Data and Security —
Training activity: 5

Details

Undertake an information assurance audit of digital clinical and non-clinical data across a patient pathway and report the findings

Type

Developmental training activity (DTA)

Evidence requirements

Evidence the activity has been undertaken by the trainee​.

Reflection on the activity at one or more time points after the event including learning from the activity and/or areas of the trainees practice for development.

An action plan to implement learning and/or to address skills or knowledge gaps identified.

Considerations

• Local, national, international guidelines and legislation
• Data protection, cyber security and information governance
• Data retention periods – standards
• Traceability
• Version control
• Data integrity
• Synchronisation and reconciliation
• Data access requests
• Data transfer
• Accessibility
• Documentation

Reflective practice guidance

The guidance below is provided to support reflection at different time points, providing you with questions to aid you to reflect for this training activity. They are provided for guidance and should not be considered as a mandatory checklist. Trainees should not be expected to provide answers to each of the guidance questions listed.

Before action

• What do you need to know before undertaking this audit? This includes understanding the patient pathway, relevant legislation and guidance on information assurance, audit methodologies, and reporting standards.
• What do you anticipate you will learn from this experience? Consider gaining insights into data flows across a pathway, identifying potential information assurance risks, and developing effective audit reporting skills. Reflect on your existing knowledge of information governance and audit processes.
• What actions will you take in preparation for this experience? Will you review relevant information governance policies and procedures? Will you discuss the audit scope and methodology with your training officer? Consider potential challenges in accessing data or interpreting regulations and how you might handle them. Identify how you feel about embarking on this training activity.

In action

• As you trace the data across the patient pathway, what methods are you using to gather information about data flows and security controls? Why are you focusing on these specific points in the pathway?
• What decisions are you making about the scope and depth of your audit? How are you assessing the adequacy of the controls you observe?
• Which aspects of the audit process, such as identifying data stores or assessing access controls, feel more familiar, and where do you need to concentrate more effort?
• How effective do you think your current approach is in identifying potential information assurance weaknesses? What difficulties are you encountering in understanding the data flows or the controls in place?
• What new insights are you gaining about the information assurance landscape within this patient pathway? How does this relate to your understanding of relevant legislation and guidance?
• If you are unsure about the security posture of a particular system or data transfer, what alternative ways could you seek clarification or evidence? Would consulting with system owners or security personnel be appropriate at this stage? Are the audit steps you are taking aligned with established information assurance principles?

On action

• Describe the patient pathway you audited, the types of digital data involved, the audit process you followed, and the key findings you reported.
• What did you learn about the flow of digital information across a patient pathway? How did you apply relevant legislation and during the audit? What challenges did you encounter in tracking and auditing data across different systems? Did reflecting on your approach during the audit help you adapt your methodology?
• What aspects of information assurance auditing do you need to develop further? How will you apply this learning to future audits of patient pathways or other data flows? What are your next steps in deepening your understanding of relevant legislation and guidance? Do you require any further resources or training on information assurance audit methodologies?

Beyond action

• Have you revisited your audit findings and recommendations? How does your understanding of data flows and information governance across patient pathways compare now? Have you discussed your findings with colleagues?
• How has this audit experience shaped your awareness of information assurance principles in your current practice? Has it improved your ability to analyse complex data flows?
• What transferable skills, such as data analysis and reporting, did you develop? What further actions can you take to enhance your information assurance auditing skills?

Relevant learning outcomes

#	Outcome
# 1	Outcome Review and prepare appropriate documentation for clinical information systems.
# 3	Outcome Apply the principles of “data protection by design” to new and existing clinical information systems.
# 4	Outcome Undertake information assurance audits, applying relevant legislation and guidance to clinical data flows.