
The chain of infection is a series of six steps linked together and shows how infections can spread. Each link must be present and follow the sequence shown in the diagram for an infection to occur. The links are:
Infectious agent
Reservoir Portal of exit Mode of transmission Site of entry Susceptible host
The infectious agent (pathogen) is any microorganism with the ability to cause disease. They can be bacteria, viruses, fungi or parasites. The reservoir is the site where infectious microorganisms live and multiply. This can include people, equipment, animals, water, food and soil. The portal of exit provides a way for a microorganism to leave the reservoir. For example, a microorganism may leave the reservoir through the nose or mouth when someone sneezes or coughs. Other examples of portals of exit are breaks in skin, blood, vomit and any other bodily substance. Transmission is the method of transfer which the microorganism moves or is carried from one place to another. The principal routes of transmission are: 41
Direct contact: human to human contact for example through touching, kissing, and sexual intercourse or from a pregnant woman to her foetus through the placenta Indirect contact: contact with contaminated surfaces touched by the infected person, or where droplets of bodily fluid have landed Droplet transmission: respiratory particles that are coughed or sneezed out and settle fairly quickly, before they can travel far Airborne transmission: when respiratory particles that potentially carry pathogens are suspended into the air Blood exposure Consuming contaminated food/water Vector-borne transmission- transfer of micro-organisms by insects, flies, rats or other vermin
The entry is the site which the microorganism enters its new host and causes infection. Infectious agents can enter the body through various portals such as inhalation, ingestion, sexual contact, breaks in the skin, medical devices such as tubes placed in body orifices (e.g. catheters, needles, IV). Patients, staff and visitors can all be susceptible hosts. Some individuals have poor physical resistance and are more susceptible due to low immunity. Factors include age (very young or old), poor nutritional status – obesity or malnourishment, underlying disease, poor personal hygiene, medication, surgery, metabolic disorders, genetic abnormalities and not being vaccinated. Understanding the characteristics of each link provides healthcare staff with knowledge to put prevention strategies in place in order to break the chain and stop infection spreading. Many organisms live in and on our bodies and they are generally harmless or even helpful, but some organisms under certain conditions may cause disease. Isolation precautions You must know about three types of isolation precautions in hospitals:
Contact isolation Respiratory isolation Protective isolation
Please see below for further details.
42
Hand hygiene 

Approximately 80% of all healthcare acquired infections are thought to be transmitted by hands (WHO, 2009). Therefore, it is very important to comply with hand hygiene requirements to help prevent the spread of infection. Instead of washing your hands, you can use alcohol hand gel on visibly clean hands. However, there are some microorganisms (bugs) that are not killed by alcohol hand gel. Norovirus and Clostridium difficile are two of them - both can 43
cause diarrhoea and/or vomiting. If you have been in contact with a patient with diarrhoea and/or vomiting, it is important that you wash your hands with soap and water, rather than use the alcohol hand gel. When you wash your hands, it is important to use the correct technique (pictured below) so that you do not miss any areas. If you have direct contact with patients, you should look at the five moments of hand hygiene (pictured below).
It is equally important to know when you should perform hand hygiene. Some examples are:
Before preparing, handling or eating food. After visiting the toilet. Whenever hands are visibly dirty. After removing gloves.
Before entering and after leaving ward areas.
Before entering and after leaving a patient’s room/bed space. 44
Before and after any patient contact.
Personal protective equipment (PPE) Before undertaking any procedure, you should assess any likely exposure against the associated risks and ensure that you are wearing the appropriate PPE. All PPE should be:
Located close to the point of use. Stored to prevent contamination in a clean/dry area until required for use (expiry dates must be adhered to). Single-use only items unless specified by the manufacturer. Changed immediately after each patient and/or following completion of a procedure or task. disposed of after use into the correct waste stream i.e. healthcare waste or domestic waste. Reusable PPE items, e.g. non-disposable goggles/face shields/visors must have a decontamination schedule with responsibility assigned (see SOP for re-use and decontamination of goggles/face shields).
PPE may include:
Gloves Aprons / gowns Face Masks Protective eyewear
Please note that this is not an exhaustive list. It is your responsibility to use PPE in accordance with our policy, the instructions and PPE training. Management of blood and body fluid spillage Spillages of blood and other body fluids may transmit blood borne viruses. Trained staff must decontaminate spillages immediately and safely. Responsibilities for the decontamination of blood and body fluid spillages should be clear within each area/care setting. Appropriate personal protective equipment (e.g. gloves, apron, eye/face protection) must be worn when dealing with blood and other body fluid spillages. Detergents and disinfectants such as chlorine releasing agents e.g. must be prepared in accordance with manufacturer’s instructions. Waste materials such as contaminated paper towels must be disposed of as clinical waste after use.
45
Management of occupational exposure A significant occupational exposure is:
A percutaneous injury (e.g. injuries from needles, instruments, bone fragments, or bites that break the skin.
Exposure of broken skin (abrasions, cuts, eczema, etc.). Exposure of mucous membranes including the eye from splashing of blood or other high-risk body fluids.
There is a potential risk of transmission of a Blood Borne Virus (BBV) from a significant occupational exposure. You must understand the actions you should take when a significant occupational exposure incident takes place. In line with the Health and Safety Executive (HSE) advice, if you, a colleague or a patient suffer an injury from a sharp which may be contaminated you should:
Encourage the wound to gently bleed, ideally holding it under running water. Wash the wound using running water and plenty of soap. Do not scrub the wound whilst you are washing it. Do not suck the wound. Dry the wound and cover it with a waterproof plaster or dressing.
Seek urgent medical advice, as effective prophylaxis (medicines to help fight infection) are available. Report sharps injuries in line with local reporting procedures/policies.
All needle stick/sharps incidents or contamination with blood or body fluids must be reported immediately to the staff health and wellbeing department on x 7015. Out of hours, you must attend A&E immediately and leave a message on the staff health and wellbeing department’s answer phone, so that the incident can be followed up afterwards. Management of the environment A dirty or contaminated clinical environment is one of the factors that may contribute to HCAIs. Although the environment may look clean, invisible microorganisms are always present, some potentially harmful. Cleaning and decontamination of the environment are key infection prevention and control measures. It is the responsibility of the person in charge to ensure that the care environment is safe for practice (this includes environmental cleanliness/maintenance). The person in charge must act if this is deficient. The care environment must be:
Visibly clean, free from non-essential items and equipment to facilitate effective cleaning. 46
Well maintained and in a good state of repair. Routinely cleaned in accordance with our policy. Special precaution should also be taken in high-risk areas and with high risk patients.
Management of care equipment Care equipment is easily contaminated with blood, other body fluids, secretions, excretions and infectious agents. Consequently, it is easy to transfer infectious agents from care equipment when treating a patient. Care equipment is classified as either: Single-use equipment, which is used once on a single patient and then discarded. This must never be reused, even on the same patient. Needles and syringes are single use devices. Single patient use equipment, which can be reused on the same patient. Reusable invasive equipment, used once then decontaminated e.g. surgical instruments. Reusable non-invasive equipment (often referred to as communal equipment) - reused on more than one patient following decontamination between each use e.g. commode, patient transfer trolley. Before using any sterile equipment, remember to check that:
The packaging is intact
There are no obvious signs of packaging contamination The expiry date remains valid
Decontamination of reusable non-invasive care equipment must be undertaken:
Between each use
After blood and/or body fluid contamination At regular predefined intervals as part of an equipment cleaning protocol Before inspection, servicing or repair Adhere to manufacturers’ guidance for use and decontamination of all care equipment.
All reusable non-invasive care equipment must be rinsed and dried following decontamination and then stored clean and dry.
Key responsibilities to remember
All employees, clinical and non-clinical, will be personally accountable for their actions and are responsible to comply with infection prevention and control 47
policies. You must understand your legal duty to take reasonable care of your health, safety and security and that other people may be affected by your actions.
You must understand your legal duty to report untoward incidents and areas of concern.
As healthcare workers, you are responsible for identifying infectious conditions and circumstances that may lead to outbreaks of infection and require specific controls to protect yourself, our patients and others. During an outbreak, if you experience relevant symptoms, you must report this to our staff health and wellbeing team on x 7015 and appropriate advice must be followed. You are responsible for notifying the infection prevention and control team of such circumstances and ensuring that you utilise safe working practices, outlined in infection prevention and control policies. Any breach in infection prevention and control policies or practice will place our people, patients and visitors at risk. Subsequently, the completion of a clinical incident form will be required.
Further reading materials The following policies are available on the infection prevention and control Alex page:
Hand hygiene policy Isolation policy Standard infection control precautions policy Risk management strategy Management of MRSA policy
Management of clostridium difficile policy
Useful contacts
Director of infection prevention and control: x 3101
Consultant microbiologist: x 3101 Infection prevention and control head nurse: x 2117 Infection prevention and control nurses: x 7136 and x 7139 Infection prevention control information analyst: x 2142
48
Learning disability awareness What is a learning disability? A significantly reduced ability to understand new or complex information or learn new skills (impaired intelligence, usually IQ <70), with; A reduced ability to cope independently (impaired social function) which started before adulthood and has a lasting effect on a person’s development. There are degrees of learning disability ranging from mild, moderate, severe and profound.
What causes a learning disability?
Genetic conditions (e.g. down syndrome)
Maternal illness in pregnancy. Lack of oxygen at birth. Infections. Some learning disabilities have an unknown cause.
A learning disability is not:
A learning difficulty, for example dyslexia. Attention deficit hyperactivity disorder (ADHD) and hyperactive disorders. Emotional difficulties that may have an impact on learning. A mental health illness.
Head injury (unless in early childhood).
What is autism? Autism is a lifelong developmental disorder and affects how a person makes sense of their world, processes information and how they interact with others. Autism is characterised by the need for routine and sensory sensitivity. Autism may be associated with a learning disability but can occur in non-learning disabled people as in Asperger’s syndrome. People with autism may have difficulties with:
Social interaction: people with autism find it difficult to understand ‘unwritten social rules’. Social imagination: people with autism find it difficult to interpret other people’s feelings. Social communication: people with autism take a literal understanding of verbal language. They find it difficult to read and understand facial expressions or understand euphemisms and jokes. 49
Over or under sensitivity to sensory cues.
Diagnostic overshadowing Research shows that the way in which a person with a learning disability behaves can negatively impact the judgments and decisions made by a clinician. It is often assumed that the behaviour a person is displaying is due to their learning disability, rather than the behaviour being a manifestation of a physical or medical condition. When a person with a learning disability or autism presents with a different behaviour to their norm, this should be escalated. Clinicians should think about:
Physical causes: pain, ear infection, toothache, constipation, visual or hearing changes. Psychiatric causes: depression, anxiety, and dementia.
Social causes: bereavement, abuse.
Health needs People with learning disabilities have up to two times more health needs than people without a learning disability. They are 58 times more likely to die before the age of 50 and they are four times more likely to die of a preventable cause. Barriers to accessing healthcare for people with learning disabilities and/ or autism
Communication difficulties. Attitudes. Lack of accessibile and understandable information. Capacity and content issues.
Fear / anxiety. Lack of time. Lack of preparation. Physical environment (e.g. noise, activity levels, equipment, etc.)
Lack of information about the patient.
Carers/family not being involved in care planning. Lack of training/education for healthcare professionals. Diagnostic overshadowing.
50
Reasonable adjustments Putting reasonable adjustments in place in healthcare is a legal requirement to ensure that people with disabilities have a fair and equal chance to access the healthcare they need. An example of a reasonable adjustment would be providing easy read information. Communication
Approximately 50% of people with a learning disability have significant communication difficulties.
Keep in mind that if a person has a sensory or physical impairment, this will further compound their communication difficulties. Not everybody will communicate their feelings or symptoms of illness verbally. We use a great deal of non-verbal communication with each other (e.g. facial expressions, body language, and tone of voice). Not everybody will be able to understand these methods of communication, but it is still important to make sure both your verbal and non-verbal communication is very clear.
Use pictures and photographs where helpful. There are hospital communication books in all clinical areas. Some people with a learning disability and/or autism may have verbal skills that are better than their understanding (or vice versa). If somebody’s behaviour is becoming challenging, the likelihood is the person is attempting to communicate distress to you.
Strategies that may overcome communication difficulties in people with autism If the person with autism does not pay attention when you are talking to them:
Always use the person’s name at the beginning, when you are saying something, so that they know you are talking to them. Make sure the person is paying attention before you ask a question or give an instruction. This might mean waiting for them to look at you or in your direction.
Use the person’s special interest, or the activity they are currently doing, to engage them. The individual will be more motivated to listen if they are interested in the activity.
Support communication with visual aids. For free visual resources, visit www.do2learn.com.
A person with autism has difficulty processing the information that is said to them.
Reduce the amount of non-verbal communication that you use including eye contact, facial expressions, gestures, body language, etc. when the person is showing signs of anxiety. It can be difficult for the person to process information if they have high levels of anxiety.
Use visual supports (e.g. symbols, timetables, Social Stories©) to help them to 51
process the information more easily. Speak clearly and precisely using short sentences. A person with autism can find it difficult to filter out the less important information. If there is too much information, it can lead to ‘overload’, where no further information can be processed. Do not use too many questions. People with autism may find ‘where’, ‘when’, and ‘who’ questions difficult. ‘Why’ questions may not be useful.
Be aware of the environment that you are in. (e.g. is it noisy/crowded, etc.) It may be affecting how much the person can process.
Wait for the person to respond or complete the task before repeating yourself or giving further instruction. It can take up to 30 seconds for a person with autism to process information.
A person with autism has difficulty answering open-ended questions
Structure your questions. For example, offer options or choices rather than them having to think of the options themselves.
Keep your questions short. Be specific. For example, ask “How was lunchtime?” and “How was work?” rather than “How was your day?” which may be too broad. Ask only the most necessary questions. This minimises the decision-making the individual has to do on a daily basis.
Environment and communicating with somebody with autism: Provide a low arousal environment if the individual is over-sensitive to noise, light, heat and/or smells. For example, limiting disruption or background noise can help the person to focus. For more on environment and surroundings, see www.autism.org.uk/18450
A person with autism is reluctant to ask for help, even though you think they may not understand
Give them a visual help card for them to use to approach somebody for help. If the person shows echolalia (the repetition of words/phrases spoken by others), it can be due to their lack of understanding the question or how best to respond. Check their understanding and support them with visual support or offering choices.
The person with autism is taking everything I say literally.
Avoid using irony, sarcasm, figurative language, rhetorical questions, idioms etc. If you do use them, explain what you have said and be clear about what you really mean to say.
52
Hospital passports Person centred care is essential for people with a learning disability. Many people will have a hospital passport that they bring with them when they come to hospital. Across Hertfordshire, the purple folder is used in place of a hospital passport. The hospital passport/purple folder is a tool that will have important information about the person. It encourages safe and person centred care and is therefore essential that you promote these in the hospital. It will have medical information and information about how they like to be supported, their routines, what they like and do not like.
Advice and support: the learning disability team Karen Thomson Learning disability specialist nurse Extension: 8230 or bleep 073 Email: karen.thomson17@nhs.net Sinead Juhas Learning disability assistant Extension: 8231 or bleep 061 Email: sinead.juhas@nhs.net Generic team email: learning.disabilities@nhs.net
53
Moving and handling – care of the back (level 1) Aims and objectives We are committed to ensuring safe practice in accordance with the Health and Safety at Work Act 1974, The Manual Handling Operations Regulations 1992 amended 2002, Lifting Operations and Lifting Equipment Regulations 1998, Provision and Use of Work Equipment Regulations 1998 and the Human Rights Act 1998. This will enable you to:
Understand and recognise safe systems of work.
Understand your responsibilities to avoid back pain for yourself and others. Recognise manual handling risk factors and how injuries can occur. Know the factors to look out for when undertaking an on the spot risk assessment, prior to undertaking a moving and handling activity. Choose suitable risk control strategies.
Develop knowledge and skills to move objects safely using an ergonomic approach to manual handling and other work tasks.
Understand principles of good back care to promote general musculoskeletal health. Understand employer and employee responsibilities under relevant national Health and Safety legislation including most recent versions of the Manual Handling Operation Regulations.
Understand your responsibilities under local organisational policies for moving and handling and know where additional advice and information can be sought relating to moving and handling issues.
Definitions Human factors and ergonomics - human factors and ergonomics, also known as comfort design, functional design, and systems, is the practice of designing products, systems, or processes to take proper account of the interaction between them and the people who use them. Manual handling – The Manual Handling Operations Regulations (1992) define manual handling as any transporting or supporting of a load including the lifting, putting down, pushing, pulling, carrying or moving thereof by hand or by bodily force. Hazard – Something that has the potential to cause harm. Risk – risk is the combination of the likelihood of something occurring and the severity of the injury/consequences. Risk assessment – Hazards identified, risks evaluated and control measures put in place.
54
The legal framework Manual Handling Operations Regulations (1992) amended 2002 The Manual Handling Operations Regulations 1992 cover the transporting or supporting of a load, including the lifting, putting down, pushing, pulling, carrying or moving it, by hand or by bodily force. The regulations impose the following duties on employers:
To avoid hazardous manual handling, where possible. To reduce risk of injury by using the assessment as the basis for action.
To provide information on the load (where reasonably practicable).
To review the assessment as needed.
You must make full and proper use of any system of work and equipment provided to promote safety during the handling of loads. You must also be aware of your own capabilities and any limitations in the handling of loads and take care not to put themselves or others at risk.
Care of the back and spine Back pain is an extremely common complaint and an estimated 80% of people in the UK are affected at some time in their lives. Most back pain is caused by strains and minor injury rather than serious injury and is often called “simple back pain”. Most back pain does not have an identifiable cause. Worrying about back pain may make it worse and hold back recovery. Sprains and strains usually heal themselves within a short time; recovery will be usually be assisted by keeping to normal levels of day-to-day activity, using simple pain relief if needed, however, medical advice should always be sought. Some of the most common causes of stress and strain on the spine are:
On-going poor posture.
Slouching in chairs. Driving in hunched positions. Standing badly. Lifting incorrectly. Sleeping on sagging mattresses.
Being unfit. Generally overdoing it. Five tips for avoiding back pain
To minimise your chances of developing back pain, follow these simple steps:
Avoid slouching and stooping or spending long periods hunched over a computer. 55
Always try to encourage your own good posture, try to think about the way you sit and stand. When standing for long periods, consider whether your shoulders are hunched; if so, stretch them back gently. Also, balance your weight equally when you stand, as placing pressure unevenly on one side throws your spine’s curvature, which can make the shoulders and hips uneven. Avoid lifting and carrying heavy objects. Use a shallow trolley at the supermarket to avoid stooping and bending. Apply good moving and handling techniques everywhere, not just at work.
Principles of safer moving and handling When moving any inanimate load i.e. a load that cannot move on its own, you need to remember the “TILEO” acronym. TILEO prompts you to consider each essential area of the activity in order to improve safety. The TILEO acronym stands for Task, Individual, Load, Environment and Other factors: T – Task: this means considering the manual handling activity itself, i.e. the lifting, lowering, carrying, pushing or pulling, and looking at how it may affect your health and safety. I – Individual: this means considering the person who will be carrying out the manual handling activity, i.e. you or another colleague. For example, how strong, fit or able is the person? Are they capable of manual handling alone? Do they need assistance? L - Load: this means considering what is being moved, and looking at how this may affect health and safety. For example, is the load particularly heavy, bulky, hard to grasp or unstable? E – Environment: this means considering the area in which the load is being moved, and looking at how this could make the manual handling task unsafe. For example, are there any space constraints? Is the floor slippery or uneven? Is there sufficient lighting? Are there any trip hazards? O - Other factors: this means considering anything else, in addition to the task, individual, load and environment, which may affect the safety of the manual handling activity. For example, will personal protective equipment (PPE) make movement difficult? Is more/different PPE needed? The potential adverse consequences of not carrying out an adequate risk assessment are serious harm or injury to patients and staff and potentially raised levels of sickness from musculoskeletal injuries. There is also a potential of legal action against the trust. Guideline weights for lifting There is no such thing as a completely ‘safe’ manual handling operation. However, working within the following guidelines will cut the risk and reduce the need for a more detailed assessment. 56
Basic lifting principles:
Keep the load close to your waist where possible. Stable base.
Bend knees. Spine in line. Secure handhold with inanimate objects. Smooth controlled movement. Vary positions.
Move with the load. Command – “ready, steady, action” when lifting with another person.
Note: If you move patients, you must also attend a practical clinical moving and handling course.
57
Safeguarding vulnerable adults (level one) Course overview The aims of this training are:
To provide you with the information and support you need to identify potential safeguarding concerns. To provide a process for you to report abuse of an adult at risk and support for their continued management and referral. To promote a culture of care within PAHT that protects the rights of adults who may be at risk of abuse or neglect; ensuring the views of these people are known and that they receive the same high quality care that we aim to provide to all of our patients.
We are a statutory partner working with other agencies to protect adults at risk of abuse. Our aim is to protect the rights and interests of vulnerable adults, particularly when in our care, by:
Ensuring we have a culture where all colleagues recognise when there may be safeguarding concerns.
Not hesitating to raise concerns when we have them. Knowing what action to take to protect a patient and escalate any concerns we have.
Safeguarding adults at risk of harm is everyone’s responsibility. What is safeguarding adults? Adult safeguarding is the process of protecting adults, who have care and support needs, from abuse or neglect. It is an important part of our role and it is everybody’s business. A statutory framework Section 42 – 44 of the Care Act 2014 and Mental Capacity Act is now in place to protect adults from neglect and abuse. Anybody aged over 18 who has on-going care and support needs because of an illness, disability or frailty and is unable to protect themselves against harm or exploitation is considered as an adult at risk. This may include:
People with learning disabilities. People with physical disabilities.
People with sensory impairment. People with mental health needs, including dementia. People who misuse substances or alcohol. People who are physically or mentally frail.
People who lack mental capacity and where a deprivation of liberty application will be made in their best interests. 58
People who are frail. An adult at risk who may be subjected to Female Genital Mutilation (FGM). An adult at risk who is also a victim of domestic abuse.
What are abuse and neglect? The following is not intended to be an exhaustive list but is included to illustrate the sort of behaviour that could give rise to a safeguarding concern:
Physical abuse – including hitting, slapping, pushing, misuse of medication and restraint. Domestic violence - including psychological, physical, sexual and emotional including honour based violence. Sexual abuse – including rape, indecent exposure, sexual harassment, inappropriate looking or touching, sexual teasing or innuendo. Psychological abuse – including emotional abuse, threats of harm or abandonment, deprivation of contact, humiliation, blaming, controlling intimidation, cyber bullying and isolation. Financial or material abuse – including theft, fraud, coercion with property, will and inheritance. Modern slavery – encompasses slavery, human trafficking, forced labour and domestic servitude. Discriminatory abuse – including harassment, slurs or similar ill-treatment because of race, gender, gender identity, age, disability, sexual orientation or religion. Organisational abuse – this includes neglect and/or poor care practice within an institution; it may be a one-off incident or repeated ill treatment. It can also be through neglect or poor professional practice because of the structure, policies, processes and practices within an organisation. Neglect and acts of omission – including ignoring medical, emotional or physical care needs, failure to provide access to appropriate health care and support or educational services or withholding the necessities such as medication, adequate nutrition and heating. Self-neglect – this covers a wide range of behaviour neglecting to care for one’s personal hygiene, health or surroundings and includes behaviour such as hoarding.
What should I do if I have a safeguarding concern? If you have a safeguarding concern about a person, you must act immediately to protect the person including:
Report this to your line-manager (site manager out-of-hours). Contact the safeguarding adult’s team for advice. Complete a Datix form to report the incident.
Complete a safeguarding alert form (SAF) giving as much detail as possible and 59
send to: tpa-tr.Safeguarding-Adults@nhs.net and the local authority. If a crime has been committed on trust premises, the police must be contacted. Refer to your line manager for help with this.
If you suspect a crime has been committed outside of the trust, you must encourage the person who has told you to report it to the police.
Refer to our safeguarding adult’s policy for further information.
How to contact the safeguarding adult’s team Lead Nurse Safeguarding adults: x 7232 Safeguarding Nurse: x 2126 Generic email address: tpa-tr.Safeguarding-Adults@nhs.net Out of hours: call clinical site team on bleep 626 Adult social care: 0300 123 0778
Identifying and supporting victims of human trafficking or modern slavery Anyone could come across a victim of human trafficking in the course of their work. We all have a duty to take appropriate action and a legal obligation in the case of children under 18 if you suspect a person is a victim of trafficking. What is human trafficking? Human trafficking is the recruitment, movement, harbouring or receiving of children, women or men with force, coercion, and abuse of vulnerability, deception or other means for the purpose of exploitation. Who is trafficked? British and foreign nationals can be trafficked into, around and out of the UK. Children, women and men can all be victims of human trafficking. Why are people trafficked? Children, women and men are trafficked for a wide range of reasons including:
Sexual exploitation. Domestic servitude. Forced labour; including in the agricultural, construction, food processing, and hospitality industries and in factories; criminal activity including cannabis cultivation, street crime, forced begging and benefit fraud.
Organ harvesting.
How might you encounter a victim of human trafficking?
A person may tell you about their experience. 60
You detect signs that suggest a person may have been trafficked. A trafficked person may be referred to you
Signs of trafficking for adults, children and young people include a person being accompanied by someone who appears controlling and/or who insists on speaking on their behalf and coming with them when they see the health worker. The person may:
Be withdrawn and submissive, seem afraid to speak to a person in authority and the accompanying person speaks for them.
Give a vague and inconsistent explanation of where they live, their employment or schooling.
Have old or serious injuries left untreated. Have delayed presentation and is vague and reluctant to explain how the injury occurred or to give a medical history.
Not be registered with a GP, nursery or school.
Have experienced being moved locally, regionally, nationally or internationally. Appear to be moving location frequently. Have an appearance that suggests general physical neglect. Struggle to speak English.
Have no official means of identification or has suspicious looking documents.
Children and young people may:
Have an unclear relationship with the accompanying adult. Go missing (sometimes within 48 hours of going into care) and repeatedly from school, home and care.
Give inconsistent information about their age. What are the possible healthcare issues of trafficked people? Victims of trafficking may only come to your attention when seriously ill or injured or with an injury or illness that has been left untreated for a while.
Healthcare issues may include: Evidence of long term multiple injuries. Indications of mental, physical and sexual trauma. Sexually transmitted infections. Pregnancy or a late booking over 24 weeks for maternity care.
Disordered eating or poor nutrition. Dental pain.
Fatigue. Non-specific symptoms of Post-Traumatic Stress Disorder.
Symptoms of psychiatric and psychological distress.
Back pain, stomach pain, skin problems, headaches and dizzy spells. 61
Evidence of self-harm.
What should you do? In all cases, trust and act on your professional or personal instinct that something is not quite right. You may suspect trafficking from a number of triggers, such as an inconsistent story and a pattern of symptoms. If you have any concerns about a child, young person or adult, take immediate action, report your concerns to your line manager, and then telephone the safeguarding adults or children’s teams for further support and advice. Remember:
Trafficked people may not identify themselves as victims of trafficking. Trafficking victims can be prevented by revealing their experience to healthcare staff from fear, shame, language barriers or a lack of opportunity to do so. It can take time for a person to feel safe enough to open up.
Take caution when talking about age - if a person tells you they are under 18 or if a person says they are an adult, but you suspect they are not, take action as though they were under 18 years old.
Support for victims of human trafficking is available.
Try to find out more about the situation and speak to the person in private without anyone accompanying them. When speaking to the person reassure them that it is safe for them to speak. Do not make promises. Only ask non-judgemental, relevant questions.
Allow the person time to tell you their experiences. Do not let concerns you may have about challenging cultural beliefs stand in the way of making informed assessments about the safety of a child, young person or adult.
The prevent strategy The prevent strategy is part of the Government’s counter-terrorism strategy CONTEST and its aim is to stop people becoming terrorists or supporting terrorism. Prevent falls under the NHS safeguarding strategy because it seeks to identify and support people at the point when they are coming under the influence of people seeking to radicalise them – either directly, through personal contact, or indirectly, for example through the internet. It is a statutory requirement for all staff in the NHS to have awareness of their responsibilities in supporting prevent. The need for NHS providers to engage with the prevent strategy is two-fold:
The NHS is one of the biggest employers in the UK and therefore integrating the 62
prevent strategy across health will ensure. Its implementation is widespread throughout the country. We may be vulnerable to radicalisation, as well as our patients.
Front line colleagues may meet people whilst carrying out their duties who may exhibit signs or behaviours of extremist activity, or may appear to be coming under the influence of radical groups. This might be evident in various ways, for example comments from relatives about changes in their behaviour or worrying contacts with others or the nature of injuries. People who are vulnerable, such as those with mental health problems, learning disabilities or social difficulties are also vulnerable to radicalisation and could be targeted by terrorist groups. There have been a number of cases where terrorist actions have been undertaken or planned involving vulnerable people, who have been cynically targeted in this way. One of the key objectives of the prevent strategy is to work with sectors and institutions where there are risks of radicalisation which need to be addressed. Reporting a concern via the prevent strategy will result in a review of the information available about the person in question and possibly some further inquiries about them. If it appears that the person may be becoming radicalised, they will be offered support via the prevent strategy. They are not obliged to accept this support; however, the majority of people who are offered the support do accept it. If you feel that a patient, colleague or other person appears to be at risk of radicalisation please contact the safeguarding adults team. Further reading
Trust policies Safeguarding adults at risk policy Mental capacity policy
Deprivation of liberty policy PREVENT policy Domestic abuse policy Care of patients with learning disabilities and autism Southend, Essex and Thurrock (SET) procedures
63
Safe guarding children (level one) Introduction Welcome to the safeguarding children training level one. Reading and understanding this section will ensure that you are compliant for your safeguarding children level one. However, most clinical staff will also need to attend further training sessions. This section supports you to understand what we mean by safeguarding children, child protection, the different ways a child or young person may be abused or neglected and what action you should take if you ever have concerns that a child is being harmed. Children’s rights Human rights are the basic standards that people need to live in dignity and exist to make sure that we are treated properly, fairly, given the freedom to develop to our full potential, and to promote our wellbeing. In addition to the rights that are available to all people, there are rights that apply only to children. Children need special rights because of their unique needs and because they need additional protection to keep them safe. The United Nations Convention on the Rights of the Child (1989) is an international document that sets out all of the rights that children have. The United Kingdom Government ratified the Convention in 1991 and ensures that every child has the rights that are listed in it by ensuring amongst other things that there is sufficient legislation to keep them safe. These rights are incorporated into legislation such as The Children Act (1989, 2004) the Sexual Offences Act (2003) Female Genital Mutilation Act (2003) and the Forced Marriage Act (2007). This key legislation can be found on the safeguarding children Alex page. What is safeguarding children? Safeguarding and promoting the welfare of children is defined as:
Protecting children from maltreatment. Preventing impairment of children’s health or development. Ensuring children are growing up in circumstances consistent with the provision of safe and effective care.
Taking action to enable all children to have the best life chances.
Safeguarding children is everyone’s responsibility. Although we say this freely, the challenge for us is to follow this through with actions. Non-clinical colleagues are less likely to encounter safeguarding issues as part of their role, but still need to be aware of safeguarding issues, as they can arise both at work and in your private life. 64
What is child protection? Child protection is part of safeguarding and promoting welfare. It refers to the activity that is taken to protect specific children who are being abused, those who are suffering, or are likely to suffer, significant harm. Effective child protection is essential as part of wider work to safeguard and promote the welfare of children. We should aim to proactively safeguard and promote the welfare of children so that the need for action to protect children from harm is reduced. What is child abuse? The term child abuse describes a range of ways in which people harm children or young people (up to the age of 18, or 19 if disabled, including the unborn baby) knowingly, or by failing to act to prevent harm. Children may be abused in a family, institutional or community setting, by those known to them or more rarely, by a stranger for example, via the internet. An adult or adults, or another child or children may abuse them. Child abuse can be physical, emotional or sexual abuse, or neglect or a combination of these. Some forms of abuse are obvious for example, when an adult strikes out at a child in anger but others are much more difficult for outsiders to notice. While some types of abuse are caused by someone doing something that harms the child, others are the result of neglect, of failing to take steps to keep children safe and well.
Definitions of abuse The four categories of abuse are set out below. Physical abuse Hitting, shaking, throwing, poisoning, burning or scalding, drowning, suffocating or otherwise causing physical harm to a child. Fabricated or Induced Illness (FII): May also be caused when a parent or carer fakes the symptoms or deliberately causes ill health to a child whom they are looking after. Female Genital Mutilation (FGM). This is not to say that whenever an injury is caused to a child, it must be a case of physical abuse. An adult or older child might inflict an injury by accident for example, while playing football. What matters is whether the child was knowingly put at risk or whether the parent or carer paid reasonable attention to the child’s safety.
65
Emotional abuse Emotional abuse is the persistent emotional maltreatment of a child such as to cause severe and persistent adverse effects on the child’s emotional development. It could include:
Conveying to children that they are worthless or unloved, inadequate, or valued only as they meet the needs of another person. Not giving the child opportunities to express their views, deliberately silencing them or ‘making fun’ of what they say or how they communicate. Age or developmentally inappropriate expectations being imposed on children. These may include interactions that are beyond the child’s developmental capability, as well as Overprotection and limitation of exploration and learning, or preventing the child participating in normal social interaction. Seeing or hearing the ill- treatment of another (domestic abuse). Serious bullying (including cyber bullying), causing children frequently to feel frightened or in danger, or the exploitation or corruption of children. Some level of emotional abuse is involved in all types of maltreatment of a child, though it may occur alone.
Emotional abuse can also include the risk of radicalisation or exploitation by a radical group. For further guidance, please refer to the policy for the early identification of people at risk of radicalisation (PREVENT). This policy can be found on the risk management Alex page or by contacting a member of the safeguarding team. Sexual abuse Forcing or enticing a child to take part in sexual activities, not necessarily involving a high level of violence, whether or not the child is aware of what is happening. May involve physical contact:
Assault by penetration (rape or oral sex). Non-penetrative acts such as kissing, masturbation, rubbing and touching child outside of clothing. May also include non-contact activities: o Involving children in looking at, or in the production of, sexual images. o Watching sexual activities. o Encouraging a child to behave in sexually inappropriate ways. o Grooming child in preparation for abuse (including via the internet).
Sexual abuse also includes sexual exploitation of children and young people under 18, which involves exploitative situations, contexts and relationships where the young person (or third person/s) receive ‘something’ (e.g. food, accommodation, drugs, alcohol, cigarettes, affection, gifts, money) as a result of them performing, and/or another or others performing on them, sexual activities.
66
Sexual exploitation can occur using technology without the child’s immediate recognition; for example being persuaded to post sexual images on the internet/mobile phones without immediate payment or gain. Sexual abuse is not solely perpetrated by adult males, women also commit acts of sexual abuse, as can other children. Neglect Neglect is the persistent failure to meet a child’s basic physical and / or psychological needs, likely to result in the serious impairment of the child’s health or development. Neglect may occur during pregnancy because of maternal substance abuse. Once a child is born, neglect may involve a parent or carer failing to:
Provide adequate food, clothing and shelter (including exclusion from home or abandonment). Protect a child from physical and emotional harm or danger. Ensure adequate supervision (including the use of inadequate care-givers); or Ensure access to appropriate medical care or treatment.
It may also include neglect of, or unresponsiveness to, a child’s basic emotional needs. (Source: Working Together to Safeguard Children 2015) Myths surrounding child abuse There are many myths surrounding child abuse. Here are just a few: Myth
Only adult males sexually abuse children.
Fact
Although the majority of those who sexually abuse children are men, in up to 20% of cases the abuse is by a female. Young people commit one-third of reported sexual assaults.
Myth
Some cultures believe that child abuse is acceptable.
Fact
There are different understandings as to what constitutes abuse, but all children have the right to protection from harm.
Myth
Disabled children are less likely to be abused.
Fact
Disabled children are more likely to be abused because they are more vulnerable, dependent on others and may be less able to communicate what has happened to them.
67
Myth
Children often lie about abuse.
Fact
Children rarely lie about abuse, and their fear is that they will not be believed. Abusers often tell their victims that no one will believe them if they report what has happened.
Myth
Child abusers have deprived backgrounds and are of below-average intelligence.
Fact
Abusers come from a very wide range of social and intellectual backgrounds and may be well-liked and respected members of society.
Myth
Children are always safe in groups.
Fact
This is not always true: young children have been sexually assaulted in nursery school while other adults and children were present.
Myth
Children abused by their parents are always taken into care.
Fact
Child protection professionals recognise that there are many benefits in keeping a child with their birth family, so they try to protect a child within the home where possible.
What are the effects of child abuse? The effects of cruelty to children are wide-ranging and profound. They vary according to the type of abuse and how long it has been endured but can include:
Behavioural problems. Educational problems. Mental health problems. Relationship difficulties. Drug and alcohol problems. Suicide or other self-harm. Injury and in extreme cases, death.
Many survivors comment that the emotional consequences are far more severe than the physical effects of abuse. Fortunately, children who are abused can be helped. It is vital that everyone who works with children, whether they are paid employees or volunteers, are equipped to recognise signs of child abuse at the earliest opportunity so that the harm can be stopped and the damage can start to be repaired.
68
Looked after children Some children who have been victims of abuse or neglect are taken into care by the local authority and become looked after children. This happens when an assessment by children’s social care indicates that it is not possible for the birth family to care for the child safely, or to protect the child from further abuse. Legal definition of looked after children Looked after - a provision made under the Children’s Act 1989 in England and Wales whereby a local authority has obligations to provide for, or share, the care of a child or young person under 16 years of age where parent(s) or guardian(s) for whatever reason are prevented from providing them with a suitable accommodation or care. Care leaver: a person who has been looked after for at least 13 weeks since the age of 14, and who was in care on their 16th birthday. Reasons that children are taken into care Children may be taken into care as an emergency, or after a period of statutory agencies working with the birth family. Some children are only looked after for a short period and then return home. However, some go on to be adopted or will remain looked after until they reach adulthood. There is a legal framework in England and Wales which defines who are looked after children. Children who are victims of neglect or abuse form the majority of looked after children. Children could also be accommodated for other reasons:
At the request of parents due to parental ill health or parental inability to manage challenging behaviour. Under 18 year olds who arrive in the UK unaccompanied. Young offenders on remand, those in custody or a community based alternative e.g. intensive foster placements or supervision and surveillance.
Depending on the legal status of the looked after child, the local authority may or may not have parental responsibilities and this determines who can give consent for medical treatment. Parental responsibility means the legal rights, duties, powers, responsibilities and authority a parent has for a child and their property. A person who has parental responsibility for a child has the right to make decisions about their care including consent to medical treatment and upbringing. The local authority has parental responsibility under the following types of order: Section 31 (Care order). Section 44 (Emergency protection order). Under supervision order, court bail, in remand, secure accommodation order, etc. (other specific Sections of 1989 Act).
69
If the child needs to be accommodated by the local authority because they do not have a home, or their home is not safe for them to remain there, the birth parents retain the parental responsibility. This is a section 20 order. For unaccompanied asylum seeking children, the local authority has parental responsibility. Health services for looked after children Looked after children are amongst the most vulnerable children in our society as many, have suffered prolonged neglect and abuse. They are known to be at a significantly increased risk of having mental health and behavioural problems (5 to 10 times of general childhood population) and developmental or learning problems (8 times). Such problems can persist for years after they have been taken into care. What should you do if you suspect a child or young person is being abused? Whilst at work If you suspect that a child or young person is being abused whilst at work and you work in a clinical area, immediately inform the person in charge of that area and your line manager. If you suspect a member of staff is carrying out the abuse, you must inform your line manager and the safeguarding children team. If you work in a non-clinical area, contact the safeguarding children team for further advice and support. Outside of work If you suspect that a child or young person is being abused outside of work, you can contact: The local children’s social care team within your council (contact numbers will be on the council’s website). The police on 999. NSPCC on 0808 800 5000. Managing your own feelings and distress Child abuse is both distressing and disturbing. It is natural for you to feel shocked or angry. If you know the person involved, you may find it difficult to accept that it has happened. However, it is important to manage your own feelings so that you can react appropriately. You may find it helpful to talk these issues over with a colleague, friend, member of the safeguarding children team or the staff counsellor so that it is clear where responsibility sits and what contribution you can reasonably be expected to make.
70
Awareness of child abuse can often remind adults of painful situations in their own past. If this applies to you, you may need help from colleagues or professionals in dealing with them. Support is available within the trust via the safeguarding Alex page, safeguarding children team, the Essex Safeguarding Children Board website and the Southend, Essex and Thurrock (SET) Procedures (2015). Alternative support can be accessed from:
NSPCC 0808 800 5000. Website: http://www.nspcc.org.uk/ NAPAC (The National Association for People Abused in Childhood) 0800 085 3330.
Contacting the safeguarding children team You can contact the safeguarding children team on the following numbers:
Dr Than Soe – named doctor safeguarding children internal pager available via switchboard (dial 0 for switchboard).
Nicole Anderson – safeguarding children lead x 7559 or 07770640918
Catherine Jordan – senior safeguarding children nurse x 7559 / 07887523062
Christine Curtis – named midwife x 2929 / 07932528126
Sharon Manzi - safeguarding administrator x 2287.
Outside of office hours, the on-call paediatric registrar or consultant via switchboard.
Further reading You can find our policies on Alex: Safeguarding children policy. Managing allegations against staff working with children policy. Southend, Essex and Thurrock (SET) procedures.
71
Information governance and data security awareness level one Welcome NHS Digital delivers information and technology for better health and care. We have developed this workbook to:
Help you to use and share information in a lawful and secure way. Promote good practice that should be adapted for your working environment.
Description We are required to provide annual training on topics such as:
The Data Protection Act 2018 The General Data Protection Regulations (GDPR) 2018 UK GDPR as of 1st January 2021. The Freedom of Information Act 2000. The adoption of technology – building and maintaining public trust in how we use and share information. Information security policy and procedure.
This workbook provides an overview and guidance and good practice on the above topics. Author: NHS Digital (data security centre and external IG delivery) Duration: Approximately one hour
Learning objectives By the end of this workbook, you will understand:
The principles and terminology of information governance (IG). Basic data security / cyber security terminology. The importance of data security to patient/service user care. That law and national guidance requires personal information to be protected.
In addition, you will be able to:
Explain your responsibilities when using personal information. Identify some of the most common data security risks and their impact. Identify near misses and incidents and know what to report. Distinguish between good and poor practice when using personal information. Apply good practice in the workplace.
72
Why is data security important in health and care? Data security has always been important. In fact, it is no more important today than it has always been. However, it has become more complex and time-consuming to manage now that technology is so central to the way we deliver health and care. Technology provides us with fantastic opportunities and is designed for safe and effective use. We must ensure that we use it in a way that does not pose unacceptable risk to the hospital or the patients that we care for. We all have a duty to protect peopleâ&#x20AC;&#x2122;s information in a safe and secure manner Technology enables us to deliver a better quality of care
Information can be shared more quickly
Powerful analysis can be performed to improve the future of care
Safe data, safe care Good information underpins good care. It is important to maintain the patient and service user confidentiality, use of personal information and ensure that its integrity is protected against loss or damage. Authorised members of staff must only access the information. Everyone who uses health and care services should be able to trust that their personal confidential information is protected. People should be assured that those involved in their care, and running and improving services, are using their information appropriately and only when necessary. You can help to ensure that our patients and service users remain safe and receive the best possible care by being mindful of good practise when handling information. For more information, please refer to:
The CQC review 'Safe Data, Safe Careâ&#x20AC;&#x2122; The national data guardian review of data security, consent and opt-outs
73
Confidentiality, integrity, availability Data security can be broken down into three areas: confidentiality, integrity and availability. Confidentiality
Integrity
Availability
Confidentiality is about privacy and ensuring information is only accessible to those with a proven need to see it.
It would be unacceptable for a perfect stranger to be able to access sensitive information from a laptop simply by lifting the lid and switching it on. That's why a laptop should be password-protected and the data on it encrypted when switched off. Integrity is about information stored in a database being consistent and unmodified.
Systems must be designed so that the input and management of information is not prone to human error and that the flow of information does not result in loss or alteration. Availability is about information being there when it is needed to support care.
System design must include appropriate access controls and checks so that the information in the system has consistency and accuracy, can be trusted as correct and can be relied on when providing health or care.
Scenario Consider this scenario to illustrate the link between safe patient information and safe care. Which aspect of data security does this refer to? Jane has an accident whilst decorating her flat and falls badly, hurting her leg. She calls the ambulance.
74
The paramedics ask Jane for her name, address and about her injury – they can see she is in pain and ask if she is allergic to any medications. She is not sure if she is. Feedback The paramedics use their tablet device to look up Jane’s summary care record, which gives details of her medical history. Confidentiality – the paramedics are proven to have a need to see the record. However, due to a telephone network outage, they are unable to access the relevant information. The paramedics administer morphine, but Jane is allergic – a fact held on her record – and goes into anaphylactic shock. Integrity – the record is correct and unmodified but was not available. She is driven to hospital where her condition stabilises but she is kept in intensive care. In this case, the lack of information availability has had a direct impact on patient care. Summary This section has introduced the concepts of confidentiality, integrity and availability, and explained why data security is important to patient and service user care. We will now look in more detail at the threats to patient and service user information and the legal obligations of all staff in health and care when accessing patient information. Information and the law We will now look in more detail at managing patient and service user information in health and care. It is the law to abide by everything in this session. We will cover: 1. 2. 3. 4.
Confidentiality - good practice The Data Protection Act, including the rights of patients and service users The Freedom of Information Act, including how to comply Good record keeping
Types of information
In health and care settings, we meet various types of personal information about people. It is important to be able to identify these different types of information so that they can be appropriately protected when they are used and shared.
75
Confidential information Confidential information is information that patients and service users disclose in confidence to staff who are providing their health and care - they expect that information to be treated confidentially. It can include names and addresses, as well as a person’s sensitive personal information - for example, health and care information. Other information can also be confidential information, such as employee references and some commercial information (for example, about the organisation). Sensitive information As mentioned above, all health and care information is sensitive, but patients and service users may consider particular types of information to be highly sensitive, for example, information relating to their mental or sexual health. Personal information Information about someone is classed as personal when it identifies an individual. It may be about living or deceased people, including patients, service users, members of staff and other individuals. A person’s name and address are clearly personal information when presented together, but an unusual name may, by itself, might enable an individual to be identified. Personal information may be recorded in hard copy or digital form – for example, photographs, videos/DVDs, whiteboards, health and care records, personnel files, on a computer – or it may be information simply known by others (such as the care team). You may also come across the term ‘personal data’, which is used in the Data Protection Act 2018 and is a subset of personal information. Some personal data may be ‘sensitive personal data’ as it concerns a person’s health and care. The Act also defines other personal data as sensitive such as religion, race and trade union membership. Pseudonymised information Pseudonymised information is information in which an individual’s identity is disguised by using a unique identifier (that is, a pseudonym). This does not reveal their ‘real world’ identity, but allows the linking of different data sets for the individual concerned. Anonymised information This information does not identify an individual and cannot be used to determine their identity. Anonymisation requires the removal of name, address, full post code and any other detail or combination of details that might support identification, either by itself or when used with other available information. Anonymised information does not identify a person, so it cannot be personal or confidential.
76
The value of information
It is important to comply with the law to protect personal information, because health and care information is valuable. Poor security can cause personal, social and reputational damage. Here are some of the common ways that information is lost: Losing information, including paper Theft of information, records, over the such as by clicking on phone, via faxes, loss links to fake websites Common law duty of confidentiality of computers or (phishing) mobiles phones
Insecure storage and disposal of information leading to loss or theft
Under what is known as the common law duty of confidentiality, confidential information (information that individuals disclose in confidence) should not be used or shared further without the consent of the individual. Exceptions to the requirement for consent are limited to: ď&#x201A;ˇ ď&#x201A;ˇ
A legal reason to disclose information, e.g. by Acts of Parliament or court orders; A public interest justification for breaching confidentiality such as a serious crime.
Decisions on whether or not to breach confidentiality should be made by senior staff, for example your information governance lead or caldicott guardian. After you have completed this course, please remind yourself of our procedures, so that you will know what to do if you are asked to share someoneâ&#x20AC;&#x2122;s information without their consent. The caldicott principles Before using confidential information, you should consider the caldicott principles: Principle one: Do you have a justified purpose for using this confidential information? The purpose for using confidential information should be justified, which means making sure there is a valid reason for using it to carry out that particular purpose Principle two: Are you using it because it is absolutely necessary to do so? The use of confidential information must be necessary to carry out the stated purpose.
77
Principle three: Are you using the minimum information required? If it is necessary to use confidential information, it should include only the minimum that is needed to carry out the purpose. Principle four: Are you allowing access to this information on a strict need-toknow basis only? Before confidential information is accessed, a quick assessment should be made to determine whether it is actually needed for the stated purpose. If the intention is to share the information, it should only be shared with those who need it to carry out their role. Principle five: Do you understand your responsibility and duty to the subject with regards to keeping their information secure and confidential? Everyone should understand their responsibility for protecting information, which generally requires that training and awareness sessions are put in place. If the intention is to share the information, those people must also be made aware of their own responsibility for protecting information and they must be informed of the restrictions on further sharing. Principle six: Do you understand the law and are you complying with the law before handling the confidential information? There are a range of legal obligations to consider when using confidential information. The key ones that must be complied with by law are provided by the common law duty of confidentiality and under the Data Protection Act 2018. If you have a query around the disclosure of medical or other confidential personal information you should go to your line manager initially and then the information governance manager if you are still not sure. For serious and complex issues your manager should contact the caldicott guardian for advice and guidance. Principle seven: Do you understand that the duty to share information can be as important as the duty to protect confidentiality? You should have the confidence to share information in the best interests of your patients and service users within the framework set out by these principles. Confidentiality â&#x20AC;&#x201C; good practice
We all have a legal duty to respect the privacy of our patients and service users â&#x20AC;&#x201C; and to use their personal information appropriately. We will now look at the main aspects of confidentiality good practice by covering the following: 78
Informing people Sharing information for care Sharing information for non-care
Informing people Patients and service users will not expect you to look at their record unless you are involved in their care. You should inform them that you are accessing and using their information. There are specific techniques you should use when doing so.
Explain
Give choice
Clearly explain to people how you will use their personal information and point them to additional information about this – for example, on our website, in a leaflet or on a poster.
Give people a choice about how their information is used and tell them whether that choice will affect the services offered to them.
Meet expectations Only use personal information in ways that people would reasonably expect. You do not need to obtain consent every time you use or share personal information for the same purpose, providing you have previously informed the individual – they should know what is happening and have no objections. Sharing information for care Sharing information with the right people can be just as important as not disclosing to the wrong person. When you know that sharing patient information will assist the care or treatment of an individual and you believe that they understand the information sharing that is needed to support that care, you have a duty to share the information. This duty is set out in the Health and Social Care (Safety and Quality) Act 2015, which introduced a legal duty for health and adult social care bodies to share information where it will assist the care of an individual.
Check
Best practices
Check that the individual understands what information will be shared and has no concerns.
Ensure that the data protection, record keeping and security best practices covered later in this workbook are met.
Respect objections Normally, if the individual objects to any proposed information sharing, you must respect their objection even if it undermines or prevents care provision. Your caldicott guardian or information governance lead will be able to advise on what to do in these circumstances. 79
Sharing information for non-care In many cases, you should obtain consent if you want to use someone’s personal information for non-care purposes. However, if there is a risk of immediate harm to the patient, service user, or to someone else, and you cannot find an appropriate person to discuss the information request, you should share the information. At the first opportunity afterwards, you should inform the information governance so that they can follow up the legal basis for sharing.
Ask
Advice
Action
Find out who is responsible for managing information sharing requests in your organisation.
Discuss the request with this person.
Provide the information only when authorised to do so.
Data protection
The Act provides people with a number of rights. The most relevant in a health and care setting are:
The right to be informed about what their personal information is being used for and who it may be shared with (fair processing). When information is held in confidence, people should also be informed that they have a right to have their objection to use and sharing considered and unless there are exceptional reasons why not, to have those objections respected. To see and have a copy of their information (subject to access). To have objections to their information being processed considered where they claim they are suffering unwarranted distress or damage as a result.
Other rights exist and the following rights may be relevant:
To prevent processing for direct marketing. To object to decisions being taken by automated means.
80
Rights of individuals Patients and service users currently have many rights in relation to their information including:
Make subject access requests. Have inaccuracies corrected. Have information erased, where it has not been relied upon to provide health or care. Object to direct marketing. Restrict the processing of their information, including automated decision-making systems or programs.
In addition to accurately recording facts, we must consider that the patient or service user might be able to view their record online. When providing people with access, care must be taken not to reveal information that they do not already know relating to third parties, for example, information in their record about family members, other service users, etc. Data protection – good practice Certain simple actions can ensure that you comply with the principles of the Data Protection Act. We have policies and procedures and can provide training to help you ensure good governance of personal information. No surprises Handle personal information only in ways in which the individual would reasonably expect. Think – how would you expect others to handle your personal information? Be open, honest and clear about:
Why you need the personal information What you intend to do with it With whom you may share it Who the individual should contact, if they wish to obtain a copy
Record clearly It is important that records are full, accurate, dated and timed. They should distinguish between clinical or care findings, your opinions and any information provided by others. Be accurate:
Enter accurate information into records and ensure the information is kept up to date Give individuals the opportunity to check and confirm the details held about them Avoid creating duplicate records
81
Remember – under the Data Protection Act 2018, individuals (including patients and service users) have a right to see information recorded about them. So make sure that what you record is clear and accurate. Secure and confidential disposal
Stick to our rules for the disposal of personal information Seek advice from the ICT department or provider when disposing of information held on digital assets – for example, laptops, smartphones, and so on. Our ICT department must dispose of all devices such as laptops.
General Data Protection Regulation 2018 The General Data Protection Regulation (GDPR) 2018 is a European wide law that applies to our trust because we hold European citizen’s personal data. The GDPR is an evolution of the existing law; it gives people stronger data protection rights and requires personal data to be processed in a manner that ensures transparency, lawfulness and security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures to be used. You can find more guidance in the security section of the ICO Guide to the GDPR at https://ico.org.uk/fororganisations/guide-to-the-general-data-protection-regulation-gdpr/security/ Data protection rights The GDPR aims to give individuals more control over the ways in which we process their personal data, and this has led to the granting of new rights for these individuals, as well as enhancing and improving rights that formally existed. People have eight data protection rights, they are: 1. 2. 3. 4. 5. 6. 7. 8.
The right to be informed The right of access (subject access request) The right of rectification The right to be forgotten (erasure) The right to data portability The right to object restrict processing The right to restrict processing Rights related to automated decision making and profiling.
You may face requests from the public in relation to their data protection rights. In these circumstances, do not handle these requests, but follow the certain minimum procedures set out in our Policy for Individuals Data Protection Rights. The Information Commissioner’s Office (ICO) The ICO is the UK’s independent regulatory authority set up to uphold data protection rights in the public interest, promoting openness by public bodies and data privacy for individuals.
82
The ICO covers a number of acts and regulations including the GDPR, Data Protection Act, Freedom of Information Act and Privacy and Electronic Communications Regulations. Part of their role is to improve the data protection practices of organisations by gathering and dealing with concerns raised by members of the public. If an organisation is not taking its responsibilities seriously, the ICO may also take enforcement action. In the most serious cases, they can serve administrative fines and stop that organisation from using personal data. Administrative fines Under the GDPR there are two tiers of administrative fines that can be imposed:
The maximum fine for the first tier is €10,000,000, or an undertaking up to 2% of total annual global turnover (not profit) of the preceding financial year, whichever is greater. The second tier maximum is €20,000,000 or an undertaking up to 4% of total annual global turnover (not profit) for the preceding financial year whichever is greater
The fines within each tier relate to specific articles within the regulation that the organisation has breached. As a general rule, organisations who fail to comply with GDPR principles will result in a fine within tier one, while data breaches of an individual’s privacy, rights and freedoms will result in a fine within tier two. You can find out more about GDPR on the Information Commissioner’s website at: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/ UK GDPR came into force as of 1 January 2021. Broadly, the principles will mirror the current GDPR arrangements. Freedom of information Where an organisation uses public money, the Freedom of Information (FOI) Act 2000, puts a duty on the organisation to provide information to individuals who make a written request for it. Members of the public can make FOI requests through a number of means:
by letter by email by fax
83
The act allows anyone from anywhere in the world to ask for information held by the organisation. Individuals do not need to say who they are (other than to provide adequate correspondence details) or why they want the information. It must be provided, even if it presents the organisation in a poor light.
The act only applies to information that already exists in a recorded form (for example, documents, emails, written notes, tape recordings). It does not normally require an organisation to create new information in order to meet a request.
Not all organisations have to comply with the Act. See below: Local authorities, health bodies and regulators, dentists, general practitioners, optical contractors and pharmacy businesses must comply with the Act. Private health and care providers should check their contract for any duty to comply with the Act. Charities and similar organisations may deal with FOI requests on a voluntary basis.
Handling Freedom of Information (FOI) requests What you need to know:
Handling FOI requests is a technical skill that should be handled by trained staff. You should not try to handle a request yourself unless you have been trained to do so. Many requests for information will simply be ‘business as usual’ requests. If in doubt, ask.
You have a responsibility to:
Make sure you know who is responsible for managing our FOI requests. Send any FOI requests to the person responsible immediately, to comply with the 20 working day turnaround.
Example FOI request Which one of these examples is not a valid request? Tick two options from the list below, and then go to page 20 to check your answer. A.
Please send me a copy of my social care record
B.
How many GPs work in the practice?
C.
When is my daughter’s next appointment?
D.
How much did the trust spend on rail travel last year?
E.
How many staff have passed their IG training?
Valid
Not valid
84
F.
What services are being considered for closure in the next year?
Record keeping – good practice Poor quality information presents a risk to patients, service users, staff members and the organisation. If you are uncertain about any of the good practice raised in this section, talk to your line manager to improve your understanding. Here are some checklists on what to remember. Accurate and up to date
Make sure you know what needs to be included in the record, why you are recording the information and how it will be used so that the information you enter is correct and clear. Make sure you record the information in the correct system and in the correct record. Give individuals the opportunity to check information about them and point out any mistakes or inaccuracies. If you are not a health or care professional, you should check the information with someone who is – or cross-reference the information with other records. Follow our process to report and correct errors. Give patients or service users the opportunity to check and confirm the details held about them. When using shared records, ensure that they are kept up to date so that other care providers have the correct information available to them.
Recorded and complete Recorded as events occur - record information whilst the event, care or otherwise, is still fresh in your mind. Record high-risk information as a matter of urgency. Complete - include the NHS number in health and care records, this helps to ensure that the correct record is accessed or shared for the correct patient or service user. Free from duplication - before you create a new record, make sure that one does not already exist. Quick and easy to locate - save records in a secure place that is easy to find. Comply with any procedures that ensure records are stored safely and securely, and can be quickly located when required. Scenario Bill has developed clinical depression since he had a personal tragedy but is actively seeking treatment. Because Bill is optimistic about a full recovery through treatment, he has not disclosed his condition to his work colleagues.
85
Because of a data entry error, a receptionist mistakenly calls his work number rather than his personal number and as Bill is in a meeting, one of his colleagues picks up the phone. Thinking Bill has answered, the receptionist goes on to ask him if can come in an hour earlier for his appointment. It is immediately apparent to Billâ&#x20AC;&#x2122;s colleague that Bill is seeking mental health treatment, and rather than keeping the information to himself, the colleague tells other employees. The resulting embarrassment causes Bill to resign and to make a formal complaint to the healthcare provider. This scenario shows the importance of: Entering information accurately into the correct systems Verifying identity before disclosing confidential information
86
Example FOI request - feedback Request
Valid
Not valid x
Feedback
A.
Please send me a copy of my social care record
B.
How many GPs work in the practice?
C.
When is my daughter’s next appointment?
D.
How much did the trust spend on rail travel last year?
x
This is a valid FOI request – it is not seeking information about which staff have travelled by rail but a request for the overall cost of rail travel.
E.
How many staff have passed their IG training?
x
This is a valid FOI request – it is not a request about particular staff, it is about the number of staff that have passed their IG training.
F.
What services are being considered for closure in the next year?
x
This is a valid FOI request – it is asking for information about decisions the organisation may have made regarding service provision.
This is a Data Protection Act subject access request; the requestor should be assisted to make their request to the correct person/team. This is a valid FOI request – it is not asking for information about particular GPs, just how many GPs work in the practice.
x
x
Whilst this is a request for information, it is not an FOI request and it should be handled as business as usual.
Summary We all have a responsibility to use information lawfully. To make sure you comply with the law, you must know and comply with our Data Protection Act or Freedom of Information Act processes in place. Sharing information can improve the speed and quality of service we provide to the public, so do not be afraid to share information on a need-to-know basis. Make sure it is shared in a secure way and that, if necessary, you have consent to do so. Give individuals an opportunity to check the accuracy of information and records held to enable any mistakes to be corrected. 87
If you are unsure, you should ask for help, or seek advice from our information governance team.
Avoiding threats to data security In this section, you will look in more detail at potential threats to the security of information in the workplace. You will learn about: 1. Social engineering. 2. Email phishing and malware. 3. Good practice for protecting information. Social engineering Those who want to steal data may use tricks to manipulate people to give access to valuable information. This is called social engineering. They might try to employ confidence tricks or resort to the interception or theft of devices or documents. This includes digital or physical materials, such as printed documents or mobiles, to gain further access to more protected systems. Criminals will often take weeks and months getting to know a place before even coming in the door or making a phone call. Their preparation might include finding a company phone list or organisation chart and researching employees on social networking sites like LinkedIn or Facebook. The goal is always to gain the trust of one or more of your employees, through a variety of means: On the phone A social engineer might call and pretend to be a fellow employee or a trusted outside authority (such as law enforcement or an auditor).
In the office "Can you hold the door for me? I do not have my key/access card on me." How often have you heard that in your building? While the person asking may not seem suspicious, this is a very common tactic used by social engineers.
Online Social networking sites have opened a completely new door for social engineering scams. One of the latest involves the criminal posing as a Facebook "friendâ&#x20AC;?. However, you can never be certain the person you are talking to on Facebook is actually the real person. Criminals are stealing passwords, hacking accounts and posing as friends for financial gain. 88
The fake ICT department A recent scam is for criminals to set up call centres that make calls to health organisations or social care providers. They may ask you to disclose your username, password, email address or other details about where you work. They may also try to get you to click on a malicious web or email link. Your ICT department or provider already knows a lot about you and will not need to ask these types of questions. Social engineering - what you can do The best advice is to be vigilant at work, whether it is using the phone, receiving unsolicited emails, using social media, or walking around your place of work. Do not be afraid to challenge suspicious behaviour and request proof of identification, if it is safe to do so. Using social media Read these fake social media posts between a mental health worker, a district nurse and their colleagues, and consider how the information could be valuable to a social engineer.
89
In this example, criminal could:
Burgle Sandra's house when she was on holiday. Gain access to Sandra's office using the door entry code. Find out where the mental health worker's new office was by searching the council's website, then aligning the social worker’s online pictures to their office. Access a computer within the building, using the mental health worker’s login details to try to authorise a £50,000 transaction. Attempt to create a new referral for himself, to claim a personal budget. Access bank account details listed in the system, to steal a service user’s money.
Whilst this complete scenario is unlikely to occur, a criminal could gain vital intelligence about how our processes work. Read our internet use policy to avoid any problems. If a criminal can find these posts, so can your employer, which could result in disciplinary action for you. Email phishing and malware
Email can be the most efficient option for exchanging information securely but as with all forms of information transfer there are risks. 90
Hackers and criminals sometimes use unsolicited emails containing attachments or links to try to trick people into providing access to information. Attachments may contain a file with an .exe extension, these files are executable, and some may contain malicious software (malware) that will automatically download onto your computer. This type of threat is known as phishing. If you receive a request from a supposed colleague asking for login details, or sensitive, financial or patient/service user information, you should always double check the request with that colleague over the phone. Equally if you receive an unsolicited email that contains attachments or links you have not asked for, do not open them. Remain vigilant and report the suspicious email to your ICT department or provider. Never give your login details to anyone. Phishing Phishing is by far the biggest and easiest form of social engineering. Criminals use phishing emails and websites to scam people every week. They are hoping for you to click on fake links to sites or open attachments so they can steal data or install malicious software. The aim of phishing emails is to force users to make a mistake – for example, by imitating a legitimate company's emails or by creating a time limited or pressurised situation. Phishing email attachments or websites might ask you to enter personal information or a password – or they could start downloading and installing malware.
Be vigilant:
Stay Vigilant
Do not install any new software unless you are advised to do so by your ICT department/provider. Think - is someone trying to extract or extort information from you? If you are unsure, or think this is happening to you, then you should discuss it with your manager and ICT.
Phishing – what to do If you do identify a phishing email, take these steps:
Do not reply. Select the email, right-click it and mark it as junk.
91
Ensure suspicious email domains are blocked and associated emails are sent to the spam or junk folder. We have a process for dealing with spam – contact the IT service desk on x 1010 or by email paht.itservicedesk@nhs.net
Macros Macros are a series of actions that a program such as Microsoft Excel may perform to work out some formulas. Your computer will disable macros by default because they can be programmed to install malware.
Always be vigilant; especially when clicking 'enable macros' or 'edit document'. Do you trust the source of the document? Malware Malicious software (malware) can reside on your computer and evade detection, making it easier for someone to be active on your system without you noticing. To protect us from these types of threat, our ICT department ensure that we have up-todate antivirus software installed. Malware can make computer run slowly or perform in unusual ways. If you suspect your computer is not performing as it normally does, contact the ICT department. Good practice for protecting information Now that you have read about some of the common threats to data security in the workplace, you will look at some simple ways that you can help to ensure information remains safe.
92
Good practice - Setting passwords It is important to use strong passwords on all your devices to prevent unauthorised access. You should also use different passwords for each account. Creating strong passwords does not need to be a daunting task if you follow simple guidelines. The National Cyber Security Centre (NCSC) has a range of guidance on good password management, including this article to help you set secure passwords: https://www.ncsc.gov.uk/blog-post/three-random-words-or-thinkrandom-0. Consider the use of a free password manager as well; again the NCSC have detailed guidance on what to look for: https://www.ncsc.gov.uk/blog-post/what-does-ncsc-thinkpassword-managers. Good practice - locking devices A number of simple measures can help you to stay safe online. You should lock your device as soon as you stop using it. All mobile phones, laptops, PCs and tablets, whether personal or not, should have a passcode set. If you see a colleague's device open and unlocked, lock it for them and gently remind them to do so in future. This also applies to corporate mobile devices - activate the lock function so that a password or code is needed to unlock them. Tip: select the Windows Key + L on your keyboard to lock your laptop or PC quickly. Good practice - removable drives Do not use unauthorised USB drives and avoid plugging in any non-approved devices to charge via a USB cable. A private mobile phone is effectively a large USB storage device and may contain malware. Before using USB drives, scan them to ensure they are safe. A USB device can technically be a small computer. If you plug the USB into an untrusted computer, malicious software could be transferred and passed on to any other devices where you use the USB. Ask the ICT department if you are unsure. Good practice - untrusted websites Be vigilant when you visit a website that is declared "untrusted".
93
If a web browser states that you are about to enter an untrusted site, be very careful – it could be a fake phishing website that has been made to look genuine. A browser may display a red padlock or a warning message stating ‘Your connection is not private’. Good practice - mobile devices
Digital do’s
Read, understand and comply with our policy and procedures regarding the use of digital assets. Seek advice from your line manager if any aspects of the policy or procedures are unclear. Store your digital assets securely when not in use. Update antivirus software if your digital asset prompts you to do so. Keep regular backups of the data stored on digital assets – store appropriately, according to our policies. Report any lost or stolen digital asset to the police immediately – you should also follow our incident management procedure. Ensure that digital assets and passes are handed back if you are leaving the organisation.
Digital don’ts
Do not use your own device for business purposes unless this has been properly authorised. Do not use work-provided digital assets for personal use (such as social media and personal web browsing) unless you are authorised to do so. Do not connect your work-provided digital asset to unknown or untrusted networks – for example, public Wi-Fi hotspots. Do not allow unauthorised personnel, friends or relatives to use your work-provided digital assets. Do not attach unauthorised equipment of any kind to your work-provided digital asset, computer or network. Do not remove or copy personal information, including digital information (such as by email, on a USB stick), off site without authorisation. Do not leave digital assets where a thief can easily steal them – for example, on display or unattended in your car or in a public place. Do not install unauthorised software or download software or data from the internet. Do not disable the antivirus protection software.
94
Good practice - disposal of confidential information We have to be careful when disposing of any information. Much of the data that health and care organisations create and use is classed as official in the eyes of the government. OFFICIAL - government definition The majority of information that is created or processed by the public sector: this includes routine business operations and services, some of which could have damaging consequences if lost, stolen or published in the media. Special care must be taken to dispose of the following securely, including but not limited to:
Paper records that contain confidential information
Desktop computers
Servers
Multifunction devices (e.g. Printers/Photocopiers)
Laptops, tablet computers and electronic notebooks
Mobile telephones
Digital recorders
Cameras
USB devices
DVDs, CDs and other portable devices and removable media.
We have a process for securely disposing of each of these things to avoid breaches. Good practice - clear desks Most organisations now have policies about having clear desks. This is because things tend to get lost on cluttered desks. Do not leave information in unsecure locations. For example, documents that identify someone, financial information etc. Having a clear desk ensures that you are not potentially leaving sensitive information laying around, raising the risk of a breach.
Summary In this section you have learnt about different types of data security threat, how to spot them, and what to do. The learning also covered good practice in the workplace. 95
The last section covers what to do if you identify that a security incident or breach has occurred.
Breaches and incidents This section will look at some scenarios for breaches and incidents and explain how to avoid them. In your place of work, you must be able to spot common activities where information could be lost, and know what to report. All members of staff provide our first line of defence against information loss and theft. The section covers:
Identifying breaches and incidents Reporting breaches and incidents Avoiding breaches and incidents Everyday scenarios where information can be lost.
You have already looked at a number of ways in which data security might be compromised. Such incidents typically fall into two categories:
A breach of one of the principles of the Data Protection Act 1998 and/or confidentiality law Technology-related incidents
A breach can be caused by a security incident for example, disclosure of patient details using social media. However, some incidents for example, defacing a website may not involve a breach of information. More information about the different types of incidents is in the table below. Breaches
Cyber incidents
Identifiable data lost in transit
Phishing email
Lost or stolen hardware
Denial of service attack
Lost or stolen paperwork
Social media disclosure
Data disclosed in error
Website defacement
Data uploaded to website in error
Malicious damage to systems
Non-secure disposal – hardware
Cyber bullying
Non-secure disposal – paperwork Technical security failing Corruption or inability to recover data Unauthorised access or disclosure
96
Breaches The Information Commissioner reports on trends in breaches and incidents and can be found here: https://ico.org.uk/action-weve-taken/data-security-incident-trends/ In health and care the most common forms are:
Faxes that are sent to the wrong number or misplaced. Lost or stolen paperwork. Failure to adhere to principle 7 of the Data Protection Act 2018.
Incidents using technology Website defacement This term is used to describe an attack on a website that changes the content of the site or a webpage. It may also involve creating a website with the intention of misleading users into thinking that a different person or organisation has created it. Social media disclosure This term is used to describe the disclosure of confidential or sensitive information through an employee’s social media profile.
Denial of service attack This term is used to describe an attempt to make a machine or network resource unavailable to its intended users.
Malicious damage to systems This term is used to describe what happens when a person intentionally sets out to corrupt or delete electronic files, information or software programs.
Consequences of breaches and incidents Imagine the risk of making an important decision about a person’s care if their record was no longer available, was wrong or incomplete, or if someone had tampered with it. By this point in the course, you should understand why data security measures are in place. We all need to help ensure that our information is protected in the best way possible.
97
Reporting incidents You have a responsibility to know how to report data security incidents:
If you know or suspect that an incident has taken place, register it in line with our incident reporting procedure. This is through Datix. Notify the information governance lead as soon as possible, so they can assess how serious the incident is and start an investigation. Know our policy on the fair use of ICT– do not alter or change any software on your device without permission. For more information view the two IT policies: IT Compliance Policy IT Security Policy
Read your organisations Fair Use of ICT policy
A data incident takes place
Notify the right team about the incident (Typically your ICT or IG team)
In your notification you should include when, where and what business activity you were conducting when it happened.
Near misses where data was nearly lost or where there was nearly a breach should also be reported.
Report suspected incidents and any ‘near misses’. Lessons be learned from them – they can be closed or withdrawn when the full facts are known.
98
Data security risks - scenarios Certain procedures can help to reduce the risk of sending information by post, email, telephone and fax. Consider these scenarios and the different ways in which breaches and incidents can be avoided by remaining vigilant and aware of your personal responsibility. Postal breach Consider the following scenario which illustrates how incidents can arise using the post. The situation - Miss Broom is waiting to receive information from her social worker. She opens her post one morning and finds that, as well as her own letter, the envelope contains two further letters addressed to other people.
The organisationâ&#x20AC;&#x2122;s reaction â&#x20AC;&#x201C; the organisationâ&#x20AC;&#x2122;s information governance lead telephones Miss Broom to apologise for the error and asks her to keep the letters safe whilst arrangements are made for someone to collect them.
Miss Broom contacts the organisation and tells an administrative officer about the additional letters. She receives an apology and the promise of a call back. Consequences - The organisation wrote a formal apology to Miss Broom and to the two individuals that she received letters about. Both individuals were deeply concerned that Miss Broom (who they did not know) now knew important information about them. One of them wrote to their local paper about the breach. Senior staff in the local authority spent the next two weeks responding to media queries about the number of breaches the organisation had experienced. The other individual, who had suffered from a similar breach the previous year, instructed his solicitor to bring legal proceedings against the local authority.
If you are placed in this situation, follow our procedures and where possible, adhere to the following principles.
99
Email breach The situation - Mr. Foster has recently been diagnosed with depression and has joined a support group to help him through his care. The organisation emails information to support group members each month. Recently, they have started to receive emails and phone calls from individuals who are upset about the disclosure of their names and email addresses to more than 500 people. The organisation’s reaction - The organisation undertakes an investigation and finds that a new member of staff had sent out the email. They had mistakenly put the list of all the support group members’ email addresses in the ‘CC’ field – rather than the ‘BCC’ field – of all the individual emails. Consequences - Everyone who received the email could identify who was a member of the depression support group. The investigation also finds that all existing staff members involved in sending out emails knew what to do, but had not supervised the new member of staff.
We have guidance on sending secure emails. You can also go to the NHSmail portal to access guidance about sending emails securely: https://portal.nhs.net/Home/AcceptablePolicy If you are placed in this situation, follow our procedures and:
Make sure you know the difference between ‘TO’, ‘CC’ and ‘BCC’.
Check email content and distribution before you click ‘Send’.
Be aware that some people may share their email accounts so the content may need to be adjusted.
Email checklist Before emailing any external parties:
Check with your line manager and/or information governance lead whether it is acceptable to send personal information in this way.
Confirm the accuracy of the email addresses for all intended recipients, sending test emails where unsure.
Check that everyone on the copy list has a genuine ‘need to know’ the information you intend to send.
When referring to patients or service users use the minimum identifiable information (e.g. NHS number).
Check whether you need to encrypt the email yourself or the recipients are all using secure interoperable email systems, e.g. NHSmail-to-NHSmail or to Government Secure Internet (GSI) systems. Ask the IT team for support if you do not know.
100
Where email needs to be sent to an unsecure recipient check whether this is at the request of a service user who understands and accepts the risks or if encrypting the email yourself is more appropriate.
Phone breach Consider the following scenario which illustrates how incidents can arise using the post. The situation - Joe, a practice manager, receives a call from a local hospital requesting information about Mrs Smith, one of the practice patients. He knows she has been referred to that hospital for cancer investigation so he gives the information to the caller. The result - The next morning, Mrs Smith phones the practice and tells Joe that her brother-in-law has information about her health that he can only have obtained from the practice. At that point, Joe realises he had no proof that the previous day's call was from the local hospital. Phone checklist If a request for information is made by phone, where possible:
Confirm the name, job title, department and organisation of the person requesting the information.
Confirm the reason for the information request is appropriate.
Take a contact telephone number, e.g. main switchboard number (never a direct line or mobile phone number).
Check whether the information can be provided – if in doubt, tell the enquirer you will call them back.
Provide the information only to the person who requested it (do not leave messages).
Ensure that you record your name, date and the time of the disclosure, the reason for it and who authorised it – also record the recipient’s name, job title, organisation and telephone number. Fax breach You should never send personal information by fax unless it is necessary. Some organisations use multi-function printers (photocopiers) to send faxes; this rule also applies to these devices. Consider the following scenario, which illustrates how incidents can arise using fax.
101
The situation - Rachel works in a care home and is asked to fax some service user information to a local general practice. However, she is in a rush and accidentally gets one of the numbers wrong.
What happens - The fax goes to a local golf club where the manager calls the local newspaper. An embarrassing article about negligence and breach of confidentiality soon follows.
The consequences - This is not the first such error made by Rachel’s organisation and the Information Commissioner’s Office, once informed, carries out an investigation that results in a £100,000 fine.
Fax checklist If it is necessary to send information by fax, use the following procedure where possible:
Personal details should be faxed separately from clinical details with the exception of the NHS number.
Telephone the recipient of the fax (or their representative) to let them know you are going to send confidential information.
Ask the recipient to acknowledge the fax.
Double check the fax number and use pre-programmed numbers.
Make sure your fax cover sheet states who the information is for, and mark it ‘Private and confidential’.
Either request a confirmation that the transmission was completed or call to confirm.
Make sure you remove the original document from the fax machine once you have sent the fax.
Fax machines used for sensitive information should be sited in a ‘safe haven’ location - in a room with access controls, not in reception or in front of clear-glass windows or public-accessible areas.
102
Data security risks Last week, someone in a high visibility vest visited a social care office as well as a GP practice. He followed a member of staff into the building and told the receptionist that he needed everyone's details for a 'software update'. He then sold these details to other criminals. Let us find out what else he found.
Doors Nearly every door he encountered in the office was open. Even those doors marked as â&#x20AC;&#x153;restricted accessâ&#x20AC;? had been propped open to allow for a delivery. Visitors When he was at the reception desk, he asked for directions to the server room. The receptionist was happy to help, he was not asked to sign in or show a visitorâ&#x20AC;&#x2122;s badge. Desks Despite most organisations having strict clear desk policies, it was amazing how much information he could find in unoccupied office areas. He had a bag of memory sticks and randomly dispersed them around the desks in the hope that someone will plug one into their machine. Once plugged in, it will start installing malware into the computer. Other areas He then gains access to the server room as the door has been left unlocked. From here, the possibilities are endless. With this access, he can disrupt the server, causing connectivity problems across the whole organisation. As there is so little physical security, he can potentially come and go as he pleases. Summary In this workbook, you have looked at why data security is important, the legal obligations for staff working in health and care, threats to the security of information, and how to identify a potential incident or breach. 103
You can now see why good data security is important, and why we are all bound by legal requirements to protect health and care information. You should now complete the assessment to finish your training.
Module summary Having completed this session, you should understand:
The principles and terminology of information governance (IG).
Basic data security / cyber security terminology.
The importance of data security to patient/service user care.
That law and national guidance requires personal information to be protected.
And be able to:
Explain your responsibilities when using personal information.
Identify some of the most common data security risks and their impact.
Identify near misses and incidents and know what to report.
Distinguish between good and poor practice when using personal information.
Apply good practice in the workplace.
Resources You can refer to the following internal policies for additional information: Data protection and confidentiality policy Freedom of information policy Email use policy Internet use policy IT compliance policy IT security policy You can also refer to the following external documents for additional information:
1. Department of Health. Information Security Management: NHS Code of Practice1. London: DH, 2007. 2. Records Management Code of Practice for Health and Social Care 2016 2 IGA, 2016 1
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/200506/Information_Securit y_Management_-_NHS_Code_of_Practice.pdf 2 https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-informationgovernance/codes-of-practice-for-handling-information-in-health-and-care/records-management-code-ofpractice-for-health-and-social-care-2016
104
3. Website of the Information Governance Alliance3 4. Caldicott 1 - Report on the Review of Patient-Identifiable Information4. London: Caldicott Committee, 1997 5. Caldicott 2 - Information: To Share Or Not To Share? The Information Governance Review5. London: Independent Information Governance Oversight Panel, 2013 6. Caldicott 3 - Review of Data Security, Consent and Opt-Outs6. London: National Data Guardian, 2016 References 7. Information Commissionerâ&#x20AC;&#x2122;s Office. Trends in breaches and incidents7 8. Department of Health. Confidentiality: NHS Code of Practice8. London: DH, 2003. 9. The National Cyber Security Centre - Creating passwords9 10. The National Cyber Security Centre - Password Managers10
You have reached the end of this learning workbook For more information on information governance, contact us by emailing paht.infogov@nhs.net or calling: Tel: 01279 444455 x 1015 | x 1025 | x 1032 Acknowledgement to author of this document - NHS Digital and Department of Health https://www.igt.hscic.gov.uk/NewsArticle.aspx?artid=170
3
https://digital.nhs.uk/information-governance-alliance http://ukcgc.uk/docs/caldicott1.pdf 5 https://www.gov.uk/government/publications/the-information-governance-review 6 https://www.gov.uk/government/publications/review-of-data-security-consent-and-opt-outs 7 https://ico.org.uk/action-weve-taken/data-security-incident-trends/ 8 https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/200146/Confidentiality__NHS_Code_of_Practice.pdf 9 https://www.ncsc.gov.uk/blog-post/three-random-words-or-thinkrandom-0 10 https://www.ncsc.gov.uk/blog-post/what-does-ncsc-think-password-managers 4
105
Information governance and data security awareness: assessment
Name Email Job title Date
Please note that you will need to complete the test again if you fail as your training compliance status is only updated after successfully passing this assessment. The minimum pass rate is 80%.
Note: attempt all of the following 15 questions, print and then email the assessment to paht.training@nhs.net Question 1: Which of the following statements on the types of information used in health and care is correct? Tick one option from the answers listed below. A
Personal information applies only to living people
B
Personal information applies only to patients
C
A personâ&#x20AC;&#x2122;s name and address are needed for them to be identified
D
An unusual name will not identify an individual
E
Anonymised information cannot be personal or confidential
Question 2: Which of the following statements on the topic of confidentiality is correct? Tick one option from the answers listed below. A
It is not necessary to explain how someoneâ&#x20AC;&#x2122;s personal information will be used
B
It is not necessary to give them a choice about how their personal information is used 106
C
It is not necessary to tell them before their personal information is shared for the first time
D
It is not necessary to get consent every time you subsequently share someoneâ&#x20AC;&#x2122;s personal information for the same purpose
Question 3: Which of the following statements on the Data Protection Act 2018 is correct? Tick one option from the answers listed below. A
The Act only applies to patient or service user information
B
The Act only applies to personal information in digital form
C
The Act prevents information being shared for health and care purposes
D
Organisations can be fined or face legal action for breaching the principles of the Act
Question 4: Which of the following statements on the Freedom of Information Act is correct? Tick one option from the answers listed below. A
The Act puts a duty on organisations to supply information to individuals who make a written request
B
Individuals can submit a request for information in writing or over the telephone
C
Organisations must respond to a valid request within 10 working days
D
If necessary, organisations have a duty to create new information in order to meet a FOI request
Question 5: Which of the following represents an example of good practice in record keeping? Tick one option from the answers listed below. A
Storing commonly used records in your drawer
B
Including each personâ&#x20AC;&#x2122;s NHS number
C
Creating duplicate records for each person
107
D
Preventing people from checking their own details
E
Updating records at the end of each month
Question 6: Which of the following represents an example of good practice in physical security? Tick one option from the answers listed below. A
Having a sign-in procedure for visitors
B
Sharing your ID badge with a colleague who has forgotten his
C
Propping open fire doors when the weather is warm
D
Leaving service user records on your desk in case you need them later
Question 7: Which of the following should not be used to send personal information unless necessary? Tick one option from the answers listed below. A
Post
B
C
Fax
D
Telephone
Question 8: Which of the following is likely to increase the risk of a breach when sending personal information? Tick one option from the answers listed below. A
Using a trusted postal courier service
B
Verifying the identity of telephone callers
C
Using a secure email system
D
Leaving messages for telephone callers 108
E
Encrypting any personal information
Question 9: Which of the following statements best describes how to respond to an incident? Tick one option from the answers listed below. A
All incidents should be reported
B
An incident should be reported only if it results in personal information being revealed
C
An incident should be reported only if it results in personal information being lost
D
An incident should be reported only if it results in harm to a service user
E
There is no need to report an incident
Question 10: Which of the following is least likely to create a security risk? Tick one option from the answers listed below. A
Leaving sensitive documents on your desk
B
Using a company USB at work
C
Using an unauthorised mobile phone for work matters
D
Leaving a restricted access door open
Question 11: Which of the following is characteristic of a secure password? Tick one option from the answers listed below. A
No more than 5 characters in length
B
Contains your username
C
Contains a mix of character types
109
D
Similar to previous passwords
Question 12: Under which of the following circumstances is it acceptable to use your work-provided digital asset for personal browsing? Tick one option from the answers listed below. A
To connect to your personal webmail
B
If you do not stay online too long
C
When you are working outside the office or home
D
Only if you have been authorised to do so by your organisation
Question 13: Which of the following is the best course of action if you receive a phishing email? Tick one option from the answers listed below. A
Reply to the email
B
Forward the email to your colleagues
C
Notify your IT department/provider
D
Open the attachments
E
Click on the links in the email
Question 14: Consider the following statement. â&#x20AC;&#x153;If your computer is running slowly you should disable the anti-virus software.â&#x20AC;? Tick one option from the answers listed below. A
This statement is true
B
This statement is false
110
Question 15: Which of the following represents an example of good practice in data security? Tick one option from the answers listed below. A
Attaching unauthorised equipment to your work-provided digital asset
B
Updating the anti-virus software on your work-provided digital asset
C
Using your work-provided digital asset for personal reasons not consistent with your organisationâ&#x20AC;&#x2122;s policy
D
Downloading software or data from the Internet to your work-provided digital asset
E
Connecting your work-provided digital asset to an unknown network
You have now completed the assessment. Please email this to paht.training@nhs.net and allow five days for the team to email you the results.
111