Introduction

Information quality is a requirement for appropriate decision making, governance and the ongoing provision of high-quality healthcare. The concept applies to the records, information and data that our organisation creates, maintains and utilises. This document uses definitions provided by the Cabinet Office. The Cabinet Office defines data as ‘qualitative or quantitative statements or numbers that are assumed to be factual, and not the product of analysis or interpretation’ and information as ‘output of some process that summarises interprets or otherwise represents data to convey meaning’. All references to information in this document encompasses information and data which is personal, financial or falls within any other category.

Information quality is a legal requirement for the organisation under the Data Protection legislation (Data Protection Act 2018 and UK General Data Protection Regulation – identified in this Policy as the Data Protection Legislation) and Public Records Act 1958. It is a regulatory as well as an organisational requirement under government policy and standards.

This policy sets out the standards expected in our processes, systems and working practice to ensure good quality information is at the heart of all of our organisation’s functions. It aims to ensure that we create and perpetuate a culture of information quality throughout Penrose Health and with those that work in partnership with us. This includes standards of quality across information and data, as outlined by the Cabinet Office and referenced below. In addition, this policy sets out the principles of how we evaluate and mitigate errors in data.

This policy sets out: our statement of intent for information quality, the principles that inform the relevant standard, who is accountable for the requirements within this policy, where responsibility sits and the method for their measurement, reporting and delivery.

Penrose Health recognises that effective information management is fundamental to good administration and operational effectiveness and is an enabler to the achievement of our strategic values.

This policy is part of the suite of Information Governance policies which set out the expected standards and controls around data usage. They are: Information Governance, Information Quality, Information Management, Information Security, and Confidentiality. The concepts and standards are interrelated. It is important to consider all of the Practice’s obligations and intentions across the suite of policies.

Scope

This policy is applicable to:

• All records, information and data held and processed by Penrose Health. All information must be managed and held within a controlled environment and to a high standard of accuracy and completeness. This includes personal data of patients and staff, patient level data (non-identifiable – with exceptions) as well as corporate information. It applies to records, information and data regardless of format, in addition to legacy data held by the organisation, in accordance with the approved retention standards (as stated in the Records Management Code of Practice for Health and Social Care 2020);
• Patient level data must be in non-identifiable format (anonymised or pseudonymised) except where held for direct care purposes or permitted via an NHS Act 2006 s.251 approved use or where there is another lawful basis for processing under Data Protection Legislation;
• Patient level data held in identifiable format must only be held and processed with the appropriate consent or other lawful basis with security and access control requirements in place which meet Data Protection standards;
• All permanent, contract or temporary staff of Penrose Health and all third parties who have access to our premises, systems or information. Any reference to staff within this document also refers to those working on behalf of the Practice on a temporary, contractual or voluntary basis;
• Information systems, data sets, computer systems, networks, software and information created, held or processed on these systems, together with printed outputs from these systems, and;
• All means of communicating information, both within and outside the organisation and both paper and electronic, including data and voice transmissions, emails, post, audio and video conferencing.
• There are different levels and ranges of data that support the contracting of services, from Personal Confidential Data (or “PCD” see definitions for further clarification) also known as special category data, to organisational performance data.

Purpose

As a Controller of personal data, Penrose Health requires good quality information to be created, managed and utilised. The Practice has a responsibility to drive improvements in Information Governance in the services we provide. This ensures an efficient, effective and accountable service. This includes ensuring that contractual requirements and monitoring of performance include information quality on a routine basis. In those instances where we appropriately share or publish information we must ensure that this information is accurate, up-to-date, and complete.

Without high standards of information quality, supported by systematic processes and practice, we cannot support the delivery of high quality healthcare and improve services.

Objectives

Penrose Health is committed to ensuring that all information within its responsibility is created, processed and held to a high standard of quality in a manner which ensures accurate and appropriate decision making.

The right information, to the right people at the right time

• This policy sets out Penrose Health intentions for the creation and maintenance of high-quality information and the management of the associated risks.
• To be of value, information quality must be accurate and complete. The provenance of the information (where it came from) and its timeliness (when it was collected or altered) should be captured where necessary and possible;
• Information systems must incorporate methods (or controls) to support the capture of accurate and complete information. This includes validation checks and reporting to identify errors, outliers and issues that require investigation;
• Procedures must incorporate appropriate steps for the validation of information to ensure that it is accurate and complete throughout its lifecycle (from creation through use, to disposal);
• Working practice supported by training must deliver methods to check and confirm that accurate information is collected, maintained and shared. Those working with information need their training needs and requirements for improving skills and knowledge around information quality assessed and supported;
• Contracts with commissioned services (healthcare and non-healthcare) must incorporate provisions for information quality. These must be supported by methods for monitoring, escalating and resolving issues around information quality;
• Information must fulfil all of the purposes required of it and must be used in a lawful and appropriate manner.
• When reporting, sharing or publishing information, processes must include appropriate checks (including validation where possible) to ensure that accurate information is provided;
• Concerns around the quality of information will be assessed to capture any associated risks and issues arising, to ensure appropriate mitigation, management and risk reduction over time.

Equality Analysis

This document demonstrates the organisation’s commitment to create a positive culture of respect for all individuals, including staff, patients, their families and carers as well as community partners.  The intention is, as required by the Equality Act 2010, to identify, remove or minimise discriminatory practice in the nine named protected characteristics of age, disability, sex, gender reassignment, pregnancy and maternity, race, sexual orientation, religion or belief, and marriage and civil partnership. It is also intended to use the Human Rights Act 1998 and to promote positive practice and value the diversity of all individuals and communities.

Definitions

See Appendix A below for definitions.

Responsibilities

Key responsibilities, accountability and governance arrangements are outlined within the Information Governance Framework

Principles of Information Quality

6.1 Accessibility

Information can be accessed quickly and efficiently through the use of systematic and consistent management in electronic and physical formats. Access must be appropriate so that only those with a lawful basis and legitimate relationship to information can view, create or modify it.

6.2 Accuracy

Information is accurate and supported by appropriate systems, processes, guidance and practices. This is a legal requirement of the Data Protection Legislation that ‘personal data shall be accurate, and where necessary, kept up-to-date’. Ideally, systems will capture data once and ensure that accuracy is maintained and checked through process.

Any limitations on accuracy of data must be made clear to its users and effective margins of error built into calculations.

6.3 Completeness

The relevant information required is identified. Systems, processes and working practices ensure it is routinely captured. The specification of what data is required for the defined need will be incorporated into processes, collection and validation.

Evaluation of information quality must include checks for missing, incomplete or invalid information and consider the causes for this and any associated risks.

6.4 Relevance

Information is kept relevant to the issues rather than for convenience, with appropriate management and structure.

6.5 Reliability

Information must reflect a stable, systematic and consistent approach to collection, management and use. Methods of collection, use and analysis must ensure consistency in the data and variations in these methods must be considered for their potential impact on the quality or content of the information.

6.6 Timeliness

Information is recorded as close as possible to being gathered and can be accessed quickly and efficiently. This is a requirement of the Data Protection Legislation ‘personal data shall be accurate, and where necessary, kept up-to-date’.

6.7 Validity

Information must be collected, recorded and used to the standard set by relevant requirements or controls. Validity is supported by consistency over time, systems and measures. Any information collection, use or analysis process should incorporate a proportionate validation method or tool to ensure that the standards and principles outlined above are met. Validation tools and processes will support routine data entry and analysis, as well as support the identification and control of duplicate records and errors.

6.8 National data standards

The use of national data standards, such as Information Standards Notices, will be incorporated where it supports the appropriate sharing, exchange and monitoring of information. Systems and processes are evaluated to consider what national data standards are relevant and how they will be incorporated. Any risks from not using these standards will be considered, recorded and appropriately managed.

6.9 NHS Number

The NHS Number is the unique identifier within the National Health Service. Where appropriate and legal to be used, it must be incorporated into all correspondence with patients and relevant information systems to ensure that the correct individual is identified.

Services that are commissioned are contracted to the use of an NHS Number, where appropriate, and to ensure it is incorporated into routine data collection, data management and working practice. Appropriate mitigation is required from commissioned services in clinical and commissioning systems for the absence of an NHS number for an individual.

Quality of Information and Quality of Data

As noted above this policy uses the terms data and information as defined by the Cabinet Office. However, issues of quality impact upon data and information differently due to the separate contexts and it is therefore important to draw distinctions between the two. The principles outlined in this policy apply to both, but the following sections outline issues around the individual context.

Quality of Information

Information is defined as ‘the output of some process that summarises interprets or otherwise represents data to convey meaning’. In terms of this policy, the principles of information quality apply to information but are exercised through the process of interpretation or representation. These processes must ensure the information is complete, accurate and support validation. Any errors are identified through the process and the appropriate mitigation undertaken.

Quality of Data

The principles of information quality apply to data and are evaluated before, during and after analysis and interpretation. Processes to ensure the principles in this policy are used but data will be subject to broader analysis for duplication, error and results that sit outside expected ranges.

Errors in Information and Data

Key Principles

It is understood that errors and inaccuracies will occur in information. Systems, processes and analysis during the lifecycle of the information need to identify the causes of any errors, the relevant margin of error introduced into any subsequent use of the information and the appropriate action taken.

This includes understanding the context of any information or dataset, to ensure that “outliers”(results that fall outside expected ranges) are investigated to determine if there are any resulting information quality concerns. It is important to determine and maintain a view of expected ranges of information to support the principles of information quality.

Mitigations

Where errors are identified, appropriate mitigation is required. This includes correction or annotation, where relevant, analysis of process and appropriate action, and ongoing monitoring. Understanding the cause of error and its likely consequence are a key component of improving information quality or managing issues that cannot be addressed through appropriate controls.

Specific Requirements

System Level Policies and Controls

Key information assets (information systems) that utilise information are required to have system level policies setting out their principles of operation and controls. These policies outline the organisation’s principles and approach to information quality.

These systems must consider the requirements of relevant legislation, legal gateways and national data standards; the policy outlines how they are incorporated and the relevant controls. Routine audits of controls on data and validation programmes are incorporated into system level policies and working practice.

Regular reviews of current controls and working practice are required to ensure that any developments of national standards and guidance are taken into account. The standard and frequency for reviews will be outlined in the relevant system level policy.

Information Collection

Any process that involves information collection must incorporate information quality requirements into the relevant protocol and procedures. This is to ensure the quality of information/data collected is sufficient for the intended purpose(s)

Transcription

Transcribing data from one form to another, either manually or by computer, may increase costs or reduce the quality and usefulness of that data. Organisations collecting confidential information should design collection systems which avoid requirements for transcribing data.

Commissioning

Any commissioning of service (healthcare and non-healthcare) must include appropriate contractual and monitoring for information quality. It is important to set out the requirements for any information to be gathered in the course of the contract and ensure it is appropriate, lawful and meets the required standards for the duration of the contract and at its cessation.

Reports provided by commissioned services will be monitored for information quality requirements against the expected standards with the actions taken by the commissioned service monitored as part of ongoing contract management.

New Systems and Change Control

Any new system or change control, must incorporate an assessment of the impact of the change on information quality and include relevant controls to support. Accountability for this assessment will be clearly defined and incorporated.

Monitoring and compliance

This policy and the associated controls will be monitored through the information risk management system for the organisation.

The practice’s information governance risk register will be reviewed on a regular basis by the IG Lead and additionally by the Information Commissioner’s Officer where required in response to any information incident or enforcement action.

Information risk management is a key component of wider assurance and central in setting the priorities for the information governance work plan for information quality.

Further assurance will be provided through the annual completion of the Data Security and Protection Toolkit (DSPT) and the associated audit completed prior to DSPT submission. Reviews of the current controls and their operation will be undertaken in line with a quarterly timescale, as a minimum, in line with the expectations of the DSPT. It is noted that the DSPT may require supplementary work to ensure broader assurance.

Information risk owners, assisted by information risk administrators, will be required to routinely review any identified risks and information flows associated with the information assets utilised to fulfil the business functions and activities within their remit.

Further monitoring will be undertaken through the change control process.

Table 1 below provides more details.

Non-Compliance

Failure to comply with the standards and appropriate governance of information as detailed in this policy, supporting protocols and procedures can result in disciplinary action. All staff are reminded that this policy covers several aspects of legal compliance that they are responsible for as individuals.

Failure to maintain these standards can result in criminal proceedings against the individual. These include but are not limited to:

• Common law duty of confidentiality;
• Computer Misuse Act 1990;
• Data Protection Act 2018;
• UK General Data Protection Regulation (GDPR);
• Freedom of Information Act 2000;
• Human Rights Act 1998;
• Public Records Act 1958;
• Health and Social Care Act 2012;
• Care Act 2014.

Review

Review will take place every three years or earlier until rescinded or superseded, due to legal or national policy changes.

The audience of this document should be aware that a physical copy may not be the latest version.  The latest version, which supersedes all previous versions, is available in the policy register for the Penrose Health.

Those to whom this policy applies are responsible for familiarising themselves periodically with the latest version and for complying with policy requirements at all times.

Statement of evidence / references

12.1 Key Legislative and Regulatory Environment

The following is a list of the key legislative and regulatory framework

• Data Protection Act 2018;
• UK General Data Protection Regulation 2018 (GDPR);
• Freedom of Information Act 2000;
• Computer Misuse Act 1990;
• Common law duty of confidentiality;
• Human Rights Act 1998;
• Health and Social Care Act 2012;
• Care Act 2014;
• NHS Constitution;
• Information Commissioner’s Office guidance;
• Care Quality Commission Requirements (for commissioned healthcare services);
• Records Management Code of Practice for Health and Social Care 2020;
• Code of Practice on Confidential Information 2014.

12.2 Other References

Other relevant policies are:

• Information Governance
• Information Management
• Information Security
• Confidentiality Policy

A list of related protocols and procedures will be maintained in the Information Governance Framework.

Implementation and dissemination of documentation

The Policy, once approved will be shared with all staff through the all staff email, updated on the intranet, included in staff briefings and placed in the policy register. A team and management briefing will be provided to support this dissemination.

In addition to the monitoring detailed above, awareness of the policy will be checked through a staff survey and spot checks on at least an annual basis.