Finding the risks, flowing the data: How one CSU is managing the NHS IG challenge

Information governance is often seen as a barrier to sharing data across healthcare organisations. But at least one commissioning support unit (CSU) is managing information in a way that allows it and its customers to comprehensively map data flows and assets, quickly identify and mitigate any risks and ensure that vital information can be harnessed securely.

South East Commissioning Support Unit (SECSU) became one of the largest providers of NHS information governance services anywhere in England when it launched in October 2014, following a merger between South London CSU, Kent and Medway Commissioning Support and North West London CSU.

Covering a large geographical area and with some 1,300 staff employed in the CSU alone, the organisation deals with a significant number of information flows and assets across a number of its own sites, in addition to the large amount of information flows and assets that it enables 19 clinical commissioning groups (CCG) to manage.

By using Apira’s Information Asset Management (IAM) software, this complex, yet extremely important task, has been made significantly easier, meaning that high risks can be much more effectively identified, managed and mitigated, explains Vicky Poole, a senior associate for information governance at the CSU.

“IAM is the most intelligent information management tool I have ever seen,” she says. “By using the IAM tool the CSU is able to map all its data flows, primary assets, secondary assets and associated policies, procedures and training needs. The tool enables us to assess these flows and assets against multiple factors, and enables the CSU to understand where the highest risks lie and in turn controls can be put in place to mitigate these risks.”

Addressing Information Governance Toolkit requirements

The application of IAM is not only benefiting the CSU, but also the 19 CCGs using its IG services.

By using IAM, the CSU is now providing its customers with a means to easily and comprehensively fulfil both the data flow mapping and information asset register requirements that they are obliged to meet for the HSCIC Information Governance Toolkit, and set the foundation for many more.

Staff are able to record all flows from their department, ward or team, both internal and external to the organisation, and add new assets. As users enter data into the system, the organisation’s information asset register is built at the same time, allowing administrators to allocate assets to information asset administrators and owners, fulfilling a requirement of the IG Toolkit.

Larger assets such as clinical systems or staff databases, can be added into IAM by information asset owners so that their teams have assets already in the system to record flows against.

Clear visibility of information – managing and exploiting assets

IAM provides the CSU and its customers with the ability to hold a complete and easy view of information flows and related assets.

At a time when information is recognised as being more important than ever in driving forward service improvements and delivering effective models of care, this is providing both the CSU and the CCGs with an unprecedented level of detail in the visibility of the information they hold, whilst at the same time eliminating the need to spend lengthy amounts of time reviewing individual spreadsheets, with information collated by IAM through easy to use dashboards.

“IAM is enabling us to go into detail in identifying data and is cutting down time in managing that information,” says Poole. “For example, at a click of a button we can run a report to find where all our human resources data is stored and the assets it is stored in.”

Depending on the nature of the information asset, this ability to register information can be highly valuable both for the CSU and the CCG. Anonymised information, that might otherwise be locked away in silos, such as in a folder on an individual’s laptop, can be located through IAM; data which when amassed, can potentially offer high value for business intelligence, supporting anything from commissioning new services through to highlighting issues where services might not be delivering.

“IAM supports an integral part of what the CSU does – exploiting data to provide the best services that we can,” says Poole. “It helps us to identify where we are flowing information and where we can use information to improve services.”

Clear visibility of risks – ensuring flows are secure

As something that touches every individual, at every level in the organisation, managing the secure flow of information is no small challenge for the CSU given the number of flows and users across its geographical spread and customer base. IAM is proving effective in more than mapping these flows, also highlighting what steps need to be taken to ensure they are secure.

“IAM doesn’t only map information, it highlights policies needed to support the control of specific flows and even the training that needs to be conducted for people dealing with specific flows,” says Poole. “It shows where risks are and what needs to be done to manage those risks, making my job a lot easier.”

Administrators and owners tasked with approving flows from or landing in their assets, which might be anything from an HR database through to a clinical records database, are given a risk score for each flow, helping them to make their decision. High risks are flagged by IAM, for example, when information is being sent via fax or by unencrypted email, and measures can then be taken to improve the security of the flow. The system also shows why flows are taking place, whether consent has been given in instances of personal information, as well as highlighting where information sharing agreements may need to be reviewed.

“This is definitely a proactive step to avoiding data breaches and shows the Information Commissioner’s Office that correct procedures are being followed and measures taken to minimise risk to information,” adds Poole.

Equally, IAM highlights where information may no longer be needed, showing instances where a flow may have not been used for some time, allowing the CSU and its customers to only retain necessary information.

“The majority of what the CSU does involves data and there are strict guidelines to what data can be held by the CSU and what it is used for,” says Poole. “IAM is becoming embedded in processes which secure the use of data and ensure the CSU has a legal basis to hold and use it in the way it is required. This level of detail provides assurances not only internally, but also to our customers. This is highlighted in the CSU being able to achieve 100% in its IG Toolkit submissions.”

A more confident service

Poole believes that IAM is now assisting the CSU in developing a strong understanding of the information risks and threats to the organisation, in turn allowing staff and customers to do the same.

“The CSU is building a more confident service in how we are managing information, how we are controlling it and how our staff perceive information, something equally applicable to CCGs,” she says.

“Information governance has always been seen as a barrier to flowing information. This tool makes that process easier and helps people understand how they can use information and what they need to do to improve controls around those flows.”