This portal provides an open platform for user feedback and product change requests. Anyone can add an idea and remain as a Guest, but please consider signing up so that others can see who has created the ideas!
Note: this is a public facing web portal, any text here can be viewed by anyone over the internet, so please consider carefully the content you wish to share and please do not post anything of a sensitive nature.
Currently the data consumers of the NCR access it via a contextual link in their line of business systems. Our partner organisations have programmes or software in place that proactively monitor each staff member’s access to patient records. When it identifies potential inappropriate access, this is flagged to the organisation’s IG team, who investigate and then pass the information onto HR if a breach has been identified. When access to the NCR is via the line of business system, IG leads in organisations can contact the NCR BAU IG team to request an audit log to confirm whether the staff member under investigation has inappropriately accessed a patient’s NCR as well. Currently, the risk of data breach in the NCR by inappropriate access is mitigated by the presence of the proactive automatic monitoring of the line of business systems.
However, as we seek to expand the roll out of the NCR, these new organisations are more unlikely to have such proactive automatic monitoring of their line of business systems or will be accessing the NCR via weblink which also will not enable any proactive automatic monitoring of the access to the patient data. This will make it very difficult to prove that we are processing data in keeping with the Article 5(f) principle of UK GDPR where we need to be processing in a manner that ensures appropriate security of the PID, including protection against unauthorised processing, … using appropriate technical or organisational measures (the integrity and confidentiality principle). As a result, the proposed further roll out to organisations that cannot proactively automatically monitor their staff’s access to the NCR is likely to be blocked by our existing partners.
| As a | Senior Information Governance Officer |
| I would like | A solution to enable the proactive automatic monitoring of the audit log of staff who have accessed patient records via the shared care record. |
| So that | we have assurance that we are adhering to Article 5(f) of the UK GDPR across all partner organisations. When we have that assurance, this can be removed as a blocker to further roll out of the Shared Care Record. |
| User contact | Cat Cooper |
|
Other information
As a: (your role requesting the change) Senior Information Governance Officer for Digital Notts, involved in the implementation of the Notts Care Record. Also, member of the Nottingham and Nottinghamshire Records and Information Group (SIGN). I would like: (change request) A solution to enable the proactive automatic monitoring of the audit log of staff who have accessed patient records via the shared care record. So that: (what it would enable you to do) we have assurance that we are adhering to Article 5(f) of the UK GDPR across all partner organisations. When we have that assurance, this can be removed as a blocker to further roll out of the Notts Care Record. |
|
This is a good candidate for user centred design. We should explore this from a user perspective to see what they can currently do, what the problems are and what solutions we need to implement to fix the issues.
Partners being able to access the audit log or export it to local systems and run business rules against it to check proactively for inappropriate access would allow an enhanced level of security.