QSPOL01 Incident Reporting and Management Policy extended


Incident Reporting (including Serious Incident Reporting) & Management Policy

Version: V9

Ratified By: Quality & Safety Committee

Date ratified: 23/01/2020

Job Title of Author: Head of Quality and Safety

Reviewed by Sub Group or Expert Group: Expert Panel (Virtual Review)

Equality Impact Assessed by: Head of Quality and Safety

Related Procedural Documents:

CPOL15 Cardiopulmonary Resuscitation Policy

CPOL06 Verifying Deaths Policy

HSPOL26 Medical Devices Policy

CSPOL01 Complaints & Compliments Policy

HRPOL14 Disciplinary Policy

HSPOL17 Fire Policy

HSPOL08 Health and Safety at Work Policy

HSPOL16 Violence and Aggression Policy

HRPOL01 Freedom to Speak Policy

HSPOL19 Lone Working Policy

IGPOL63 Health Record Keeping Policy

IGPOL29 Access to Records Policy

IGPOL62 Information Governance Policy

MMPOL30 Medicines Management Policy

QSPOL07 Consent Policy

QSGUI01 Guidance on writing a witness statement as part of a Serious Incident Investigation

QSPOL09 Risk Management Policy

QSPOL03 Being Open & Duty of Candour Policy

SGPOL02 Safeguarding Children & Young People Policy

SGPOL07 Safeguarding Adults at Risk of Abuse

East of England SHA Serious Untoward Incidents Policy

Review Date: 23/01/2023

Extension granted Feb 2023 QPLT to 30/6/2023

It is the responsibility of users to ensure that they are using the most up to date document template, i.e. obtained via the intranet.

In developing/reviewing this policy Provide Community has had regard to the principles of the NHS Constitution.

Version Control Sheet

| Version | Date | Author | Status | Comment |
|---|---|---|---|---|
| V2 | 24/01/2011 | Safer Services Manager | Approved | Reviewed in line with transition to CECS CIC |
| V3 | 28/10/2011 | Quality & Safety Facilitator | Approved | Update to Datix Web requiring update to Appendix 1 |
| V4 | 16/04/2013 | Safer Services Manager | Approved | Reviewed in line with CQC recommendations. |
| V4.1 | 23/05/2013 | Safer Services Manager | Approved | Appendix 4 and 5 added |
| V4.2 | 17/07/2013 | Head of Quality & Safety | Approved | Updated Appendix 5 |
| V4.3 | 01/09/2013 | Safety & Quality Administrator | Approved | Updated in line with organisation name change and structure |
| V5 | 01/05/2015 | Head of Quality & Safety | Approved | Full review of Policy |
| V6 | 18/08/2016 | Head of Quality & Safety | Ratified at Q&SC | Full policy review. Previously IGPOL19 |
| V7 | 08/11/2017 | Head of Quality Assurance | | Review of policy following internal procedural changes as a result of training |
| V8 | | Head of Quality Assurance | | Review of policy following internal procedural changes as part of improving processes following a Serious Incident review. |
| V9 | 23/01/20 | Head of Quality and Safety | | Updated in line with service Quality Assurance requirements and Organisation restructure |

1. Introduction

The policy details an organisational framework for the management of incidents to ensure incidents are identified, reviewed and the lessons learnt are identified and shared. All reported serious incidents are analysed to identify root causes and any likelihood of reoccurrence.

Provide is committed to accurate monitoring of incident activity across all services. Provide is committed to learning from activities and incidents, demonstrating decision making processes regarding how incidents are handled.

Provide is responsible for the safety of staff, service users and visitors and ensures robust systems are in place for recognising, reporting, investigating and responding to incidents and for arranging and resourcing investigations.

Provide’s commissioners are responsible for holding Provide to account for quality assuring the robustness of the organisation’s serious incident investigations and the development and implementation of effective actions, to prevent recurrence of similar incidents.

Incident

Any event or circumstance that led to unintended or unexpected harm, loss or damage.

Patient Safety Incident

A patient safety incident is any unintended or unexpected incident which could have or did lead to harm for one or more patients receiving NHS care (NHS Improvement, 2017).

Near Miss

An event or occurrence which, but for skilful management or a fortunate turn of events, would have led to harm, loss or damage (NHS Improvement, 2017).

Serious Incident

Serious Incidents in healthcare are adverse events, where the consequences to service users, families and carers, staff or organisations are so significant or the potential for learning is so great that a heightened level of response is justified (NHS England, 2015).

Within Provide a serious incident is declared as such once there is agreement from a Director that the event has met the criteria of a serious incident, as defined by NHS England in the Serious Incident Framework. This will instigate a formal investigation reportable to Commissioners and Regulatory bodies.

2. Duty of Candour

Providers of healthcare have a duty to be honest and open with patients and their families and give them information about any incidents that have taken place in relation to the care delivered by Provide or on behalf of Provide. The organisation is committed to supporting families and staff when things go wrong and understands the importance of being transparent in admitting mistakes and learning from them to improve the services being delivered.

Any incident occurring during the delivery of care to a Service User must be verbally communicated as soon as possible to the Service User and/or their families/carers. This must be clearly recorded in the Service User’s health record, to verify it has taken place. A notifiable patient safety incident is defined in Care Quality Commission Regulation 20 as:

‘An unintended or unexpected incident … that could result in, or appears to have resulted in the death of a service user … or severe or moderate harm or prolonged psychological harm to the service user’

In the event of a notifiable patient safety incident, the verbal communication must be immediately followed up by a written apology that clearly states that a full investigation is being undertaken, the terms of reference and the contact details of the Senior Manager of the Service where the incident occurred, should they require any further information during the investigation period. Support will be provided to the Service User and their family throughout the investigation process and their wishes will be respected as far as possible.

The Statutory Duty of Candour states that the initial written apology must be sent within 10 working days of the incident occurring, by organisations operating under the standard NHS contract (CQC Regulation 20: 20(2)).

On completion of an investigation a letter must be sent to the Service User and/or their families/carers outlining the key findings of the investigation and inviting them to meet to go through the findings. This letter must be sent by the Assistant Director of the Service where the incident occurred. The Service User and/or their families/carers are entitled to request a meeting to review the investigation report at any time in the future.

Provide’s Chief Executive Officer and Board have responsibility to ensure that the Organisation supports the Duty of Candour and is open in the reporting of all incidents.

Safety incidents, particularly those causing significant harm, can have severe and long-lasting consequences for Service Users, their families and carers, and are often distressing for the professionals involved. Being open with people about what has happened and discussing incidents promptly, fully and compassionately can help Service Users and professionals to cope better with the after effects.

Being open following a Serious Incident involves:

• Acknowledging, apologising and explaining when things go wrong

• Conducting a thorough investigation and reassuring patients, their families and carers that lessons learned will help prevent the incident happening again

• Providing support for those involved to cope with what happened

Reporting of incidents requires an open and just culture so that healthcare professionals feel able to report. This is one of the key foundations for being open. A just culture recognises that competent people make mistakes but has no tolerance for reckless, dangerous or negligent behaviour. If staff feel they will be treated fairly, they will report incidents, and then they can be open with patients and apologise, explain, investigate and learn lessons.

For full details of how to share information in relation to incidents with Service Users and families refer to Policy: QSPOL03 Being Open and Duty of Candour Policy.

Information Governance

For personal data breach (IG) incidents the organisation must provide the following to the Service User:

• The name and contact details of the organisation’s data protection officer or other contact point where more information can be obtained

• A description of the likely consequences of the personal data breach

• A description of the measures taken, or proposed measures to be taken to deal with the personal data breach, including where appropriate, the measures taken to mitigate any possible adverse effects

3. Accountability and Responsibility

Provide Chief Executive Officer (CEO)

Has overall accountability for all matters relating to incident reporting and management across the organisation and Provide group. The CEO is responsible for ensuring that systems are in place to report and monitor incident data, respond appropriately to incidents and learn with respect to all incidents. The CEO is also responsible for ensuring that relevant information is made available to the Provide Board with respect to reporting and learning from all incidents.

Provide Board

Responsible for reviewing data and associated processes, responses and learning in order to satisfy itself that processes are robust, actions have been identified and implemented as appropriate and that learning has been identified and shared appropriately. This process of review will act as the assurance for Provide Board.

The Executive Directors and Director of Operations

Responsible for ensuring they receive an incident overview through Provide’s governance framework.

Responsible for liaising with the relevant Assistant Director as part of the decision making process leading to the commissioning of the investigation. Ultimate responsibility for declaring an incident ‘serious’ when appropriate.

The Executive Clinical & Operations Director, Director of Operations and Director of Nursing and Allied Health Professionals have responsibility for declaring patient safety events as ‘Serious Incidents’ when appropriate.

The Executive Finance Director has responsibility for declaring information governance events as ‘serious incidents’ when appropriate.

In the event of a likely serious incident and the absence of the appropriate executive or deputy director, the decision making will transfer to the director on duty.

Assistant Directors

Responsible for ensuring that they and all members of their staff are aware of and act in line with the relevant policies governing incidents and associated reporting and learning. Assistant Directors are responsible for submitting a quarterly report to assure the Quality & Safety Committee that all incidents are being appropriately managed.

Assistant Directors are responsible for liaising with the appropriate Executive Director to determine when an incident has met the criteria to be reported as a serious incident. Assistant Directors must inform the Clinical Quality Team when an incident has been classified as a Serious Incident in order to initiate the external reporting process.

Assistant Directors are responsible and accountable for ensuring that all serious incident action plans within their Business Units are completed and signed off within the agreed 3 month timeframe and are reported to the relevant Quality and Safety Committee. Assistant Directors are responsible for implementing steps to disseminate the learning from incidents and for ensuring that actions required following investigations are implemented.

The relevant Assistant Director has responsibility for reviewing the serious incident action plan two months after the date of the Serious Incident Review Group. All serious incident action plans are only held centrally on the R-Drive (Quality Action Logs/Serious Incidents). The finalised action plan must be presented to the Quality & Safety Committee for final approval, three months from the date of the SIRG.

The Director of Nursing and Allied Health Professionals

Responsible for assigning an appropriately trained member of staff to act as the Investigation Officer for the Serious Incident. In the absence of the Director of Nursing and Allied Health Professionals the Director for Operations will undertake this. They are responsible for ensuring that details are shared with the Investigation Officer and the Assistant Director for the Service where the Investigation Officer has been allocated from and the Assistant Director for the Service where the incident occurred.

The Head of Quality and Safety

Has delegated responsibility from the Director of Nursing and Allied Health Professionals for ensuring that all incidents reported are done so correctly and in line with the processes described within this policy. They are responsible for ensuring that all Serious Incident investigations are tracked and reported in line with reporting timeframes. The Head of Quality and Safety is responsible for reviewing action plans before they are presented to the Quality & Safety Committee. The Head of Quality and Safety and the Serious Incident Investigator are responsible for reviewing all reported incidents to identify trends and themes to ensure that robust governance systems are in place.

All serious incident action plans and reports from investigations will be reported at the relevant Serious Incident Review Group (SIRG) prior to (internal) sign off at the Quality & Safety Committee.

Clinical Quality Team

Ensures all draft reports, minutes and communications in relation to Serious Incidents are stored securely, maintains the accuracy of the version control and is responsible for monitoring the progress of the serious incident investigation. This includes ensuring that all action plans following Serious Incident Investigations are reviewed. Responsible for keeping a live record of trained Investigation Officers who have agreed to undertake serious incident investigations.

The Quality & Safety Committee (Q&SC)

Responsible for requesting and reviewing incident data to ensure processes are robust, actions have been identified and implemented as appropriate and that learning has been identified and shared appropriately. This process will act as the assurance for the Q&SC and will form part of the assurance to Provide Board.

Service Leads within the relevant Business Unit

Responsible for ensuring their staff are aware of their obligation to report incidents and for the timely review of reported incidents within their teams.

Responsible for completing a preliminary 72 hour serious incident report for submission to the Clinical Quality Team who will forward to the relevant Commissioner, when appropriate. Service Leads within the relevant Business Unit are responsible for implementing recommendations and actions identified in the Serious Incident Action Plan. This includes monitoring the action plans when requested to do so by their Assistant Director.

The latest version of each action plan will be stored centrally on the R-drive by the Quality and Safety team and the responsibility for updating an action plan to the R-drive sits with the relevant Assistant Director.

Investigation Officer and/or Officers (dependent on the investigation)

Responsible for undertaking a comprehensive review of the incident ensuring they follow the principles of the Serious Incident Framework (NHS England, 2015). This includes the completion of a Serious Incident Investigation Report, which is submitted to Commissioners via the Clinical Quality Team within 60 working days of the incident being reported to the Commissioner. Investigating Officers must access QSGUI01: Guidance on writing witness statements as part of a Serious Incident Investigation.

The Line Manager for the Investigating Officer/Officers will have agreed with the Assistant Director of the Business unit to assign time to allow the Investigating Officer to undertake the investigation.

All staff (clinical and non-clinical) within Provide

Responsible for reporting all incidents using the Datix Electronic Incident Reporting System (DATIX).

Staff must alert their relevant Service Lead when incidents happen within their area, who in turn must inform the Assistant Director. Staff must operate within the reporting time frame as set out within this policy.

All staff (clinical and non-clinical) within Provide are responsible for participating in local team meetings to discuss learning from incidents.

All staff must participate in the implementation of actions to improve or change practice to further reduce risks as appropriate and embed learning.

4. Scope

This policy does not apply to a disciplinary procedure.

Investigations under the Serious Incident framework are not conducted to hold any individual or organisation to account, as there are other processes for that purpose including: disciplinary procedures, criminal proceedings, employment law and systems of service and professional regulation, such as the Care Quality Commission, the Nursing and Midwifery Council, the Health and Care Professions Council and the General Medical Council.

In the event of an incident that may require consideration under a disciplinary procedure the responsible manager should immediately discuss the situation with their HR Business Partner to ensure that the correct and most appropriate process is followed: Disciplinary Policy (HRPOL14). The HR investigation process is very different to an investigation undertaken for the purposes of a Serious Incident in healthcare and for this reason the two should not be carried out together or as one investigation.

Only in very exceptional circumstances where it is decided by the Executive Clinical & Operations Director (in their absence the Director of Operations and Director of Nursing and Allied Health Professionals) and the Assistant Director for Human Resources should a parallel investigation take place at the same time.

Similarly, in the event that during a Serious Incident Investigation the investigator discovers further information which is considered under HR-disciplinary/Criminal Law, Safeguarding, Information Governance or Infection Prevention, the investigator must report immediately to the Assistant Director of the relevant Business Unit, who is responsible and accountable for taking immediate action.

5. Incident Reporting

Provide will ensure that all incidents are appropriately recorded and that action is taken to minimise the risk of reoccurrence. Staff are encouraged to report No Harm and/or Near Miss incidents because, from a risk management perspective, they help guide procedures to avoid reoccurrences. Timely reporting of incidents allows Provide to:

• Reduce the likelihood of reoccurrence

• Provide feedback and information to those involved

• Improve practice as a result of the findings

• Set priorities for investment in training or other resources

• Assess and prepare for legal action

• Promote shared learning across the organisation

• Monitor that lessons learnt have been implemented and maintained

6. Types of Incidents Requiring Reporting

Although not all incidents reported are considered serious, it is important that all staff know what to report, when and how.

A patient safety incident is any unintended or unexpected incident which could have or did lead to harm for one or more patients receiving NHS care (NHS Improvement, 2017). To maximise all learning from incidents across the organisation it is important to report all patient safety incidents, which include:

• Incidents that cause no harm or minimal harm

• Incidents that you may have witnessed or been involved in, this could be within Provide or as part of the care provided to a Service User where joint care is in place

• Incidents that were prevented (near misses)

• Serious Incidents

Provide uses the Datix Incident Management System to report incidents. All incidents can be seen and reviewed by appropriate members of staff.

Newborn Screening Incidents should be managed in line with national guidance produced by Public Health England, “Managing Safety Incidents in NHS Screening Programmes”. Incidents of this category should still be reported through the organisational reporting system; however, they require scrutiny against national guidance in conjunction with this policy due to the unique characteristics of screening. https://www.gov.uk/government/publications/managing-safety-incidents-in-nhs-screening-programmes

For details of the process related to screening incidents and types of incidents in this category please refer to Appendix 5.

Incident Reporting for Near Miss Incidents

A Near Miss is an unplanned event that did not result in injury, illness, or damage, but has the potential to do so. All Near Miss incidents must be reported and recognised as they provide an opportunity to improve process and organisational learning.

Harm Free Care Group

All incidents reported into the Datix system are reviewed by members of the Quality and Safety team. Incidents that do not meet the threshold for a Serious Incident process but have a severity rating of Moderate and above, or where it is not clear if all measures have been implemented to prevent harm or there may be additional learning, are reviewed at the Harm Free Care Group. The group, which meets 4 to 6 weekly, comprises the Director of Nursing and Allied Health Professionals, Head of Quality and Safety, Serious Incident Investigator and representatives from the clinical directorates.

The purpose of this group is to facilitate discussion regarding the incident and to provide a mechanism by which borderline incidents have Organisational oversight and are appropriately managed and escalated for action.

Serious Incident Reporting

Serious Incidents in healthcare are adverse events, where the consequences to Service Users, families and carers, staff or organisations are so significant or the potential for learning is so great that a heightened level of response is justified (NHS England, 2015). It is essential that all serious incidents are considered and formally reviewed to foster a culture of transparency, learning and reflection and to improve the quality and safety of the services provided.

Serious Incidents include acts or omissions in care that result in: unexpected or avoidable death, unexpected or avoidable injury resulting in serious harm, including those where the injury required treatment to prevent death or serious harm, abuse, Never Events, incidents that prevent (or threaten to prevent) an organisation’s ability to continue to deliver an acceptable quality of healthcare services and incidents that cause widespread public concern resulting in a loss of confidence in healthcare services.

There are 7 key principles of Serious Incident Management

1. Openness and Transparency: The needs of those affected should be the primary concern of those involved in the response to and the investigation of serious incidents

2. Preventative: All Serious Investigations are undertaken to ensure that weaknesses in a system and/or process are identified and analysed to understand what went wrong, how it went wrong and what can be done to prevent similar incidents occurring again. Please note, investigations are carried out for the purposes of learning to prevent recurrence. They are not conducted to hold an individual or organisation to account.

3. Objective: Those in the investigation process must not be involved in the direct care of the patients affected, nor should they work directly with those involved in the delivery of that care. Those working in the same team may have a shared perception of appropriate/safe care that is influenced by the culture and environment in which they work.

4. Timely and Responsive: Serious Incidents must be reported within 2 working days after the incident is identified.

5. System based: The investigation must be conducted using recognised systems-based investigation methodology that identifies the problems, the contributory factors and the fundamental issues/root causes.

6. Proportionate: The scope and scale of the investigation should be proportionate to the incident to ensure resources are effectively used.

7. Collaborative: Where Serious Incidents involve several organisations, they must work in partnership to ensure the incident is effectively managed.

Where serious incidents are identified they can demonstrate weakness in a system or process that, if not addressed, will lead to further incidents and possible serious harm to Service Users, staff or organisational reputation. It is therefore important that the organisation investigates serious incidents to identify the factors that contributed to the event and the root causes that underpinned what went wrong.

Provide has an obligation to report serious incidents to the appropriate commissioner of the service involved and to the appropriate regulatory body. There is no definitive national list of what constitutes a serious incident, so that all incidents are considered individually.

Provide follows the guidance issued by NHS England (2015): Serious Incident Framework and the description below sets out how every possible incident must be considered case by case.

Serious Incidents include

Acts and/or omissions occurring as part of NHS-funded healthcare (including in the community) that result in:

• Unexpected or avoidable death of one or more people. This includes suicide/self-inflicted death and homicide by a person in receipt of mental health care within the recent past

• Unexpected or avoidable injury/ harm to one or more people that has resulted in serious harm

• Unexpected or avoidable injury/harm to one or more people that requires further treatment by a healthcare professional in order to prevent the death or serious harm of the Service User

• Actual or alleged abuse; sexual abuse, physical or psychological ill-treatment, or acts of omission which constitute neglect, exploitation, financial or material abuse, discriminative and organisational abuse, self-neglect, domestic abuse, human trafficking and modern day slavery where Healthcare did not take appropriate action/intervention to safeguard against such abuse occurring

• Where abuse occurred during the provision of NHS-funded care. This includes abuse that resulted in (or was identified through) a Serious Case Review (SCR), Safeguarding Adult Review (SAR), Safeguarding Adult Enquiry or other externally-led investigation, where delivery of NHS-funded care caused/contributed towards the incidents

In many cases it will be immediately clear that a serious incident has occurred and further investigation will be required to discover what exactly went wrong, how it went wrong (from a human factors and systems-based approach) and what may be done to address the weakness to prevent the incident from happening again.

Serious incidents are often identified through events that have resulted in serious outcomes to Service Users, staff or the organisation and may be identified through various other routes including, but not limited to:

• Incidents identified during the provision of healthcare by the organisation e.g. patient safety incidents which have serious/catastrophic or distressing outcomes for the Service User

• Allegations made against or concerns expressed about the organisation by a Service User or third party

• Information shared at Serious Incident Review Groups

• Complaints

• Freedom to Speak Up

• Issues raised with the organisation by coroner, police or other statutory or regulatory agency

• Initiation of other investigations, Serious Case Reviews (SCRs), Safeguarding Adult Reviews (SARs), Safeguarding Adults Enquiries (Section 42 Care Act), Domestic Homicide Reviews (DHRs), Individual Management Reviews (IMRs) and Death in Custody Investigations (led by the Prison Probation Ombudsman)

Whilst a serious outcome (such as the death of a patient who was not expected to die or where someone requires ongoing/long-term treatment due to unforeseen and unexpected consequences of health intervention) can provide a trigger for identifying serious incidents, outcome alone is not always enough to delineate what counts as a serious incident. The organisation strives to achieve the very best outcomes but this may not always be achievable.

Similarly, some incidents, such as those which require activation of a major incident plan, may not reveal omissions in care or service delivery and may not have been preventable in the given circumstances. However, this should be established through thorough investigation and action to mitigate future risks to be determined.

Where it is not clear whether or not an incident fulfils the criteria of a Serious Incident, providers and commissioners must engage in open and honest discussions to agree the appropriate and proportionate response.

It may be unclear initially whether any weaknesses in a system or process (including acts or omissions in care) caused or contributed towards a serious incident. The simplest and most defensible position is to discuss openly, to investigate proportionately and to determine the root cause of the incident.

If a serious incident is declared but further investigation reveals that the criteria of a serious incident are not met (i.e. there were no acts or omissions in care which caused or contributed towards the outcome) the incident can be downgraded. This can be agreed at any stage of the investigation and the purpose of any downgrading is to ensure efforts are focused on the incidents where problems are identified and learning and action are required.

Can a Near Miss be a Serious Incident?

The outcome of an incident does not always reflect the potential severity of the harm that could be caused should the incident or a similar incident happen again. It is possible for a near miss to be investigated as a serious incident. In such circumstances the organisation should consider:

• The likelihood of the incident happening again if current systems are not changed

• The potential for harm to Service Users and staff should the incident happen again

Information Governance (IG) Serious Incidents

All organisations processing Health, Public Health and Adult Social Care Personal Data are required to use the Data Security and Protection (DSP) Toolkit Incident Reporting Tool to report level 2 IG SIRIs to the DH, Information Commissioner’s Office and other regulators.

All IG incidents must be assessed against the IG Serious Incident Reporting Checklist on Datix. Any IG Incidents categorised as Level 2 or above must be discussed with the Organisation’s SIRO or Executive Finance Director before being reported on the Toolkit.

Once agreed, all Information Governance Serious Incidents should be input onto the DSP Toolkit without undue delay (not later than 72 hours of the breach being notified) with as much information as can be ascertained at the time. A full record of the incident should be complete within 5 working days from when the incident was initially reported.

Where required a legal practitioner will be utilised to ensure that the incident is managed within the framework of the law.

Once incident management and investigation procedures have been followed the incident must be closed on the toolkit in a timely manner.

Failure to meet the above requirements exposes the organisation to an administrative fine of up to €10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

7. Never Events

Never Events are incidents that require investigation under the Serious Incident Framework. Never Events may highlight weakness in how an organisation manages fundamental safety processes.

Each Never Event type has the potential to cause serious patient harm or death. However, serious harm or death does not need to have happened as a result of a specific incident for that incident to be categorised as a Never Event.

Never Events are serious, largely preventable patient safety incidents that should not occur if the available preventative measures have been implemented. Theoretically, a Never Event is an incident or event that should never happen.

The Department of Health publishes a reviewed list of Never Events annually and any organisation providing NHS care is expected to closely monitor the occurrence of Never Events within the services they provide.

8. Pressure Ulcers

Community Hospital Wards

All incidents of Service Users with category 2, 3, 4, unstageable and deep tissue injury pressure ulcers that are identified must be reported into the Datix Incident Reporting System (Datix). The incident handler must determine if all appropriate actions were taken to minimise the risk of the pressure ulcer developing or degrading when reviewing the Datix record. Incidents which identify that further action could have been taken must be escalated to the relevant Assistant Director.

All Other Community Services

All incidents of Service Users with category 3, 4, unstageable and deep tissue injury pressure ulcers that are identified must be reported into the Datix Incident Reporting System (Datix). The incident handler must determine if all appropriate actions were taken to minimise the risk of the pressure ulcer developing or degrading when reviewing the Datix record. Incidents which identify that further action could have been taken must be escalated to the relevant Assistant Director.

Any pressure damage in the categories stipulated above, where further preventative action could have been taken must be investigated following the SI process.

9. Infection Prevention

All laboratory identified clinically relevant and non-clinically relevant post 48 hours cases (admission to the ward) of MRSA bacteraemia are required to be reported to the relevant commissioner by the Infection Prevention and Control team on identification.

All laboratory identified Clostridium difficile (CD) toxin positive results post 72 hrs cases (admission to the ward) are required to be reported to the relevant commissioner by the Infection Prevention & Control team. Additionally any CD Infections from previous episodes of admission are required to be reported to commissioners (Public Health England, May 2017).

Provide will also be required to report as a Serious Incident any Health Care Acquired Infection (HCAI) which necessitates the closure of a ward (this does not include the closure of individual bays and side rooms) and cohorting of community based patients as a result of outbreaks of infections, and a death where HCAI is the primary cause (1a, 1b, and 1c on death certificate).

10. Immediate Actions

The immediate actions following an incident or serious incident are critical and the first responsibility of any Provide staff member identifying an incident is to ensure the safety of the individuals involved in the incident. A safe environment must be established before the incident is escalated to the appropriate managers within the organisation.

If the incident relates to a child or adult safeguarding concern, the local process for safeguarding must be instigated and the incident must be reported to the Head of Safeguarding for advice and direction.

11. Incident Reporting Process

• All incidents reported within Provide must be reported using the Datix (Datix Incident Reporting Form) within 24 working hours of identifying the incident. It is the responsibility of the staff member who identified the incident to submit the Datix Incident Report

• It is every staff member’s responsibility to acquaint themselves with Datix and to report accordingly. The member of staff that identifies and reports the incident is known as the ‘Reporter’

• All incidents must be reported verbally to the Line Manager as soon as possible/immediately after the incident occurs

• It is the Line Manager’s responsibility to ensure that staff are aware of their responsibility of reporting incidents into Datix. The Line Manager of the staff member who reported the incident is known as the ‘Handler’. It is the responsibility of the Handler to review and update the Datix Incident Report within 5 working days

• Once a Reporter has submitted a Datix Incident Report an automatic notification is sent via email to the Handler, Assistant Director of the Business Unit where the incident occurred, the Clinical Quality Team and other Senior Managers as appropriate

• The Clinical Quality Team review all Datix Incident Reports and initiate further quality assurance processes where appropriate

• Commissioners and Regulatory bodies must be immediately informed of any incident that has caused death of a Service User, is a Never Event or where the safe delivery of services has been interrupted

• Where it is not obvious that an incident has met the criteria for serious incident investigation a 72 hour ‘fact-finding’ report must be completed by the manager (or on-call manager out-of-hours) and immediately sent to the Assistant Director of the Service or on-call Director out of hours

• It is the responsibility of the service manager of the team which identified the incident to coordinate the immediate management of the area, including the implementation of any required changes to minimise the risk of reoccurrence

• Staff on duty and directly involved in the incident have a requirement to provide a written statement of their involvement in the incident prior to going off duty unless they are medically unfit to do so

• It is the responsibility of the most senior member of staff on duty when the incident occurs to ensure the incident reporting process is completed

• Within normal working hours (09:00-17:00) it is the responsibility of the Assistant Director for the Service and to liaise with the appropriate Executive Director if they believe the incident meets the criteria for serious incident investigation. Outside of normal hours this process should be completed by the Executive Director ‘on call’

• The relevant Executive Director or duty director will make the final decision about the incident being reported as a Serious Incident

• Any incident that meets the criteria for serious incident investigation must be immediately reported to the Director of Nursing and Allied Health Professionals and Head of Quality and Safety

12. Serious Incident Reporting

Clinical Serious Incidents

Must be reported via the Director of Clinical Operations or the Executive Clinical & Operations Director.

Health and Safety Serious Incidents

Must be reported via the Executive Director - Business Strategy and Service Delivery

Serious Incidents in relation to information governance, IT and estates

Must be reported to the Director of Finance

Serious Incidents in relation to non-clinical incidents outside of operational teams must be reported to the Executive Director – Business Strategy and Service Delivery

The Head of Quality and Safety will arrange for the incident to be reported externally to appropriate Commissioners and Regulatory Bodies. The Clinical Quality Team must be aware that there are various routes for reporting Serious Incidents dependent on the Commissioner.

Where the incident is a Never Event immediate verbal notification is necessary to the relevant Commissioner

The Head of Quality and Safety will inform the Care Quality Commission as part of the serious incident reporting process of any incident required by the Essential Standards Framework.

Where escalation is required to the Information Commissioner this will be carried out by the Lead for Information Governance.

Where escalation is required to the Health and Safety Executive this will be carried out by the Head of Health and Safety & Resilience.

Serial incidents are rare; in the event of one occurring, the Chief Executive Officer will initiate a response plan which, if appropriate, will include the establishment of an "information hotline" for service users, relatives/carers, staff and/or the public to call.

13. Serious Incident Categories

In line with NHS England’s Serious Incident Policy all Serious Incidents must be reported and investigated within the same time frame. A single timeframe (60 working days) has been agreed for the completion of investigation reports. This allows providers and commissioners to monitor progress in a more consistent way.

The recognised system-based method for conducting serious incident reviews, commonly known as Root Cause Analysis (RCA), should be applied for the investigation of Serious Incidents. It is also important to note that the level of the review must have been considered in determining whether one Investigation Officer or a panel is required to carry out the investigation.

The NHS England Serious Incident Framework, (2015) endorses three levels of investigation. The level of investigation should be proportionate to the individual incident.

1. Concise (Level 1 Investigation) - suited to less complex incidents which can be managed by individuals or a small group of individuals at a local level. The investigation should be completed within 60 days.

2. Comprehensive (Level 2 Investigation) - suited to complex issues which should be managed by a multidisciplinary team involving experts and/or specialist investigators. The investigation should be completed within 60 days.

3. Independent (Level 3 Investigation) - suited to incidents where the integrity of the internal investigation is likely to be challenged or where it will be difficult for an organisation to conduct an objective investigation internally due to the size of organisation, or the capacity/capability of the available individuals and/or number of organisations involved. The investigation should be completed within 60 days of being commissioned.

14. Serious Incident Review

After a Serious Incident is declared by the relevant Executive Director or Director the following actions are required to establish the investigation of the incident:

Stage 1: Virtual Serious Incident Review Panel

A virtual Serious Incident Review Panel may consist of a representative from Assistant Director for the service or their deputy where the incident occurred, Director of Nursing and Allied Health Professionals, Head of Quality and Safety, and Quality & Safety Team Representative. The Investigation Officer must be identified within 72 hours of the incident being reported. The panel must address the following: -

• Agree the level of investigation required

• Set the terms of reference for the Serious Incident Investigation

• Agree if additional support is required (i.e. panel/additional investigator/expert/note taker for statements)

• Support the Service User/family and Carers and check a verbal Duty of Candour has been completed and is in the Service User’s clinical record

• Support the investigator (protected time/additional hours/back fill/inform line manager)

• Support the investigator with all the relevant documentation (policy/guidance/SI standard template)

• Agree timeframe/deadlines and date for the Serious Incident Review Group (review of investigator’s findings)

• Agree written Duty of Candour letter to include the serious incident terms of reference

• Additional advice and support may be required from: -

• Clinicians

• IT Representative

• An expert within a specific field

• Representative from Estates

• Health and Safety Representative

• Finance Advisor

• Medical Advisor

• Pharmacist

• Therapist

• Administrative Support

The Virtual Serious Incident Panel will agree the milestone dates which are set to ensure that the investigation is completed within the 60 day timeframe; to allow a comprehensive review process of the report, prior to approval at the Quality and Safety Committee and final submission of the report to relevant commissioner.

The Head of Quality and Safety will support the process as required and the investigator will update the Head of Quality and Safety weekly on the progress of the investigation/review process (email, telephone conversation or meeting).

The Investigation Officer/Officers will keep the Assistant Director informed of the review progress with any significant findings that may affect patient safety being reported immediately. If further investigations outside the remit of a Serious Incident Review are highlighted (i.e. Safeguarding/IG/HR), it is the responsibility of the Assistant Director to escalate this to the relevant Director.

Once completed, the investigation report will be submitted to the relevant Director and Assistant Director as well as Head of Quality and Safety for review and comment.

The relevant Assistant Director will then approve the report for submission to the Serious Incident Review Group (SIRG).

Stage 2: Serious Incident Review Group

A Serious Incident Review Group (SIRG) will be organised by the Specialist Quality & Safety Team on behalf of the Assistant Director within the relevant Business Unit. The Investigation Officer/Officers and all staff involved in the investigation will be invited to attend.

The Serious Incident Review Group is an opportunity to have an open discussion with the Investigation Officer/s and the staff involved in a safe and productive environment. The SIRG read and quality check the reports prior to submission to the Quality & Safety Committee to ensure that the Terms of Reference have been met, that the learnings from the incident have been identified and that realistic action plans are in place to address any actions required within an agreed timeframe.

• The Investigation Officer/s will be supported by the group to go through the full report and discuss the timeline, findings, and contributory factors, root causes, learning outcomes, recommendations and required actions

• The chair of the group will ask relevant questions to ensure that the investigation has been system based (Root Cause Analysis), proportionate to the incident, objective, collaborative, timely and responsive

• The group will either agree the report as complete for submission to the Quality & Safety Committee or will ask the Investigation Officer/s to gather further information and revise the report. The Quality & Safety Team is responsible for sending the most up to date version of the report to the Investigation Officer/s for amendment. Following amendment the report will be reviewed at a further SIRG which will be convened within 7 days of the initial SIRG

• The chair will check with the Investigation Officer/s that all the recommendations and actions have clear timeframes which have been agreed by the relevant Assistant Director. The chair has responsibility for supporting and acknowledging the diligence of the Investigation Officer/s

• The final report must be checked to ensure all service user/staff/carer identifiable information has been removed (i.e. Patient A, Nurse 1)

• Minutes from the SIRG must be typed up by the Clinical Quality Team within 3 working days

• Following the SIRG the relevant Assistant Director has responsibility for writing the Duty of Candour outcome letter to the Service User and/or family or carer and forwarding a copy to the Specialist Quality & Safety Team. This must be embedded in the final report going to Q&SC

• Once the SIRG approves the report, the minutes from the SIRG will be embedded in the final report by the Quality & Safety Team. The final report will be sent to the relevant Assistant Director to confirm it can be embedded into the Quality & Safety Committee papers

• Serious Incidents will be closed by the relevant commissioner when they are satisfied that the investigation report and action plan meet the required standard. Please note incidents can be closed before all actions are complete, but there must be a mechanism in place for monitoring on-going implementation of the action plan

• Any action plan relating to a Serious Incident Investigation is the responsibility of the relevant Assistant Director and will be updated through the Quality and Safety Committee where closure will be noted. The Assistant Director is responsible for ensuring that any changes to practice are made

Stage 3: Action Plan Closure

The action plan must be updated within the R Drive folder Action Logs/Serious Incidents to ensure that version control is maintained. Local versions are not recommended. At the 3 month period the Action log with all relevant updates must go to the Quality and Safety Committee meeting for review and sign off. The Committee may make further recommendations on actions and evidence of closure and request it be re-presented at a later date (not more than 3 months).

Evidence of compliance with closure of action logs will be reviewed by the Head of Quality and Safety biannually through an audit process and shared with the Quality and Safety Committee for assurance purposes. Shared learning for incidents will be reviewed quarterly and where applicable shared in Clinical Matters.

15. Additional Reporting Requirements

Medicines Management

Incidents involving adverse drug reactions, incorrect administration of medication and incidents involving controlled drugs (CD) must be reported to the Head of Medicines Management as soon as practicable. It is the responsibility of the Head of Medicines Management to determine whether incidents involving a CD require reporting to the Police.

If a CD is involved in a serious incident the Head of Medicines Management will decide if there is a requirement to report to the Police.

Police

Some incidents will need to be reported to the Police. Incidents that involve theft or indicate intent to harm or neglect of a Service User must also be reported to the Director of the Business Unit and the Head of Quality and Safety.

The incident may also need to be reported to:

• Local Security Management Specialist (LSMS)

• Provide Lawyers

• Provide Insurers

• Head of Safeguarding

• Head of Medicines Management

• Lead for Infection Prevention & Control

• Information Governance Lead

Police involvement should not necessarily be regarded as grounds for deferring an incident review or for any immediate clinical managerial action, although advice should be sought in these circumstances from the relevant Executive Director who will seek advice from the organisation’s solicitors in conjunction with the local Police or Crown Prosecution Service.

Any individual (patient, staff, and visitor) subject to a criminal act must be advised of their right to report the incident to the Police, and of the process for doing so. Staff should consult the Local Security Management Specialist (LSMS) for advice but must assist any service user or inpatient in the reporting of an incident.

Safeguarding

As per SGPOL02: Safeguarding Children & Young People and SGPOL07: Safeguarding Adults at Risk of Abuse, all incidents relating to safeguarding must be reported to the Head of Safeguarding. Incidents involving the death or serious harm of a child will usually lead to a multi-agency review under the procedure of a Serious Case Review. The initial incident review and necessary clinical managerial action should not necessarily be deferred. Any incident requiring a serious case review must also be reported as a serious incident in the first instance.

Shared Involvement with Other Organisations

For incidents involving other agencies or organisations, the possibility of jointly commissioning a single review will be considered by the relevant Director in conjunction with representatives of the other agencies/organisations involved. The aim is to enable local reviews to proceed as soon as possible and for lessons to be learned, whilst ensuring coordination of procedures and avoiding duplication of processes. Robust communication is vital when more than one agency is involved in an incident.

When the incident has occurred on a facility or property not managed by the organisation, the relevant facility’s manager must also be informed.

Where other agencies or organisations are involved, for example the Police or Health and Safety Executive, an early meeting of the senior staff of all agencies will be required to agree the investigation process, reporting timeframes, review and the sharing of information.

16. Complaints and Claims

All serious incidents will be cross checked to establish if there are any links to claims or complaints either current or in the past and to establish if any further incident detail is held within the organisation.

Complaints

When a complaint is made to the organisation irrespective of the source, the Customer Service Team will check if the content of the complaint has been reported as an incident within Datix. If this is the case the Customer Service Team will request access to the Datix Incident Report as well as any other report information available to aid the investigation for the complaint.

Claims

When a claim comes into the organisation, it must be registered with the Provide Contracts Manager. This will then either be dealt with by the Contracts Manager or passed onto the Head of Quality and Safety or the Head of HR to process. Once received Provide will always check that there are no incidents or complaints investigations already carried out as this will be required for any insurance investigation or may be used to enhance the evidence required by HR or the Contracts Team.

• All clinical claims will be dealt with by Head of Quality and Safety

• All non-clinical claims will be dealt with by Contracts Manager

• All claims arising from staffing issues will be dealt with by the Head of HR

• All claims in relation to Health & Safety will be dealt with by the Health & Safety, Resilience & Security Manager

17. External Reporting Requirements

HM Coroner

Sudden and/or unexpected and/or unnatural deaths are notifiable to HM Coroner. In the event of a sudden death on a ward, the Coroner is informed as a priority and as soon as practicable.

Health & Safety Executive (HSE)

Incidents notifiable under the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (RIDDOR) must be reported by the Head of Health & Safety and Resilience to the Health & Safety Executive as soon as practicable.

Medicines & Healthcare Products Regulatory Agency (MHRA)

Suspected adverse reactions to drugs are notifiable by doctors, nurses, patients and pharmacists through the Yellow Cards Scheme. Advice and Yellow Cards are available from the MHRA Website and are included in the British National Formulary (BNF).

Adverse incidents relating to medical devices are also reportable to the MHRA. Staff that identify incidents relating to medical devices must report internally via Datix and externally via the MHRA Website.

Environmental Health Department

Confirmed reports of food poisoning are notifiable to the relevant local authority Environmental Health Department by the Head of Infection Prevention & Control via Public Health England.

Public Health England (PHE)

Certain notifiable diseases are reported to Public Health England. A representative of the Infection Prevention & Control team will report to the PHE East of England Health Protection Team.

NHS Estates

Fire incidents and adverse incidents involving buildings or plant are notifiable to Buildings Landlords by the Head of Estates and Facilities.

Information Commissioner’s Office (ICO)

Serious incidents which have occurred in relation to data loss or breach of Data Protection law will be communicated to the Information Commissioner.

Care Quality Commission (CQC)

In accordance with the Health and Social Care Act 2008 incidents where patients have been severely harmed or injured as a result of Provide care or incidents which prevent the organisation from carrying out regulated activity must be reported to The Care Quality Commission. It is the responsibility of the Head of Quality Assurance to send notification to the CQC.

18. Responding to an Incident

All Staff

All Provide staff present at, or responding to an incident on Provide property must, to the best of their ability, carry out the following: -

• Respond in the first instance according to the nature of the incident, their assessment of risk involved and the advice given by the person in charge of the area.

• Where appropriate, raise the alarm (e.g. emergency/fire alarms/radio/telephone) in order to gain more assistance from additional medical and other support staff.

• At all times the preservation of life, safety and security of service users, staff and visitors is paramount.

• Take appropriate emergency action in the case of fire, explosion, toxic or electrical hazard, etc. Always call emergency services as a priority and ensure that any casualties receive appropriate attention and support.

• When faulty equipment is involved, it must be retained by the person in charge of the area for inspection. The equipment must be clearly labelled with appropriate information stating that it is out of use, e.g. date it became faulty, nature of the fault and who ascertained the fault.

Most Senior Person on Duty

The immediate responsibility for managing an incident falls to the most senior person on duty in the relevant area at that time. Where necessary this person is responsible for ensuring that: -

• The area is made safe, including redeployment of additional staff/resources if necessary.

• Those directly involved in the incident receive the immediate care and assistance required in order to reduce any further untoward impact.

• The risk to staff, service users and visitors is minimised as far as possible.

• If the Service User is not aware that they have been involved in or affected by an incident, they must be informed at the earliest opportunity by a member of staff on duty.

• Where one or more Service User is involved, the appropriate clinical staff must make comprehensive entries in the health records, giving a full description of events, interventions used and post incident care planned. This must be completed before staff go off duty.

• The most senior member of staff on duty must ensure that a Datix Incident Report has been submitted and must allow staff time to complete all appropriate record keeping. They must verbally inform their line manager of the incident as soon as practicable.

Assistant Director for the Business Unit where the Incident Occurred

The Assistant Director of Service on duty or on-call manager out of hours is responsible for ensuring that appropriate action has been taken to manage the incident and to initiate additional action as necessary. This may include, but is not restricted to: -

• The on-call Director is informed immediately where appropriate e.g. if it is viewed that the incident is potentially a Serious Incident.

• The management of the incident is escalated to the appropriate Director, Director on Call, or the Chief Executive, if necessary.

• Liaison with the Police in the event of suspected criminal activity or suspicious circumstances.

• Ensuring that staff and Service Users have access to appropriate support.

• In the case of a Never Event occurring, ensuring that this is reported as part of the 24 hour reporting process.

• Ensuring that where appropriate an incident file is started that will include relevant documentation including staff statements, liaison with family members, the Police, etc.

Service Manager/Manager on Call

The Service Manager/Manager on call who is responsible/present at the incident is responsible for informing the patient's relatives/carers of what has happened, having obtained consent from the patient when possible. This must be done in line with the organisation’s Being Open & Duty of Candour Policy. All information must be recorded in the Service User’s health record. The relatives/carers must be given the name and contact details of someone who can answer any further questions or concerns they might have after the initial contact.

19. Post Incident Care & Support for Staff

In all situations line managers have the responsibility to make appropriate and timely arrangements to ensure that support is provided to all staff and Service Users involved in serious incidents. Examples of this may include:

• Review of fitness to continue to work

• Medical treatment as necessary

• Referral to the Occupational Health Service

• Clinical team support to service users

• Support for relatives and carers

• Team Briefing Sessions

• HR

• Mental Health Champions

20. Support for Service Users involved in or Witness to a Distressing Incident

The most senior member of staff on duty within the relevant area should decide on the most appropriate method of supporting Service Users (taking into account such issues as the time of day/night that the incident occurred and whether other Service Users are aware of it). This should be done in discussion with other members of the clinical team/on call manager.

Service Users can exhibit a wide range of emotional responses when they are affected by serious incidents and it is not unusual for such emotionally charged situations to have a delayed emotional effect on those involved or witnessing.

The most senior member of staff on duty should consider whether a meeting, involving all Service Users and staff, should take place. All questions surrounding the nature and circumstances of the incident should be answered truthfully and information only withheld if it is necessary to do so due to the legal process, maintenance of safety or matters of confidentiality.

If the incident is serious, such as a death of a fellow Service User, the clinical team should consider the effect this has on other Service Users.

The Manager of the service must ensure that Service Users have access to other support/advice services i.e. bereavement services.

Provide supports the NHS England (2018) Just Culture Guide, which can be used by all parties to explain how they will respond to incidents, as a reference point for incident reporting and as a communication tool to help staff, patients and families (Appendix 4).

21. Records Management

It is essential that accurate records are obtained as soon as possible following a serious incident. Please refer to the organisation’s Health Record Keeping Policy IGPOL63.

Requests for release of case notes, for example, requests from the Police, should be made through the Clinical Quality Team. Please refer to IGPOL29: Access to Health Records Policy.

All records related to Provide serious incident investigations will be archived by the respective Governance Departments and retained in line with the NHS Records Management Schedule.

22. Training

All serious incident investigation officers are required to complete root cause analysis (RCA) training.

23. Audit

The Serious Incident Investigator will submit a yearly report to the Quality & Safety Committee to monitor serious incident trends and themes.

24. References

CQC Regulation 20: Duty of Candour

NHS Improvement (2017) Learning from patient safety incidents https://improvement.nhs.uk/resources/report-patient-safety-incident/

NHS England (2015) Serious Incident Framework: Supporting learning to prevent recurrence

NHS Improvement (2018) Never Events Policy and Framework

NHS Improvement (2018) A Just Culture Guide

Public Health England (2017) Managing Safety Incidents in NHS Screening Programmes

Public Health England (May 2017) Clostridium Difficile Infection Surveillance Updates

Appendix 1: Assessing a Cyber SIRI

Although the primary factors for assessing the severity level are the criticality and scale of the incident (for example, the potential for impact on confidentiality, integrity or availability), the Cyber SIRI level should be re-assessed if more information becomes available post incident investigation.

Please note: Conversely, when targeted systems are protected (e.g. by an Intrusion Prevention System) so that no services are affected, the sensitivity factors will reflect that the risk is low.

All Cyber SIRIs entered onto the IG Toolkit Incident Reporting Tool, confirmed as severity level 2, will trigger an automated notification email to the DH and HSCIC.

The IG Incident reporting tool works on the following basis when calculating the severity of an incident:

There are 2 factors which influence the severity of a Cyber SIRI – Scale & Sensitivity.

Scale Factors

Whilst any Cyber SIRI is potentially a very serious matter, the scale is clearly an important factor. The scale provides the base categorisation level of an incident, which will be modified by a range of sensitivity factors.

Cyber Baseline Scale*

0 No impact: Attack(s) blocked

0 False alarm

1 Individual, Internal group(s), team or department affected.

2 Multiple departments or entire organisation affected.

A further category of Cyber SIRI is also possible and should be used in incident closure where it is determined that it was a near miss or the incident is found to have been mistakenly reported:

0. No impact: Attack blocked

0. False Alarm

Where a Cyber SIRI has been found not to have occurred, or severity is reduced due to fortunate events which were not part of pre-planned controls, this should be recorded as a “near miss” to enable lessons learned activities to take place and appropriate recording of the event.

Sensitivity Factors

Sensitivity in this context may cover a wide range of different considerations and each incident may have a range of characteristics, some of which may raise the categorisation of an incident and some of which may lower it. The same incident may have characteristics that do both, potentially cancelling each other out. For the purpose of Cyber SIRIs sensitivity factors may be:

iii. Low – reduces the base categorisation

iv. High – increases the base categorisation

Assessment Checklist for Cyber SIRI’s

Once completed the form must be attached in the documents section of the relevant incident recorded on Datix.

Any Cyber SIRI’s which achieve a level 2 or above must be counter agreed either by the SIRO or a Director of the organisation prior to inputting the incident on the Information Governance Toolkit.

Datix Incident Ref:-

The following process should be followed to categorise a Cyber SIRI

Baseline Scale*

0 No impact: Attack(s) blocked

0 False alarm

1 Individual, Internal group(s), team or department affected.

2 Multiple departments or entire organisation affected.

Scoring

Identify which sensitivity characteristics may apply and adjust the baseline scale point accordingly.

Cyber Sensitivity Factors (SF) modify baseline scale

Low: For each of the following factors reduce the baseline score by 1 (Scoring: -1)

(A) A Tertiary System affected which is hosted on infrastructure outside health and Social Care Networks.

High: The following factors increase the baseline score by 1 (Scoring: +1 for each)

(B) Repeat Incident (Previous Incident within the last 3 months)

(C) Critical business system unavailable for over 4 hours

(D) Likely to attract media interest

(E) Confidential information release (non-personal)

(F) Require advice on additional controls to put into place to reduce reoccurrence

(G) Aware that other organisations have been affected

(H) Multiple attacks detected and blocked over a period of 1 month

Calculate Final Score:

Example Incident Classification (Cyber SIRI)

Examples

A An organisation’s twitter and Facebook accounts are compromised and posts made by a group with forthright views on healthcare provision. The organisation knows a neighbouring provider has also had issues with their social media accounts. Although it is easy to change the accounts password the trust is unsure how to prevent reoccurrence.

Baseline scale factor 1

Sensitivity Factors

+1 Likely to attract media interest

+1 Require advice on additional controls to put in place to reduce reoccurrence

+1 Aware that other organisations have been affected

Final scale point 4 so this is a level 2 and would be reportable.

B A disgruntled technician from the IT Department who is due to be downgraded as part of a reorganisation deletes vast sections of the Active Directory structure (discovered through audit trails). The organisation’s recovery efforts were prolonged due to backup and rollback issues, with IT “normality” returning 48 hours post event. The organisation does not have a full EPR and so was able to put contingency plans in place and consequently there was not intense media interest.

Baseline scale factor 2

Sensitivity Factors

+1 Critical business system unavailable for over 24 hours

Final scale point 3 so this is a level 2 and would generate an alert

C An organisation offers free WIFI for patients and visitors in its buildings. There is also a business WIFI which is widely used with mobile devices at the point of care to support clinical pathways. As part of a routine examination of audit logs it is believed that a user of the public WIFI has managed to cross over from the public WIFI to the business network. There is also some evidence that certain accounts have unexpectedly had elevated rights applied around the same time frame, though due to lack of system-wide logging it is not clear what has been affected and whether the two events are connected. The organisation is unsure how to deal with the situation and switches off both public and business WIFI.

Baseline scale factor 2

Sensitivity Factors

+1 Critical business system unavailable for over 4 hours

+1 Require advice on additional controls to put in place to reduce reoccurrence

Final scale point 4 so this is a level 2 and would generate an alert

D An organisation utilises a 3rd party to provide a salary sacrifice car scheme. The provider’s website features the available cars and the ability to calculate your expected contribution. The website is hosted on an external cloud in North America which suffers a denial of service attack making the system unavailable for over half the working day.

Baseline scale factor -1

Sensitivity Factors

-1 A tertiary system affected which is hosted on infrastructure outside health and social care networks.

Final scale point -1 so this is a level 0 and would not generate an alert

E An organisation’s website was subject to a large flux of incoming packets from IP addresses outside the U.K. that was intended to make the site unavailable. The trust’s new IPS system detected the attack and took appropriate action so that the site suffered no loss of access.

Baseline scale factor 0 No impact: Attack(s) blocked

Sensitivity Factors

None

Final scale point 0 so this is a level 0 and it should be locally determined whether this should be logged. N.B. When determining reporting, consideration should be given to the intelligence value of the incident(s) in informing Cyber responses and not the effect (or lack of) of a particular incident(s).

F A service user complains that a member of staff has initially befriended them on social media then made a number of inappropriate approaches. The approaches are rejected, which leads to the member of staff harassing and trolling the service user. Upon investigation it is discovered the member of staff has utilised business IT equipment and accessed social media sites in line with the organisation’s social media / fair usage policy. The member of staff has also disclosed details of where the service user resides and treatment plans.

Baseline scale factor 1

Sensitivity Factors

+1 Likely to attract media interest

Final scale point 2 so this is a level 2 and would generate an alert. This incident should also go through the IG SIRI classification due to the disclosure of confidential information.

For Further Information please refer to the HSCIC Guidance (Checklist Guidance for Reporting, Managing and Investigating Information Governance and Cyber Security Serious Incidents Requiring Investigation)

Appendix 2: Serious Incident Flowchart

Q&S Team to send approved 60 Day Report to the commissioner by the 60 day deadline. Note: report must be anonymised, without appendices, Action Plan, SIRG minutes and take out any mention of them within the report.

Approved Report to be shared with Assistant Director together with a request for the DOC Outcome Letter.

Approved Report & DOC Letter to be shared with Commissioner & CQC if requested.

IO to keep updating the Action Plan and 3 months later to be sent to Q&S Team for inclusion in Q&SC Meeting for final signoff. May need to return monthly thereafter until closed.

IO to make amendments to the 60 Day Report (v2), produce an Action Plan & submit both to the Q&S Team one week before the next Quality & Safety Committee Meeting for inclusion in the Agenda.

IO to present 60 Day Report at the SIRG Meeting. Action Plan/Learning and Report amendments to be agreed by SIRG Members.

60 Day Report (version 1) to be submitted to the Q&S Team one week prior to the date of the SIRG Meeting.

Not a Serious Incident: Handler investigates and closes on Datix.

Incident reported by Staff Member via the Datix Incident Reporting System.

Head of Quality & Safety decides whether the incident should go to the 6-weekly Harm Free Care Meeting (HFC) for further discussion. Incident reviewed at HFC Meeting to establish if a full investigation as a Serious Incident is required.

YES

Q&S Team to report Incident as follows:

• Notify CQC * depending on contract (via CQC Notification Form)

• Notify Commissioner (via STEIS Reporting System)

• Notify Provide Executive Team (via Exec SI Notification Form)

Confirmed Serious Incident

Serious Incident (SI)

Investigation Process

Q&S Team to set up a Serious Incident Review Group (SIRG) and send invites to appropriate Staff

Q&S Team to send request to IO (copy in AD) for the following:

• Timeline with deadlines.

• Initial Duty of Candour Letter (DOC)

• 60 Day Report

• 72 Hour Report (not required for PU’s)

Investigation Officer (IO) to be appointed by the Assistant Director (AD) of the service where the incident occurred and sets the Terms of Reference (TOR). Details to be shared with the Q&S Team.

Appendix 3: Information Governance Serious Incidents

There are 2 factors which influence the severity of an IG SIRI – Scale & Sensitivity.

Scale Factors

Whilst any IG SIRI is potentially a very serious matter, the number of individuals that might potentially suffer distress, harm or other detriment is clearly an important factor. The scale provides the base categorisation level of an incident, which will be modified by a range of sensitivity factors. For the purpose of IG SIRIs the scale of an incident will be one of:

0 Information about less than 11 individuals

1 Information about 11-50 individuals

1 Information about 51-100 individuals

2 Information about 101-300 individuals

2 Information about 301-500 Individuals

2 Information about 501 – 1,000 individuals

3 Information about 1,001 – 5,000 individuals

3 Information about 5,001 – 10,000 individuals

3 Information about 10,001 – 100,000 individuals

3 Information about 100,001 + Individuals

Sensitivity Factors

Sensitivity in this context may cover a wide range of different considerations and each incident may have a range of characteristics, some of which may raise the categorisation of an incident and some of which may lower it. The same incident may have characteristics that do both, potentially cancelling each other out. For the purpose of IG SIRIs sensitivity factors may be:

i. Low – reduces the base categorisation

ii. High – increases the base categorisation

Categorising SIRIs

The IG SIRI category is determined by the context, scale and sensitivity. Every incident can be categorised as level:

1. Confirmed IG SIRI but no need to report to ICO & DH

2. Confirmed IG SIRI that must be reported to ICO & DH

A further category of SIRI is also possible and should be used in incident closure where it is determined that it was a near miss or the incident is found to have been mistakenly reported:

0. Near miss/non-event

Where an IG SIRI has been found not to have occurred, or severity is reduced due to fortunate events which were not part of pre-planned controls, this should be recorded as a “near miss” to enable lessons learned activities to take place and appropriate recording of the event.

Assessment Checklist for Information Governance Serious Incidents (IGSI’s)

• This form must be completed for each incident reported as a potential IGSI

• Once completed it must be attached in the documents section of the relevant incident recorded on Datix

• This form can also be completed on Datix.

• Any IGSI’s which achieve a level 2 or above must be counter agreed either by the SIRO or a Director of the organisation prior to inputting the incident on the Information Governance Toolkit.

Datix Incident Ref:-

The following process should be followed to categorise an IG SIRI

Step 1: Establish the scale of the incident. If this is not known it will be necessary to estimate the maximum potential scale point.

Baseline Scale Scoring

0 Information about less than 11 individuals

1 Information about 11-50 individuals

1 Information about 51-100 individuals

2 Information about 101-300 individuals

2 Information about 301-500 Individuals

2 Information about 501 – 1,000 individuals

3 Information about 1,001 – 5,000 individuals

3 Information about 5,001 – 10,000 individuals

3 Information about 10,001 – 100,000 individuals

3 Information about 100,001 + Individuals

Step 2: Identify which sensitivity characteristics may apply and adjust the baseline scale point accordingly.

Sensitivity Factors (SF) modify baseline scale

Low: For each of the following factors reduce the baseline score by 1 (Scoring: -1 for each)

(A) No Sensitive personal data (e.g. Health Information) (as defined by the Data Protection Act 1998) at risk nor data to which a duty of confidence is owed

(B) Information readily accessible or already in the public domain (e.g. Information equivalent to that found in a telephone directory) or would be made available under access to Information legislation e.g. Freedom of Information

(C) Information unlikely to identify individual(s)

High: For each of the following factors increase the baseline score by 1 (Scoring: +1 for each)

(D) Detailed clinical information at risk e.g. clinical/care case notes, social care notes

(E) Particularly sensitive information at risk e.g. HIV, STD, Mental Health, Children

(F) One or more previous incidents of a similar type in past 12 months

(G) Failure to implement, enforce or follow appropriate safeguards to protect information (e.g. failure to encrypt mobile technology (incl. Memory Sticks, laptop etc.))

(H) Likely to attract media interest and/or a complaint has been made directly to the Information Commissioner by a member of the public, another organisation or an individual

(I) Individuals affected are likely to suffer substantial damage or distress, including significant embarrassment or detriment

(J) Individuals affected are likely to have been placed at risk or have incurred physical harm or a clinical untoward incident

Example Incident Classification

Examples

A Health Visitor data inappropriately disclosed in response to an FOI request. Data relating to 292 children, detailing their client and referral references, their ages, an indicator of their level of need, and details of each disability or impairment that led to their being in contact with the health visiting service e.g. autism, chromosomal abnormalities etc.

Baseline scale factor 2

Sensitivity Factors

-1 Information unlikely to identify individual(s)

+1 Particularly sensitive information

Final scale point 2 so this is a level 2 reportable SIRI

B Member of staff has access to digital health records as per her job role. Her daughter has recently started dating an older man and the member of staff accessed this man’s records and those of other members of his family (5 in total). The main record included reference to a recent STD.

Baseline scale factor 0

Sensitivity Factors

+1 Detailed information at risk e.g. clinical/care case notes, social care

+1 High risk confidential information

+1 Failure to implement, enforce or follow appropriate organisational or technical safeguards to protect information

+1 Individuals affected are likely to suffer substantial damage or distress, including significant embarrassment or detriment

Final scale point 4 so this is a level 2 reportable SIRI

C A ward handover sheet containing sensitive personal details of 15 patients from an ICT team was found by a member of the public and handed back into the organisation. The gentleman who found the handover sheet said that he found it on the road outside his house. The sheet contained the patient's full name, NHS Number and a brief description of their current condition.

Baseline scale factor 1

Sensitivity Factors

+1 Failure to implement, enforce or follow appropriate organisational or technical safeguards to protect information

Final scale point 2 so this is a level 2 reportable SIRI

D Two diaries containing information relating to the care of 240 children were stolen from a health visitor’s car.

E Loss of an individual’s medical records. The records were found to be missing when the patient concerned made a subject access request. Patient has made a complaint and also contacted the Information Commissioner’s Office.

https://improvement.nhs.uk/resources/just-culture-guide/

Appendix 5: Screening Incident Reporting Process

All Screening incidents (Child Health Information Services – CHIS) must be reported in the normal way through Datix and reviewed within 5 working days. The line manager must also be informed.

Where incidents refer to a screening incident a Screening Incident Assessment Form (SIAF) must be completed and submitted.

Screening Incident Assessment Form

For the purpose of completing a SIAF form CHIS are responsible for reporting anything relating to screening that would constitute an incident and where a Datix has been completed.

Newborn Screening Incidents should be managed in line with national guidance “Managing Safety Incidents in NHS Screening Programmes”.

The link to this guidance and revised SIAF is below: https://www.gov.uk/government/publications/managing-safety-incidents-in-nhs-screening-programmes

The following list would include but not be exhaustive of:

Incident relating to bloodspots

Incorrect, omitted or late information from laboratories.

Muddled patient details or NHS numbers

Bloodspot letter sent containing inaccurate information

Bloodspot letter sent out in error, or not sent out where appropriate

Incorrect information sent or received by task

Breakdown in initial and repeat samples being taken by either Maternity or health visiting. Recurrent incidents surrounding bloodspots.

Incorrect information recorded on Failsafe–(Northgate)

Incidents relating to Newborn and Infant Physical Examination (NIPE)

Inaccurate, incorrect or missing information Screening

Incidents relating to Newborn Infant Hearing Screening

Inaccurate, incorrect or missing information.

Procedure

All incidents must be relayed to the CHIS lead on duty to advise on Datix. The CHIS lead on duty will contact NHS Screening in their area for discussion as to completion of a SIAF. Where incident is deemed of sufficient seriousness a form will be completed and sent immediately.

CHIS lead to complete sections 1-10 of the SIAF and gather information for the investigation.

If the incident has occurred in CHIS and is discovered by another service a SIAF will be sent to CHIS lead for investigation.

In addition if required by Quality and Assurance (East of England) an additional optional screening safety incident investigation outcome report will be completed. Child Health to send representation to screening incident review meetings if required to do so.

All incidents and recommendations will be discussed as a standing agenda item within CHIS Management Meetings. Should investigations highlight an immediate concern and recommendation for CHIS, the CHIS lead will liaise with all other CHIS leads within Provide to change processes immediately.

Where it is appropriate, information will be shared with CHIS teams through their team meetings and the weekly CHIS update newsletter.

Details of the incident will be shared through the Organisation via reporting at the Quality and Safety Committee and via Provide Board through the assurance framework and reporting.

Further analysis of Screening Incidents

CHIS will undertake further analysis via regular reporting from Datix of all incidents to establish frequency, nature and commonality.

Internal incidents

CHIS teams to be briefed on all incidents, but where multiple incidents occur or where clusters of incidents occur a specialist training programme will be rolled out across all teams.

External incidents

The CHIS management will investigate whether incidents are occurring in isolation or in clusters from a particular provider. The CHIS management may instigate meetings and complete action plans to solve the issue with the provider. Where appropriate NHS England to be informed.

Where there are multiple incidents of the same nature but across various providers CHIS management will set up multidisciplinary meetings and inform NHS England.

EQUALITY IMPACT ASSESSMENT

TEMPLATE: Stage 1: ‘Screening’

Name of project/policy/strategy (hereafter referred to as “initiative”):

Incident Reporting (including Serious Incident Reporting) & Reporting Management Policy

Provide a brief summary (bullet points) of the aims of the initiative and main activities:

This policy covers the reporting and management of incidents in Provide Community Interest Company. It also details the process for identifying, reporting and commissioning reviews of serious incidents.

The purpose of this policy is to provide the framework that ensures incidents are identified and reviewed, and the lessons learnt are promptly applied. The policy also ensures that reported incidents are analysed to seek to identify root causes and any likelihood of repetition, taking into account building a safer NHS for patients: implementing an organisation with a memory (Department of Health 2001).

Project/Policy Manager: Head of Quality and Safety Date: November 2019

This stage establishes whether a proposed initiative will have an impact from an equality perspective on any particular group of people or community – i.e. on the grounds of race (incl. religion/faith), gender (incl. sexual orientation), age, disability, or whether it is “equality neutral” (i.e. have no effect either positive or negative). In the case of gender, consider whether men and women are affected differently.

Q1. Who will benefit from this initiative? Is there likely to be a positive impact on specific groups/communities (whether or not they are the intended beneficiaries), and if so, how? Or is it clear at this stage that it will be equality “neutral”? i.e. will have no particular effect on any group.

This is equality neutral.

Q2. Is there likely to be an adverse impact on one or more minority/under-represented or community groups as a result of this initiative? If so, who may be affected and why? Or is it clear at this stage that it will be equality “neutral”?

This is equality neutral.

Q3. Is the impact of the initiative – whether positive or negative - significant enough to warrant a more detailed assessment (Stage 2 – see guidance)? If not, will there be monitoring and review to assess the impact over a period time? Briefly (bullet points) give reasons for your answer and any steps you are taking to address particular issues, including any consultation with staff or external groups/agencies.

This will be reviewed in line with the policy review date or sooner if need arises.

Guidelines: Things to consider

• Equality impact assessments at Provide take account of relevant equality legislation and include age, (i.e. young and old,); race and ethnicity, gender, disability, religion and faith, and sexual orientation.

• The initiative may have a positive, negative or neutral impact, i.e. have no particular effect on the group/community.

• Where a negative (i.e. adverse) impact is identified, it may be appropriate to make a more detailed EIA (see Stage 2), or, as important, take early action to redress this – e.g. by abandoning or modifying the initiative. NB: If the initiative contravenes equality legislation, it must be abandoned or modified.

• Where an initiative has a positive impact on groups/community relations, the EIA should make this explicit, to enable the outcomes to be monitored over its lifespan.

• Where there is a positive impact on particular groups does this mean there could be an adverse impact on others, and if so can this be justified? - E.g. are there other existing or planned initiatives which redress this?

• It may not be possible to provide detailed answers to some of these questions at the start of the initiative. The EIA may identify a lack of relevant data, and that data-gathering is a specific action required to inform the initiative as it develops, and also to form part of a continuing evaluation and review process.

• It is envisaged that it will be relatively rare for full impact assessments to be carried out at Provide. Usually, where there are particular problems identified in the screening stage, it is envisaged that the approach will be amended at this stage, and/or setting up a monitoring/evaluation system to review a policy’s impact over time.

EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 2:

(To be used where the ‘screening’ phase has identified a substantial problem/concern)

This stage examines the initiative in more detail in order to obtain further information where required about its potential adverse or positive impact from an equality perspective. It will help inform whether any action needs to be taken and may form part of a continuing assessment framework as the initiative develops.

Q1. What data/information is there on the target beneficiary groups/communities? Are any of these groups under- or over-represented? Do they have access to the same resources? What are your sources of data and are there any gaps?

n/a

Q2. Is there a potential for this initiative to have a positive impact, such as tackling discrimination, promoting equality of opportunity and good community relations? If yes, how? Which are the main groups it will have an impact on?

n/a

Q3. Will the initiative have an adverse impact on any particular group or community/community relations? If yes, in what way? Will the impact be different for different groups – e.g. men and women?

n/a

Q4. Has there been consultation/is consultation planned with stakeholders/ beneficiaries/ staff who will be affected by the initiative? Summarise (bullet points) any important issues arising from the consultation.

n/a

Q5. Given your answers to the previous questions, how will your plans be revised to reduce/eliminate negative impact or enhance positive impact? Are there specific factors which need to be taken into account?

n/a

Q6. How will the initiative continue to be monitored and evaluated, including its impact on particular groups/ improving community relations? Where appropriate, identify any additional data that will be required.

n/a

Guidelines: Things to consider

• An initiative may have a positive impact on some sectors of the community but leave others excluded or feeling they are excluded. Consideration should be given to how this can be tackled or minimised.

• It is important to ensure that relevant groups/communities are identified who should be consulted. This may require taking positive action to engage with those groups who are traditionally less likely to respond to consultations, and could form a specific part of the initiative.

• The consultation process should form a meaningful part of the initiative as it develops, and help inform any future action.

• If the EIA shows an adverse impact, is this because it contravenes any equality legislation? If so, the initiative must be modified or abandoned. There may be another way to meet the objective(s) of the initiative.

Further information:

Useful Websites

www.equalityhumanrights.com – Website for new Equality agency

www.employers-forum.co.uk – Employers forum on disability

www.disabilitynow.org.uk – online disability related newspaper

www.womenandequalityunit.gov.uk – Gender issues in more depth

www.opportunitynow.org.uk – Employer member organisation (gender)

www.efa.org.uk – Employers forum on age

www.agepositive.gov.uk – Age issues in more depth

© MDA 2007 EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage One: ‘Screening’
