Secure M&M Record Storage

This is a bit off topic but I can’t think of anywhere else where people may have educated opinions about this.
I’ve been told that I’m not to store records of M&M discussions on our team SharePoint or even on my P drive because it’s not secure enough. Apparently on paper in a folder in my office is much more secure. Do you think this is the right way of going about this? I’m not super keen on being responsible for a pile of paper in my unlocked office (swipecard into department but beyond that I don’t know who’s going into my office when I’m not here). Are there any better solutions?

Thanks
Courtney

Hi Courtney,

I don’t know the details of your system but this is basically nonsensical advice. A competent set-up and configuration, either on-prem or in one of the big cloud providers, is sufficient for medical-in-confidence documents. State-level actors can probably penetrate cloud providers but they can also penetrate your office if they care that much. Much of what we all do is discoverable via OIA anyway.

I would be taking the line that it is their job to provide you with a suitable environment to store such documents. If this is not being provided to you by them, why not and when is this going to happen?

I hope this makes some sense to you. I am happy to have a conversation if that would be of help to you.

Greig


Thanks for your response - I was unsure if it was just me that found it nonsensical. The SharePoint we use is administered by healthAlliance i.e. it’s an ‘official’ means of storage.

I think the concern is around it being accessible in the case of an HDC complaint or similar - but they’d get access to paper documents anyway. If they’re that concerned, I’m not sure why it’s being written down in the first place. I’ll definitely follow up about getting an appropriate storage solution.

Courtney

Hi Courtney,

M and M meetings are interesting in this sense. I had a loose understanding of some of the protections about them but have done a bit of quick reading.

M and M meetings ideally come under the framework of “Protected Quality Assurance Activities”.

This document is a good read (if you haven’t seen it already)

And here’s an example of what a Protected Quality Assurance Activity looks like in legislation:

https://www.legislation.govt.nz/regulation/public/2021/0410/7.0/whole.html

Massive caveat - I am not a lawyer. But I suspect that the folks who have told you that you can’t put M&M records on a team SharePoint or personal drive have more of an internal lens on this rather than risk of external breaches.

The reason for applying the legislative protection around QAA is nicely explained in the MOH summary

“The confidentiality provision is based on the premise that QAAs can only be effective if the health practitioners involved are able to participate in them fully and frankly, without fear of recrimination. By protecting the confidentiality of information gathered as part of a QAA and by providing participants with immunity from civil liability, the current protection is considered to provide medical practitioners with such an environment.”

This document from RACS is also worth a read

So in essence, I would hope that the push back you’re getting is related to ensuring that the environment for disclosure and discussion is an enabling one, and this may (albeit paradoxically) be enhanced by having a single analogue source of truth.

As analogue is a dirty word here… it’s worth noting that the RACS document linked below does talk about electronic record keeping, however I think this is with the expectation of a structured, centralised, auditable and secure tool rather than more of a filing cabinet model (i.e. SharePoint or a network drive).

I’m now going to go back to work on Monday and see if our department M&Ms are gazetted in legislation… :)


Your organisation should have a legal practice and a privacy practice - and also an information security practice. These areas should be providing advice on the storage of official information. HealthAlliance is part of Te Whatu Ora, which is a Crown Agency and is subject to the Official Information Act… all official information is discoverable, though release may be limited in part or in full depending on the criteria of the Act (so storing information in an official system should not be immediately construed as placing that information at risk of a breach). But if earlier commenters are correct and the concern is more about the system itself being not-fit-for-purpose, then you need to be asking for an appropriately secured electronic document management system (EDMS).
The Protective Security Requirements https://protectivesecurity.govt.nz/ provide a whole lot of useful reference information about the ways agencies of the Crown should be protecting information - both electronically and physically. Chances are your office does not meet the requirements if the material is sufficiently of ‘need to know’ concern that you aren’t happy seeing it stored in your office space which is open to authorised colleagues.
Very much personal opinion (and I work for the Ministry of course) but you should have an EDMS which can be secured down to those with need-to-know and your information should be stored there as a single-source-of-truth with access auditability, online backup and more then being part-and-parcel.
