Governance: From recording to learning lessons

The organisation must have structured systems for recording whistleblowing concerns, their outcomes and any resulting action taken to resolve the concern.  It is important that these systems are able to hold records in a way that takes full account of the need for staff confidentiality, the requirements of the General Data Protection Regulation and the Data Protection Act 2018, and the current Scottish Government Records Management Code of Practice. 

Confidentiality and data protection

It is essential that recording systems are able to maintain confidentiality, and that access to personal data (such as the person’s identity and other personal information) is restricted.  In some cases, this will mean that only one person or a very select (and specific) group can access this personal data.  The person raising the concern should be informed as to who their personal data will or may be shared with and the body sharing the personal data must ensure that they have a lawful basis for sharing that data.

Every data controller and data processor (i.e. anyone that is receiving a concern a and applying the Standards) must satisfy themselves that they are meeting the requirements of the General Data Protection Regulation and the Data Protection Act 2018, as well as their own duties of confidentiality.  This relates both to the personal data of the person raising the concern and to all personal data and confidential information used in applying the Standards.

For example, the organisation should consider matters including, but not limited to, compliance with data protection law and confidentiality requirements when:

• recording a concern and setting limits on who will have access to the information being processed in relation to the concern raised, based on an assessment of what is needed for the process, and
• taking appropriate technical and organisational measures to preserve the integrity and security of the information;

Likewise, anyone that is receiving a concern and applying the Standards should give consideration to:

• deciding who the concern will be shared with and why
• finding out whether anyone sharing their own personal data understand who their personal data may or will need to be shared with, and under what circumstances, and
• assessing who else might need to be informed of the identify of the person raising the concern and why.

Information relating to the concern can be shared more widely than the person’s personal details, though care must still be taken to do this lawfully and to consider who will have access to this information and what assumptions may be made about who raised the concern.  This information should be shared only where it is necessary to resolve or investigate the concern.  There should be a presumption against sharing information unless there is good reason to do so, to reduce risks for patients and/or the organisation.

All managers and the organisation’s confidential contact or whistleblowing ambassador must be able to record concerns.  However, they must not be able to access other records, unless they have good reason to do so, and have been given specific permission. 

It may be appropriate to hold personal data about the person who has raised the concern in a different part of the system from that which contains details of the concern raised and handling of the case.  Each organisation’s IT arrangements will vary, to reflect their structures and the size of the organisation.

Enabling reporting

The organisation must ensure that systems allow for full reporting of all concerns raised under this procedure, regardless of who they have been raised with.  There will be some members of staff who need access to data specifically for reporting purposes.  As a minimum this would include the organisation’s confidential contact or whistleblowing ambassador and the whistleblowing champion (for boards).  Most organisations will need to ensure that others can also access some or all of this information, and it is for each organisation to establish how best to ensure effective reporting arrangements.

It is essential to record all information on whistleblowing concerns (including concerns raised anonymously) as follows:

1. person’s name, work location (where appropriate), and contact details (mindful of their preferred method of contact) – access to this information must be restricted
2. the nature of the concern raised
3. if the concern was raised on behalf of another person, whether that other person has given consent to do so
4. what role the person raising the concern has (e.g. nurse, technician, doctor, administrator, etc)
5. date the concern was received
6. date the event occurred
7. how the whistleblowing concern was received
8. service area to which the whistleblowing concern refers
9. whether the concern includes an element of bullying and harassment and/or other HR issue
10. whether the concern raises issues of patient safety
11. whether the person has already experienced detriment as a result of raising this concern
12. date the concern was closed at the early resolution stage (where appropriate)
13. date the concern was escalated to the investigation stage (where appropriate)
14. date the concern was closed at the investigation stage (where appropriate)
15. outcome of the investigation at each stage
16. findings in relation to safety concerns and potential harm
17. findings in relation to concerns of fraud or administrative failures, and
18. action taken to remedy any findings.

Reporting whistleblowing concerns

All NHS service providers must record and review information in relation to concerns raised about their services on a quarterly basis. 

Data required for these quarterly reports is based on these key performance indicators (KPIs):

• a statement outlining learning, changes or improvements to services or procedures as a result of consideration of whistleblowing concerns
• a statement to report the experiences of all those involved in the whistleblowing procedure (where this can be provided without compromising confidentiality)
• a statement to report on levels of staff perceptions, awareness and training
• the total number of concerns received
• concerns closed at stage 1 and stage 2 of the whistleblowing procedure as a percentage of all concerns closed
• concerns upheld, partially upheld and not upheld at each stage of the whistleblowing procedure as a percentage of all concerns closed in full at each stage
• the average time in working days for a full response to concerns at each stage of the whistleblowing procedure
• the number and percentage of concerns at each stage which were closed in full within the set timescales of 5 and 20 working days
• the number of concerns at stage 1 where an extension was authorised as a percentage of all concerns at stage 1, and
• the number of concerns at stage 2 where an extension was authorised as a percentage of all concerns at stage 2.

Performance at stage 2 and extensions

The timescale of 20 working days for a concern to be closed at the investigation stage aims to ensure cases are progressed as efficiently as possible; while overall timescales will be measured, there is no performance measure or KPI that sets down how many cases must be closed within this timescale. 

Extensions to timescales should be signed off by senior leadership, and only when it is clear that additional time is needed to ensure a thorough and robust investigation of the issues of concern.  If an extension is granted, those involved must all be informed of indicative revised timescales and regular updates on progress must be sent every 20 working days.

Any related HR processes should progress in parallel with an investigation into the concerns raised through this procedure.  Every effort should be made to avoid delay in this procedure as a result of associated HR procedures, as this could raise the risk of unsafe or ineffective service delivery.

Senior management review

Concerns must be analysed for trend information to ensure service failures are identified and appropriate action is taken.  Quarterly reporting to senior management helps to identify how services could be improved or internal policies and procedures updated.  Where appropriate, this review must also consider any recommendations made by the INWO in relation to the investigation of NHS whistleblowing concerns.

The outcomes of these reviews should be reported via the organisation's governance structure to the NHS board for review by its members, or equivalent governing body.

Reporting from primary care and other contracted services

NHS boards are responsible for ensuring all primary care and other contracted service providers supply the appropriate KPI information to their board as soon as possible after the end of the quarter. 

For contracted services, the contract or service level agreement must set out the requirements in relation to reporting concerns. 

In instances where no concerns have been raised within either primary care or other contracted services, there is no need to provide a quarterly return to the board, but annual reports must still be submitted, setting out the concerns that have been raised over the year, or an explanation that there have been no concerns raised.  The board should use this longer-term monitoring of the raising of concerns to gain assurances that staff have confidence in the systems in place.
 

The two key ways of learning from concerns are:

• identifying improvements based on the findings of an investigation
• using statistical analysis of concerns raised at a departmental or organisational level to identify recurrent themes, trends or patterns of concerns.

Improvements following investigations

When an investigation identifies that there is a need for change, the organisation must proactively explore the root causes of the concern, how widespread the issue is and the likelihood of recurrence. 

Investigations may identify improvements which are applicable across other services or clinical departments, and it is important for senior leaders to ensure that every opportunity is taken to explore when service improvements can lead to wider organisational learning.

Statistical analysis

Statistical analysis can be used to identify trends, themes and patterns from the concerns raised across a department or service.  Given the potential for different routes to be used to raise concerns, and for confidentiality concerns to limit the number of people informed of them, it is particularly important that the outcomes of concerns are reported and analysed. 

Where a pattern is identified, this must be fully explored to identify if there are any shared root causes which should be addressed.  For example, several concerns raised about cleaning services may reflect a more significant issue in relation to the delivery of cleaning services within a department.

Boards must publish an annual report setting out performance in handling whistleblowing concerns.  This should summarise and build on the quarterly reports produced by the board, including performance against the requirements of the Standards, KPIs, the issues that have been raised and the actions that have been or will be taken to improve services as a result of concerns. 

Boards must work with their services providers (including primary care) to ensure they get the required information so that this annual report covers all the NHS services provided through the board.  Integration joint board (IJB) reporting must also be covered in this report, unless a separate annual report covering all IJB services is published by the IJB itself.  The annual report must also include concerns raised by students and volunteers about NHS services. 

This provides the opportunity for boards to show that they have listened to their staff, addressed the concerns raised and made improvements to services.  A focus on the lessons learned will demonstrate that concerns are taken seriously and that staff are treated well through the process.

An increase in the number of whistleblowing concerns is not necessarily a cause for concern; it may reflect a shift towards a culture that values the raising of concerns as opportunities to learn and improve.  However, an increase in anonymous whistleblowing concerns may be driven by different considerations, and potentially a culture that does not value the raising of concerns.  Likewise, very low numbers of concerns being reported may indicate a lack of confidence in the processes and support in place.  The data should be considered in the context of existing trends and benchmarking data.  The reason for any major variations must be fully explored, and appropriate action taken in response. 

Every effort must be made during the preparation of these reports to ensure that the identities of those involved in whistleblowing concerns cannot be discerned from the information or context provided in the report.  This is particularly relevant where small numbers of cases are involved.  In such instances it may be necessary to provide more limited information.

These reports must be easily accessible to members of the public and available in alternative formats as requested.

As well as publicising performance in relation to concerns handling, all providers should show that they encourage staff to speak up, and that doing so leads to improvements in services.  This can be achieved through sharing the learning from concerns as widely as possible, and by publicising good news stories on a regular basis.  This could be through staff newsletters, leaflets, posters or on staff intranet pages, to ensure that staff across the organisation have easy access to it.  This helps to show staff that raising concerns can influence service delivery and improve the profile and transparency of the whistleblowing procedure. 

Openly and regularly discussing improvements that have been made as a result of concerns raised by staff at a team or departmental level will also encourage staff to raise their concerns.  This must be done carefully and with sensitivity, to ensure appropriate confidentiality is maintained.  However, the benefits of gaining staff trust through discussing and sharing improvements should be explored when possible.