Digital Mental Health Clinical and Technical Governance Standard

Service providers have a responsibility to the community for continuous improvement of the safety and quality of their services, and ensuring that they are person centred, safe and effective.

The intention of this standard is to implement a clinical and technical governance framework that ensures service users and their support people receive safe and high-quality care.

Governance, leadership and culture

Service providers set up and use clinical and technical governance systems to improve the safety and quality of care.

Governance, leadership and culture

The governing body:

  • Provides leadership to develop a culture of safety and quality improvement, and satisfies itself that this culture exists within the organisation
  • Provides leadership to ensure partnering with service users and their support people
  • Sets priorities and strategic directions for ethical, safe and high-quality care, and ensures that these are communicated effectively to the workforce and service users and their support people
  • Endorses the organisation’s clinical and technical governance frameworks
  • Ensures that roles and responsibilities are clearly defined for the governing body, management, clinicians, peer workers, technicians and other members of the workforce
  • Monitors the action taken as a result of analyses of clinical and technical incidents and trends
  • Reviews reports and monitors the organisation’s progress on safety, quality, performance and effectiveness
  • Establishes principles and practices within governance frameworks that support the organisation’s ability to adapt to technology as it changes.

The governing body must assure itself that a culture of safety and quality improvement operates in the service, encompassing both clinical and technical components.

  • How does the governing body understand and promote safety and quality?
  • How does the governing body observe ethical standards in the delivery of services?
  • How does the governing body set strategic direction, and define safety and quality roles and responsibilities?
  • What information does the governing body use to monitor progress and report on strategies for safe and high-quality clinical care?
  • An organisational charter or constitution
  • Policy documents that describe the roles and responsibilities of the governing body and the workforce
  • The service provider’s ethical principles, and processes for partnering with service users
  • Strategic, business or risk management plans endorsed by the governing body that describe the priorities and strategic directions for safe and high-quality services
  • Codes of conduct that are endorsed by the governing body
  • Committee and meeting records in which clinical and technical governance, leadership, safety and quality culture, performance and effectiveness, or partnering with service users and their support people, are discussed
  • Documented clinical and technical governance frameworks that are endorsed by the governing body
  • Contracts with vendors/developers of digital mental health services that clearly define the roles and responsibilities in the governance and monitoring of digital mental health services (if applicable)
  • An audit framework or schedule that is endorsed by the governing body
  • Safety and quality performance and effectiveness data (including outcome measures), compliance reports and reports of clinical and technical incidents that are monitored by the governing body, managers or the clinical or technical governance committees
  • Workforce safety survey reports
  • Employee opinion survey reports
  • A cultural assessment tool used by the service provider, and reports of assessments conducted
  • Rainbow Tick assessment or accreditation
  • An annual report that includes information on the service provider’s safety and quality performance and effectiveness
  • Terms of reference or letter of appointment to the governing body that describes members’ safety and quality roles and responsibilities
  • Communication with the workforce or service users on the clinical and technical governance frameworks for safety and quality performance.

Organisational leadership

Action 1.02

The service provider establishes and maintains clinical and technical governance frameworks, and uses the processes within these frameworks to drive improvements in safety, quality, performance, and effectiveness.

The service provider’s clinical and technical governance frameworks are comprehensive and effective in improving clinical and technical safety and quality.

  • Does the service provider have documented clinical and technical governance frameworks?
  • How are the clinical and technical governance frameworks integrated in practice?
  • How is the effectiveness of the clinical and technical governance frameworks reviewed?
     
  • Documented clinical and technical governance frameworks
  • Documented safety and quality goals and performance and effectiveness indicators for the services provided by the service provider
  • A documented organisational and committee structure that is aligned to the clinical and technical governance frameworks
  • Audit results showing compliance with the service provider’s clinical and technical governance frameworks, and management of safety and quality risks
  • Reviews or evaluation reports on the effectiveness of the service provider’s safety and quality systems for services.

Action 1.03

The service provider implements and monitors strategies to meet its priorities for diverse population groups, including Aboriginal and Torres Strait Islander peoples, and inclusion of service users and, where relevant, their support people.

The health needs of diverse population groups, including Aboriginal and Torres Strait Islander peoples, are identified, and strategies are implemented to improve the safety and quality of care provided.

  • How are the needs and priorities of diverse population groups considered and identified?
  • What are the community-defined needs of Aboriginal and Torres Strait Islander peoples?
  • What strategies are used to improve outcomes for diverse population groups using the services?
  • How are these strategies monitored, evaluated, and reported?
  • Policy documents that incorporate the safety and quality needs and priorities for diverse population groups, including Aboriginal and Torres Strait Islander peoples
  • Documented goals and performance indicators for the targets and intended health outcomes for diverse population groups; these should be regularly monitored and reported to the governing body
  • Committee and meeting records that describe the safety and quality priorities and strategies for diverse population groups, including Aboriginal and Torres Strait Islander peoples
  • Evidence of previous or current engagement with Aboriginal communities about their mental health needs and priorities and their preferred strategies for digital mental health services
  • Examples of specific strategies that have been implemented to meet the needs of diverse population groups, including Aboriginal and Torres Strait Islander peoples
  • A current Reconciliation Action Plan, with reports of progress against actions in the plan
  • Role descriptions and recruitment processes for cultural consultants
  • Memorandum of understanding with partners from diverse population groups.

Action 1.04

The service provider considers the safety and quality of health care for service users and their support people in its business decision-making.

Business decisions put the safety and quality of care for service users and their support people first.

  • How are safety and quality issues considered when making business decisions?
  • How are decisions about the safety and quality of care documented?
  • Committee and meeting records – such as those from finance, audit and strategic planning committees – that show that the safety and quality of digital mental health care is considered in business decision-making
  • Strategic plans, operational plans or business plans that outline the potential impact of decisions on the safety and quality of care on service users
  • Business proposal templates that include consideration of safety and quality risks
  • A register of safety and quality risks that includes actions to manage the identified risks
  • A conflict-of-interest register.

Action 1.05

The service provider applies ethical principles to its business decision-making about the design, development, and delivery of services.

The design, development, and delivery of digital mental health services are in line with the service provider’s endorsed ethical principles.

  • How are ethical principles applied when making business decisions?
  • Committee and meeting records – such as those from finance, and strategic planning committees – that show that ethics is considered in business decision-making
  • Strategic plans, operational plans or business plans that outline ethical issues and their potential effect on service users
  • Business proposal templates that include consideration of ethical matters
  • Policy documents that include the organisation’s ethical framework and principles, possibly including whistle blower provisions
  • A code of conduct that outlines ethical principles and the standard of behaviours and actions expected.

Clinical and technical leadership

The service provider:

  1. Ensures clinical, peer worker and technical leaders understand and perform their delegated safety and quality roles and responsibilities
  2. Ensures clinical, peer worker and technical leaders operate within the clinical and technical governance frameworks to improve the safety and quality of health care for service users and their support people
  3. Engages clinical and peer worker expertise in the clinical governance of the service
  4. Engages technical expertise in the technical governance of the service.

Service providers work with clinical, peer worker and technical leaders to optimise the safety and quality of care delivered by digital mental health services.

  • How do clinical leaders contribute to the clinical governance of the service?
  • How do peer workers contribute to clinical and technical governance of the service?
  • How do technical leaders contribute to the technical governance of the service?
  • How does the service provider ensure that the workforce operates within the clinical and technical governance frameworks?
  • Policy documents that outline the delegated safety and quality roles and responsibilities of clinical and technical leaders
  • Documents that outline the leadership capability framework
  • Employment or contract documents that describe the safety and quality roles and responsibilities of clinical and technical leaders
  • Documented workforce performance appraisals or contract reviews that include feedback to clinical and technical leaders on the performance of safety and quality roles and responsibilities
  • A code of conduct that outlines the standard of expected behaviours and actions
  • Training documents relating to workforce safety and quality roles and responsibilities
  • Results of clinical and technical audits of the performance of the workforce under the clinical and technical governance frameworks
  • Documented results of clinical and technical audits, and actions taken to deal with any identified issues
  • Policy documents that outline performance review and performance management processes.

Safety and quality systems

Safety and quality systems are integrated with governance processes to enable the service provider to actively manage and improve the safety and quality of care.

Legislation, regulations, policies and procedures

The service provider uses a risk management approach to:

  1. Set out, review, and maintain the currency and effectiveness of policies, procedures and protocols
  2. Monitor and take action to improve adherence to policies, procedures and protocols
  3. Review compliance with legislation, regulations, and jurisdictional requirements.

The service provider has current, comprehensive and effective policies, procedures and protocols that cover safety and quality risks and compliance with legislation and regulations.

  • How does the service provider ensure that its policy documents are current, comprehensive, and effective?
  • How does the service provider ensure that its policy documents comply with legislation, regulations, and national, state or territory requirements?
  • Documented processes for developing, authorising, and monitoring the implementation of the service provider’s policy documents
  • A register of policy document reviews, including the date of effect, dates that policy documents were amended, and a prioritised schedule for review
  • Examples of policy documents that have been reviewed in response to identified risks, or changes in legislation, regulation, or best practice
  • Committee and meeting records that describe the governance structure, delegations, roles, and responsibilities for overseeing the development of policy documents
  • Results of audits of healthcare records and clinical practice for compliance with policy documents
  • Results from workforce surveys and feedback on policy documents
  • Data and feedback from risk management, incident management and complaints management systems, and evidence that these data are used to update policy documents
  • Communication with the workforce on new or updated policy documents
  • Training documents on new or amended policy documents or use of policy documents
  • Schedules and timelines for statutory reporting.

Measurement and quality improvement

Action 1.08

The service provider uses quality improvement systems that:

  1. Identify safety, outcome, and quality measures, and monitor and report performance and outcomes
  2. Identify areas for improvement in safety and quality
  3. Maintain a quality improvement register to log initiatives to improve safety and quality
  4. Assign to members of the workforce clear responsibility for safety and quality
  5. Implement and monitor safety and quality improvement initiatives.

An effective quality improvement system is operating for digital mental health services, and includes improvement of service user experience and outcomes.

  • How does the quality improvement system reflect the service provider’s safety and quality priorities and strategic direction?
  • How does the service provider identify and document safety and quality risks and opportunities for improvement?
  • What processes are used to ensure that the actions taken to manage identified risks and improvements are effective?
  • Policy documents that describe the processes and accountability for monitoring the safety and quality of services
  • Documented safety and quality performance measures
  • A schedule for internal or external audits
  • Audit reports, and presentations of analysis of safety and quality performance data
  • Feedback from the workforce about the use of safety and quality systems
  • Feedback from service users about their involvement in the review of safety and quality performance data
  • A quality improvement register and a plan that includes actions to deal with issues identified
  • Examples of specific quality improvement activities that have been implemented and evaluated
  • Committee and meeting records in which reports, presentations, and safety and quality performance data are regularly reviewed and reported to the governing body or relevant committees
  • Training documents about the service provider’s quality improvement system
  • Communication with the workforce and service users that provides feedback about safety and quality of services
  • Published research on digital mental health service safety, outcomes and quality.

Action 1.09

The service provider ensures timely reports on safety and quality systems and performance are provided to:

  1. The governing body
  2. The workforce
  3. Service users and their support people.

Accurate and timely information on clinical and technical safety and quality performance of digital mental health services is provided to key stakeholders.

  • What processes are used to ensure stakeholders are provided with accurate and timely information about safety and quality performance?
  • Reports on safety and quality performance data that are provided to the governing body, the workforce or service users
  • Committee and meeting records in which safety and quality indicators, data or recommendations by the governing body are discussed
  • Committee and meeting records in which the appropriateness and accessibility of the service provider’s safety and quality performance information are discussed
  • A communication strategy that describes processes for disseminating information about safety and quality performance
  • Communication with the workforce and service users and their support people about the service provider’s safety and quality performance
  • Records of safety and quality performance information published in annual reports, newsletters or other media
  • Reporting templates and calendars.
     

Risk management

The service provider:

  1. Identifies and documents service risks
  2. Uses clinical, technical, and other data collections to support risk assessments
  3. Acts to reduce risks
  4. Regularly reviews and acts to improve the effectiveness of the risk management system
  5. Reports on risks to the workforce, and service users and their support people
  6. Plans for and manages internal and external emergencies and disasters, including cybersecurity risks and threats.

The service provider identifies and manages risk effectively.

  • How does the service provider identify and document risk?
  • What processes does the service provider use to set priorities for, and manage, risks?
  • How does the service provider use the risk management system to improve safety and quality?
     
  • Policy documents that describe the processes for implementing and monitoring the risk management system
  • Policy documents that describe the reporting lines, and roles and responsibilities of the workforce when dealing with emergencies and disasters
  • A risk register that includes actions to manage identified risks
  • Reports on safety and quality data that are analysed to identify and monitor safety and quality risks
  • Data analysis and reports on safety and quality performance trends
  • Feedback from the workforce on safety and quality risks, and the effectiveness of the risk management system
  • Committee and meeting records about oversight of the risk management system, or the review of clinical, technical, and other data collections
  • Committee and meeting records in which risk, and the appropriateness and accessibility of safety and quality performance information are discussed
  • Audit schedule and reports on compliance with the policies, procedures and protocols of the service provider’s risk management system
  • Communication with the workforce and service users and their support people on risks and risk management
  • Published records of safety and quality performance information – for example, annual reports, newsletters, newspaper articles, radio items, and websites
  • A business continuity plan, or emergency and disaster management plan
  • Training documents about risk management, and the management of emergencies and disasters, including cybersecurity risks and threats.
     

Incident management systems and open disclosure

Action 1.11

The service provider has incident management and investigation systems and:

  1. Assists the workforce to recognise and report incidents
  2. Assists service users and their support people to communicate concerns or incidents
  3. Involves the workforce, consumers, carers, and families in the review of incidents
  4. Provides timely feedback on the analysis of incidents to the governing body, the workforce, and service users and their support people
  5. Uses the information from the analysis of incidents to improve safety and quality
  6. Incorporates risks identified in the analysis of incidents into the risk management system
  7. Regularly reviews and acts to improve the effectiveness of the incident management and investigation systems.

Clinical and technical incidents are identified and managed appropriately, and action is taken to improve safety and quality.

  • How does the service provider identify and manage incidents?
  • How are the workforce and service users involved in reviewing incidents?
  • How is the incident management and investigation system used to improve safety and quality?
  • An incident management and investigation system in which clinical and technical incidents are documented, analysed, and reviewed
  • Policy documents about reporting, investigating and managing clinical and technical incidents
  • Information on clinical and technical incidents and the actions taken to manage identified risks, and how these actions are incorporated into the service provider’s risk management system or quality improvement plan
  • Training documents about recognising, reporting, investigating and analysing incidents, adverse events and near misses
  • Committee and meeting records that describe the incident management and investigation system, and the strategies and actions to reduce risk
  • Committee and meeting records that show workforce and service user involvement in the analysis of organisational safety and quality performance data
  • Clinical and technical incident reporting forms and tools that are accessible to the workforce and service users
  • Information and resources that support the workforce and service users to report clinical and technical incidents
  • Feedback from the workforce and service users about their involvement in the review and analysis of organisational safety and quality performance data
  • Examples of specific improvement activities that have been implemented and evaluated to reduce the risk of incidents identified through the incident management and investigation system
  • Results of completed clinical or technical incident investigations
  • Audit results showing compliance with the incident management and investigation system.

Action 1.12

The service provider:

  1. Uses an open disclosure program that is consistent with the Australian Open Disclosure Framework
  2. Monitors and acts to improve the effectiveness of open disclosure processes.

An open disclosure process is used to enable the service provider, clinicians and its peer workers and technicians to communicate openly with service users and, if relevant, their support people, about unexpected healthcare outcomes or harm from using its services.

  • How is the workforce trained and supported to discuss incidents that have caused harm to service users?
  • How is information from the open disclosure program used to improve safety and quality?
  • Policy documents that are consistent with the principles and processes outlined in the Australian Open Disclosure Framework
  • Reports by the service provider about open disclosure events
  • Information and data on open disclosure presented to the governing body and relevant committees
  • Committee and meeting records about issues and outcomes related to open disclosure.

Feedback and complaints management

Action 1.13

The service provider:

  1. Has processes to seek regular feedback from service users and their support people about their experiences of the service and outcomes of care
  2. Uses this information to improve safety, quality, performance, and effectiveness.

Feedback from the workforce, service users and their support people is used to improve the safety and quality of digital mental health services.

  • How does the service provider collect service user experience feedback?
  • How does the service provider collect feedback from the workforce?
  • How are service user experience data and workforce feedback used to improve safety and quality?
  • Tools used for collecting service user feedback
  • Committee or meeting records about the selection of service user experience questions, and review of service user feedback
  • Data analysis and reports of service user feedback or surveys used to evaluate the service provider’s performance
  • Strategic, business and quality improvement plans that incorporate service user feedback.

Action 1.14

The service provider has a complaints management system, and:

  1. Encourages and assists service users and their support people to report complaints
  2. Involves service users and their support people in the review of complaints
  3. Resolves complaints in a timely way
  4. Provides timely feedback to the governing body, the workforce, and service users and their support people on the analysis of complaints and actions taken
  5. Uses information from the analysis of complaints to inform improvements in safety and quality
  6. Records the risks identified from the analysis of complaints in the risk management system
  7. Regularly reviews and acts to improve the effectiveness of the complaints management system.

An effective complaints management system is in place and used to improve safety and quality of digital mental health services.

  • What processes are used to ensure that complaints are received, reviewed, and resolved in a prompt and compassionate manner?
  • How are complaints data used to improve safety and quality?
  • What processes are used to review the effectiveness of the complaints management system?
  • Policy documents that describe the processes for recording, managing, and reporting complaints
  • A complaints register that includes responses and actions to deal with identified issues, and a schedule for review of these responses
  • Training documents about the complaints management system
  • Service user information and resources about the service provider’s complaints mechanisms
  • Feedback from the workforce on the effectiveness of the complaints management system
  • Feedback from service users and their support people on reported complaints data
  • Results of audits of compliance with complaints management policies
  • Evaluation reports that note the effectiveness of responses and improvements in service delivery
  • Committee and meeting records in which trends in complaints and complaints management are discussed
  • Reports or briefings on complaints provided to the governing body, the workforce or service users
  • A quality improvement plan that includes actions to deal with issues identified
  • Examples of improvement activities that have been implemented and evaluated.

Diversity and high-risk groups

The service provider:

  1. Identifies the diversity of service users and their support people
  2. Identifies groups of service users who are at higher risk of harm
  3. Incorporates information on the diversity of service users and their support people, and higher-risk groups, into the planning and delivery of the service.

The diversity of service users and their support people, and high-risk groups, are considered in the planning and delivery of digital mental health services.

  • What are the sociodemographic characteristics of the service user population and their support people?
  • How do these characteristics affect the risk of harm to service users?
  • How is this information used to plan service delivery and manage inherent risks for service users and their support people?
  • How are the needs of high-risk groups catered for?
  • The demographic data for the service provider and its service user communities that are used for strategic planning purposes
  • The service provider’s risk profile, including details of service safety and quality risks, and their potential impact
  • Results of an assessment or survey of mental health service needs that can be met by digital mental health services
  • Strategic or business plans that reflect the diversity of the service user population and their support people
  • Training documents about diversity and cultural awareness
  • Service user information that is available in formats and languages that reflect the diversity of the service user population
  • Reports on interpreter use and access (if relevant)
  • Examples of actions taken to meet the needs of high-risk service users (for example, cultural awareness events).

Healthcare records

Action 1.16

The service provider has healthcare records systems that:

  1. Support the creation and maintenance of accurate healthcare records
  2. Comply with security and privacy legislation and regulations
  3. Support the systematic audit of clinical information and the technical operation of the healthcare record
  4. Integrate multiple information systems, where they are used.

Comprehensive, accurate, integrated, and accessible healthcare records are maintained and available as required.

  • How does the service provider ensure that healthcare records are accurate and integrated (if applicable)?
  • How does the service provider ensure the privacy and security of healthcare records?
  • Policy documents about healthcare record management, including use, storage, security, consent and sharing of service user information
  • Results of audits of healthcare records for compliance with policies, procedures, or protocols on healthcare records management, including access to healthcare records and sharing of information
  • Results of audits of the accuracy, integration, and currency of healthcare records
  • Committee and meeting records in which the governance of the service provider’s data and information technology systems is monitored or discussed
  • A code of conduct that includes privacy and confidentiality of service user information
  • Signed workforce confidentiality agreements
  • Secure digital storage systems
  • Observations that services are password protected
  • Records of ethics approvals for research activities that involve sharing service user information
  • Templates for issuing login and password details for digital healthcare records systems
  • Results of audits of the use of a unique identifier in the healthcare records management system
  • Training documents about the healthcare records management system
  • Systems that enable combining of data from many information systems.

Action 1.17

The service provider providing clinical information into the My Health Record system has processes that:

  1. Optimise the safety and quality of care to service users and their support people
  2. Use national patient and provider identifiers
  3. Use standard national terminologies
  4. Describe access to the system by the workforce, to comply with legislative requirements
  5. Maintain the accuracy and completeness of the clinical information the service provider uploads into the system.

Clinical information shared with the My Health Record system is shared securely in compliance with service users’ wishes. Information held in the My Health Record system is accurate, complete, and accessible to authorised persons.

  • Is the information provided to the My Health Record system by the service provider consistent with the legislative requirements of that system?
  • If so, what processes does the provider have in place to ensure the accuracy and completeness of clinical information it provides to My Health Record?
  • Policy documents that describe the service provider’s processes for uploading information to the My Health Record system, including the requirement to use national patient and provider identifiers and standard national terminologies
  • Evidence of information provided by the service provider to the My Health Record system
  • Results of audits of information provided to the My Health Record system about conformance with the service provider’s policy and processes.

Workforce qualifications and skills

The service provider workforce has the appropriate qualifications, skills, and supervision to ensure the delivery of safe and high-quality care to service users.

Safety and quality training

Action 1.18

The service provider provides orientation to the organisation that describes roles and responsibilities for the safety and quality of services for:

  1. Members of the governing body
  2. Clinicians, peer workers, technicians, and other members of the workforce.

Members of the governing body and the workforce understand the approach to, and their roles and responsibilities for, safe and high-quality digital mental health services.

  • What information is provided to new members of the governing body and the workforce about their roles and responsibilities for the safety and quality of services?
  • Orientation and induction documents that detail the safety and quality roles and responsibilities of the workforce and the governing body
  • Attendance records for orientation and induction training
  • Reports on evaluation of orientation and induction training content.

Action 1.19

The service provider uses its training systems to:

  1. Assess the competency and training needs of its workforce
  2. Implement a training program to meet its requirements arising from these standards
  3. Provide access to training to meet its safety and quality training needs
  4. Monitor the workforce’s participation in training.

The workforce is appropriately trained to meet the need of the service provider to provide safe and high-quality digital mental health care.

  • How does the service provider assess the skill levels of members of the workforce, identify gaps and mediate them?
  • What training does the service provider provide about safety and quality?
  • How does the service provider identify workforce training needs to ensure that workforce skills are current and meet the service provider’s service delivery requirements?
  • Policy documents about orientation and training of the workforce
  • Employment records that detail the skills and competencies required of each position, as well as the safety and quality roles and responsibilities
  • Evidence of assessment of the workforce’s needs for education and competency-based training
  • A schedule of workforce education and competency-based training that includes the requirements of the NSQDMH Standards
  • Orientation manuals, education resources or records of attendance at workforce training
  • Results of audits of the proportion of the workforce with completed performance reviews
  • Skills appraisals and records of competencies for the workforce
  • Feedback from the workforce about their training needs
  • Reviews and evaluation reports of education and training programs
  • Communication to the workforce about annual training requirements.

Action 1.20

The service provider has strategies to provide culturally safe services to meet the needs of its Aboriginal and Torres Strait Islander service users and their support people.

Digital mental health services are culturally safe and meet the needs of Aboriginal and Torres Strait Islander service users and their support people.

  • What strategies does the service provider have to provide culturally safe services that meet the needs of its Aboriginal and Torres Strait Islander service users and their support people?
  • A policy document that outlines the service provider’s approach to cultural safety, including strategies and training to improve cultural safety, cultural respect, and cultural competency
  • Communication to the workforce about cultural safety, cultural respect, and cultural competence
  • Records of attendance at cultural safety training
  • Skills appraisal and records of competencies for the workforce in cultural safety, cultural respect, and cultural competence
  • Feedback from service users who identify as Aboriginal and Torres Strait Islander about their experience of the cultural safety of the services.

Performance management

The service provider has valid and reliable performance review processes that:

  1. Require members of the workforce to regularly take part in a review of their performance
  2. Identify needs for training and development in safety and quality
  3. Incorporate information on training requirements into training systems.

The service provider routinely reviews and discusses individuals’ performance, and systematically collects information on individuals’ safety and quality training needs.

  • What are the service provider’s performance review processes?
  • What processes are used to identify the training needs for each member of the workforce?
  • How is this information incorporated into the service provider’s training systems?
  • Policy documents about the performance review process for the workforce
  • Documented performance development systems that meet professional development guidelines and credentialing requirements
  • Results of audits of the proportion of the workforce with completed performance reviews, including actions taken to deliver identified training and development needs
  • Mentoring or peer-review reports
  • Feedback from the workforce about their training needs
  • Review and evaluation reports about education and training
  • Committee and meeting records in which performance review and credentialing of clinicians are discussed.

Qualified workforce

Action 1.22

The service provider has processes to ensure clinicians and peer workers involved in the design and delivery of services:

  1. Have the necessary skills, experience, and qualifications for these roles
  2. Have, and work within, a defined scope of clinical practice.

Clinicians and peer workers are appropriately skilled and experienced to perform their roles safely, and to provide services within an agreed scope of practice.

  • What processes are used to ensure that clinicians and peer workers have the appropriate qualifications, experience, professional standing, competencies, and other relevant professional attributes?
  • What processes are used to ensure that clinicians and peer workers are working within the agreed scope of practice when designing services or providing care to service users?
  • How does the service provider match the services provided with the skills and capability of the workforce?
  • Policy documents about the scope of clinical practice for clinicians and peer workers in the context of the service provider’s needs and capability and the digital mental health services delivered
  • Committee and meeting documents that include information on the roles, responsibilities, accountabilities and monitoring of scope of clinical practice for the clinical and peer workforces
  • Results of audits of position descriptions, duty statements and employment contracts against the requirements and recommendations of clinical practice and professional guidelines
  • Reports of key performance indicators for clinicians and peer workers
  • Workforce performance appraisal and feedback records that show a review of the scope of clinical practice for the clinical and peer workforces
  • Peer-review reports
  • Evaluation of the service provider’s clinical services targets
  • Procedure manuals or guidelines for new digital mental health services
  • Defined competency standards for new digital mental health services
  • Planning documents for introduction of new digital mental health services (including consideration of workforce, equipment, procedures and scope of clinical practice)
  • Training documents about new digital mental health services
  • Communication to the workforce that defines the scope of clinical practice for new digital mental health services.

Action 1.23

The service provider has a process to ensure technicians involved in the design and delivery of services have the necessary skills, experience and qualifications for this role.

Technicians are appropriately skilled and experienced to perform their roles safely.

  • What processes are used to ensure that technicians have the appropriate qualifications, experience, professional standing, competencies, and other relevant professional attributes?
  • What processes are used to ensure that technicians are working within the agreed scope of their expertise when designing or supporting services?
  • How does the service provider match the services provided with the skills and capability of the technical workforce?
  • Policy documents that describe the formal processes for selecting and appointing or contracting the technical workforce
  • A register of technical workforce qualifications and areas of expertise
  • Documented recruitment and procurement processes that ensure that technicians are matched to positions, and have the required skills, experience, and qualifications to perform their roles and responsibilities
  • Employment and contract documents that define the roles of technical supervisors
  • Evidence that the service provider has verified technicians’ qualifications before employment
  • Documented performance reviews or peer reviews for the technical workforce.

Safety and quality roles and responsibilities

The service provider has processes to:

  1. Assign safety and quality roles and responsibilities for services to the workforce
  2. Support the workforce to understand and perform their roles and responsibilities for safety and quality.

Every member of the workforce understands and enacts their roles and responsibilities for the safety and quality of digital mental health services.

  • How are members of the workforce informed about, and supported to fulfil, their roles and responsibilities for safety and quality?
  • Policy documents that outline the delegated safety and quality roles and responsibilities of the workforce
  • Employment documents or contracts that describe the safety and quality roles, responsibilities, and accountabilities of the workforce
  • An organisational chart and delegations policy that show clinical and technical governance reporting lines and relationships
  • Training documents about safety and quality roles and responsibilities of the workforce
  • Communication to the workforce about their safety and quality roles and responsibilities
  • Performance appraisals that include feedback to the workforce about delegated safety and quality roles and responsibilities
  • Results of workforce surveys or feedback regarding their safety and quality roles and responsibilities.

Safe environment for the delivery of care

The environment promotes safe and high-quality care for service users.

Safe environment

Action 1.25

The service provider maximises the safety and quality of care:

  1. Through the design of services, the digital operating systems and internal access controls
  2. By ensuring the terms and conditions for use of services are fair and transparent and do not mislead service users and, where relevant, their support people
  3. By ensuring devices and other infrastructure are fit for purpose and well maintained
  4. By developing and using processes for the prompt implementation of legislative and regulatory changes.

The digital and physical environments support safe and high-quality digital mental health care appropriate to the service user’s needs. The terms and conditions for the service user to engage with the digital mental health service are transparent and support safe care.

  • How does the service provider ensure that the design of the environment supports the quality of care provided to service users?
  • How does the service provider ensure that devices and infrastructure are safe and maintained in good working order?
  • How does the service provider assess their terms and conditions to ensure they are fair and transparent and do not mislead service users?
  • Policy documents that describe the service provider’s:
    • requirements for maintaining devices and infrastructure
    • reporting lines and accountability for actions, including during emergency situations
  • A strategic plan for digital assets, devices, and infrastructure
  • A maintenance schedule for devices and infrastructure
  • Results of audits of compliance with maintenance schedules and inspections of digital devices and infrastructure
  • Results of audits of the use of a pre-purchase checklist and risk assessment to identify suitability of all new digital devices and infrastructure.

Action 1.26

The service provider has systems to:

  1. Minimise risk of abuse of service users and, where relevant, their support people
  2. Minimise risk of exploitation of service users and, where relevant, their support people
  3. Preserve the dignity of service users and, where relevant, their support people.

Aspects of the digital mental health service environment that can increase risks of harm from abuse and exploitation are identified and managed, and steps are taken to ensure the dignity of service users is maintained.

  • What systems are in place to prevent the abuse and exploitation of service users?
  • Policy documents that describe the service provider’s requirements to prevent abuse and exploitation of service users in the digital environment and to protect their dignity
  • Checklists and contract specifications for services that outline the requirements to prevent abuse and exploitation of service users and to protect their dignity
  • Information resources for service users about prevention from abuse and exploitation and protection of dignity
  • Results of audits of services – that is, systems to prevent abuse and exploitation
  • Analysis of incidents, complaints, and feedback data from service users about abuse, exploitation and loss of dignity in the digital environment, and any actions taken to remedy that.

Action 1.27

The service provider has systems to minimise the risk for children and young people to be harmed while using a service.

Aspects of the digital mental health service environment that can increase risks of harm to children and young people are identified and managed.

  • How does the service provider ensure that the design of services supports the safety of children and young people?
  • What processes are in place to protect the safety of children and young people?
  • Policy documents that describe the service provider’s:
    • requirements for ensuring that children and young people are protected from harm and exploitation
    • reporting lines and accountability for actions to protect children and young people from harm, abuse and exploitation
  • Results of audits of compliance with policies that minimise the risk of harm to children and young people
  • Observations of the design and use of interventions that reduce risks relating to potential harm to children and young people
  • Analysis of incident reports relating to harm to children and young people, and action taken to deal with issues identified
  • A risk register and quality improvement plan that includes information from an analysis of incidents relating to harm to children and young people.

Privacy

Action 1.28

The service provider conducts a privacy impact assessment for each service in accordance with best practice.

The impact of a digital mental health service on privacy rights and legislative obligations is assessed, and risks to the privacy of a service user are managed, minimised, or eliminated.

  • Has the service provider conducted a privacy impact assessment that identifies and manages privacy risks of each service?
  • What processes are in place to assess the security of the service and protect the privacy of service users?
  • A completed privacy impact assessment for each service
  • Committee meetings in which the results of the privacy impact assessments are discussed
  • A register of actions taken to remedy issues identified by the privacy impact assessments
  • Observation that the design of the service aligns with the privacy impact assessments.

Action 1.29

The service provider has privacy policies for each service that are:

  1. Easy to understand and transparent for service users and their support people
  2. Uphold service users’ rights and choices
  3. Readily available to service users and their support people before accessing and while using the services
  4. Compliant with privacy laws, privacy principles and best practice.

Each digital mental health service has a readily available privacy policy that meets the needs of service users.

  • Does each service have an up-to-date privacy policy?
  • Are these privacy policies easy to find and easy to understand for service users?
  • Does the privacy policy protect service users’ privacy rights and give them the choices expected to protect their rights?
  • Policy or contract documents that describe the service provider’s requirements for the privacy policy of a service, ensuring that service users’ privacy is protected
  • Results of audits of compliance of services with privacy policy requirements
  • Observation of privacy policies of services
  • Feedback from service users on the ease of access to privacy policies and the ease of understanding and transparency
  • Analysis of incident reports about the compliance of services with privacy laws, privacy principles and best practice
  • A risk register and quality improvement plan that includes information from an analysis of incidents relating to privacy policy of services.

Action 1.30

The service provider advises service users and, where relevant, their support people of changes to privacy policies in a timely and comprehensible way.

Service users and, where relevant, their support people are informed when the privacy policy of a digital mental health service they currently use changes.

  • How does the service provider monitor the need for changes to the privacy policies of its services?
  • What processes are in place to advise service users of changes to privacy policies?
  • Policy document that describes the service provider’s requirement that service users be advised of changes to privacy policies in a timely way
  • Contracts with services that specify timely notification to the service provider of changes to privacy policies
  • Results of audits of compliance with the policy requirement to notify service users of a change in privacy policy
  • Information provided to service users about changes in privacy policy
  • Analysis of complaints from service users about a failure to be advised of a change in the privacy policy of a service.

Transparency

Action 1.31

The service provider has systems for the collection, use, disclosure, storage, transmission, retention, and destruction of data that provide service users and, where relevant, their support people with:

  1. Information on the types of data collected and how the information is used
  2. Information on any interoperable healthcare services
  3. Information on who has access to their data, including through data sharing agreements, provision or sale to third parties, and if transfer of data outside Australia occurs
  4. Timely information if requests to access data by external parties are granted by the service provider
  5. Protection of their data that was provided anonymously or using a pseudonym
  6. Prevention against the unauthorised re-identification of anonymous or de-identified data
  7. Notification if the service ceases operation or changes ownership
  8. Information on where their data will go if the service ceases to operate or changes ownership
  9. Information on the legacy of their data.

Appropriate systems are in place to manage data, and the use of data is transparent to service users.

  • What systems are in place for the collection, use, disclosure, storage, transmission, retention, and destruction of data?
  • How are service users informed about the types of data collected and how the information is used?
  • Is the service user made aware of who has access to their data?
  • What processes are in place to inform service users when requests to get their data are granted?
  • What processes are in place to protect service users who use services anonymously?
  • How is the re-identification of data prevented?
  • How does the service provider manage service user legacy data?
  • Policy documents that describe the service provider’s requirement to inform service users about the collection, use, disclosure, storage, transmission, retention, and destruction of data
  • Product information that includes details about the information collected and who will have access to the service user’s data
  • Results of audits of compliance with the policy requirements for data collection, use and sharing
  • Communication to service users about the data collected, how it is used and who has access to it
  • Analysis of incident reports relating to how data are collected, used, disclosed, stored, transmitted, retained or destroyed
  • Committee or meeting records in which the collection, use, disclosure, storage, transmission, retention or destruction of data are discussed, and actions taken to remedy any issues
  • Communication to service users about the granting of a request by a third party to use their data
  • Policy documents that describe the service provider’s duty to protect the anonymity of service users when requested
  • Policy documents that describe the service provider’s duty to prevent the re-identification of anonymous or de-identified data
  • Analysis of complaints by service users about the anonymity of their data not being protected.

Action 1.32

The service provider has mechanisms for service users to:

  1. Consent to the use of personal data and records for any purpose beyond direct care
  2. Consent before any personal data and records are used in research, unless they are de-identified
  3. Withdraw or withhold consent for the collection, storage or distribution of their personal data and records
  4. Opt out from the sharing of their personal data and records
  5. Access, copy and amend their personal data and records
  6. Request deletion of their personal data and records.

Service users have control of how their data are collected, stored, distributed and used.

  • How does the service provider get consent from service users for the use of their data for any purpose beyond direct care?
  • Does the service provider have processes to de-identify data that are used in research?
  • Does the service provider offer service users the opportunity to opt out of data sharing?
  • What processes are in place for service users to view and copy their data or to request for them to be deleted?
  • A policy document that:
    • describes the service provider’s need for service users to consent to their personal data and records being used for any purpose beyond direct care
    • provides service users with the option to opt out from sharing personal data and records
    • allows service users to view and copy their personal data and records
    • allows service users to request deletion of their personal data and records
  • A policy document outlining requirements for the de-identification of personal data and records that are used in research
  • Consent forms for service users to consent to personal data and records being used
  • Observation of processes to allow service users to opt out of sharing their personal data and records
  • Procedures about how to respond to requests to view, copy or delete personal data and records
  • Analysis of incident reports relating to the use of personal data and records without consent
  • Notifications to service users when deletion of personal data is complete.

Costs and advertising

Action 1.33

The service provider provides service users and, where relevant, their support people with clear and transparent information on the:

  1. Direct costs to access the service
  2. Estimated data usage requirements for using the service.

The service user is fully informed of the direct costs associated with using a digital mental health service and the foreseeable indirect contributors to cost.

  • How does the service provider inform service users about the costs and data requirements for using its services?
  • Policy documents about providing information about the costs and data requirements of using services to users
  • Communication to service users about the costs and data requirements
  • Observation of information provided to service users about costs and data requirements of using services
  • Analysis of feedback and complaints from service users about costs or data requirements
  • Survey of service users about the information provided about costs and data requirements of the services
  • Product information statements.

Action 1.34

The service provider ensures that in-product sales or advertising:

  1. Complies with Australian Consumer Law and regulatory requirements
  2. Is appropriate for service users.

In-product sales or advertising do not mislead, exploit, or disadvantage service users.

  • Do the service provider’s services use in-product sales or advertising?
  • How does the service provider review legal and regulatory requirements about in-product sales or advertising?
  • What processes are in place to ensure that any in-product sales or advertising is appropriate for the intended users of its services?
  • Policy documents about in-product advertising and sales
  • Audit results that show conformance with policy requirements
  • Analysis of feedback or complaints relating to the inclusion of advertising or sales within services
  • Guidelines about how to decide what might be considered appropriate advertising for service user groups
  • Observation of the information provided to service users on in-product sales and advertising.

Security and stability

The service provider has information security management systems and uses a risk-based approach to:

  1. Assign responsibility and accountability for information security
  2. Complete and maintain an information and data inventory
  3. Protect data in transit and at rest
  4. Protect against interruption, damage or disconnection of the service
  5. Assess the size and extent of threats to its information assets
  6. Consider and mitigate vulnerabilities and threats
  7. Conduct regular updates, reviews and audits of information security
  8. Detect, respond and report to the governing body, workforce, service users and their support people on information security incidents and technical faults.

An information security management system is in place that protects the security and stability of digital mental health services.

  • Does the service provider have information security management systems in place?
  • Does it take a risk-based approach to information security management?
  • Are the roles and responsibilities for information security management clear?
  • Policy documents or contracts relating to the service provider’s information security management system
  • Position descriptions that assign responsibilities for information security management actions
  • An audit and review schedule for information security
  • Reports from audits or reviews of information security management and action plans that remedy any identified issues
  • Analysis of incidents relating to information security management
  • Committee or meeting minutes that discuss or assess information security management of services
  • Records of conducting an information and data inventory
  • Feedback from the workforce on information security management.

Continuity and updates

The service provider:

  1. Manages platform and operating system updates and patches
  2. Manages the continuity of services, backup and recovery mechanisms
  3. Effectively communicates service changes or interruptions to service users and, where relevant, their support people.

Disruption to the digital mental health service from any cause is minimised through effective planning and communication.

  • How does the service provider manage updates and patches to services?
  • What processes are in place to ensure that services can run effectively when there is a change or an interruption to the service?
  • How does the service provider communicate with service users about any changes, interruptions, or discontinuation of the service?
  • Policy documents about backup and recovery processes and about managing updates and patches to the platform and operating systems
  • Committee and meeting records that show planning for backup and recovery and managing updates and patches
  • Periodic review of backup and recovery systems
  • Communication to service users advising of service changes, interruptions or discontinuation of services
  • Analysis of incidents relating to changes to platform or operating systems, and action plans addressing any issues identified
  • Results of service user surveys on the communication provided about changes or interruptions to the service.

Last updated: 29 April 2026