
Data Processing Policy 

Post Holder Responsible for Policy: Information Governance Manager
Directorate Responsible for Policy: Chief Executive's Directorate
Contact Details: Salisbury District Hospital, 01722 336262 Ext 4133
Date Written: December 2009
Date Revised: February 2015
Approved By: Operational Management Board
Date Approved: 26th January 2016
Next Due for Revision: 1st December 2017
Date Policy Becomes Live: 8th February 2010

Version Information

Version No.: 2.2
Author: Information Governance Manager
Review Date: January 2016
Description of Changes: The IG Manager has reviewed this policy and recommends that the Operational Management Board approve the extension of the Data Processing Policy until after the EU Data Protection Directive becomes law during 2016-17, as no changes are currently required.

Table Of Contents

Introduction
Legal Duty to Register with the ICO
Information Governance Responsibility to ICO Registry
Changes to the Processing or Use of Personal Identifiable Information
Where is Information Sent
Right of Redress
Review
References
Information Governance Contact Details
Equality Analysis
Privacy Impact Assessment
Implementation Plan
Appendices
 
 
Introduction

 

The Information Commissioner’s Office maintains a public register of organisations. Each register entry includes the name and address of the organisation and a general description about the processing of personal information by the organisation. Individuals can consult the register to find out what processing of personal information is being carried out by the organisation.

The principal purpose of having notification and the public register is transparency and openness. It is a basic principle of Data Protection that employees and the public should know (or should be able to find out) who is processing their personal information and why.

The Trust has a comprehensive range of policies supporting the information governance agenda; references must be made to these alongside this policy. Legal and professional guidance should also be considered where appropriate.

What is personal/sensitive Information?

Personal information is any data, such as physical, physiological, mental, economic, political, religious or social factors, which relates to living identifiable individuals.

 

Personal Information

·  Forename, Surname or Initials
·  Date of Birth
·  Gender
·  Address or Postcode
·  Occupation
·  Identity Number (e.g. NHS, National Insurance number)

Sensitive Information

·  Sexuality
·  Ethnicity
·  Physical or mental condition
·  Religious belief or other beliefs of a similar nature
·  Financial details
·  Offences committed or alleged offences/Court proceedings
·  Political opinion/Trade Union Membership

 

What is a data subject?

A data subject is the person the information is written about.

Information Commissioner's Registry

The Data Protection Act 1998 requires organisations that handle personal information to notify and register their organisation with the Information Commissioner's Office (ICO) unless an exemption applies. Failure to notify is a criminal offence.

Legal Duty to Register with the ICO

 

Salisbury NHS Foundation Trust has a legal duty to keep the Trust’s Notification Registry up to date and inform the ICO of any amendments or additional use of personal identifiable information. Failure to submit a change in processing notification to the ICO is a criminal offence.

Information Governance Responsibility to ICO Registry

 

It is the responsibility of the Information Governance Manager to review and maintain the Trust’s Data Protection Notification Registration. The current processing notification includes the purposes listed below:

3.1  Staff Administration
3.2  Accounts & Records
3.3  Health Administration & Services
3.4  Research
3.5  Crime Prevention & Prosecution
3.6  Public Health
3.7  Pastoral Care
3.8  Advertising, Marketing & Public Relations
3.9  Fundraising
3.10  Property Management
3.11  Accounting & Auditing
3.12  Licensing & Registration
3.13  Information & Databank Administration
3.14  Journalism & Media
3.15  Data Matching
3.16  Trading/Sharing of personal information
3.17  System Development & Testing

 

3.1      Staff Administration:

Why do we use it:

Appointments or removals, pay, discipline, superannuation, work management or other personnel matters in relation to the staff of the Trust.

What type of Information is it:

Personal Details
Education and Training Details
Employment Details
Financial Details
Goods or Services Provided
Racial or Ethnic Origin
Religious or Other Beliefs Of A Similar Nature
Trade Union Membership
Physical or Mental Health or Condition
Offences (Including Alleged Offences)
Criminal Proceedings, Outcomes And Sentences

Where does the information come from, what do we share and with whom:

Data subjects themselves
Relatives, guardians or other persons associated with the data subject
Current, past or prospective employers of the data subject
Healthcare, social and welfare advisers or practitioners
Business associates and other professional advisers
Employees and agents of the data controller
Persons making an enquiry or complaint


Financial organisations and advisers
Survey and research organisations
Trade, employer associations and professional bodies
Police forces
Central Government
Voluntary and charitable organisations

 

3.2      Accounts & Records:

Why do we use it:

Keeping accounts related to any business or other activity carried on by the data controller, or deciding whether to accept any person as a customer or supplier, or keeping records of purchases, sales or other transactions for the purpose of ensuring that the requisite payments and deliveries are made or services provided by him/her or in respect of those transactions, or for the purpose of making financial or management forecasts to assist them in the conduct of any such business or activity.

What type of Information is it:

Personal Details

Financial Details

Goods or Services Provided

Where does the information come from, what do we share and with whom:

Data subjects themselves
Relatives, guardians or other persons associated with the data subject
Current, past or prospective employers of the data subject
Healthcare, social and welfare advisers or practitioners
Suppliers, providers of goods or services
Financial organisations and advisers
Credit reference agencies
Debt collection and tracing agencies
Survey and research organisations
Traders in personal data
Police forces
Voluntary and charitable organisations

3.3      Health Administration & Services:

Why do we use it:

The provision of patient care and administration of health care services in NHS Hospitals or Community Services or Family Practice.

What type of Information is it:

Personal Details
Family, Lifestyle and Social Circumstances
Education and Training Details
Employment Details
Financial Details
Racial or Ethnic Origin
Religious or Other Beliefs Of A Similar Nature
Trade Union Membership
Physical or Mental Health or Condition
Sexual Life

Where does the information come from, what do we share and with whom:

Register of births & deaths

Legal representatives

Data subjects themselves
Relatives, guardians or other persons associated with the data subject
Current, past or prospective employers of the data subject
Healthcare, social and welfare advisers or practitioners
Education, training establishments and examining bodies
Business associates and other professional advisers
Employees and agents of the data controller
Suppliers, providers of goods or services
Persons making an enquiry or complaint
Financial organisations and advisers
Traders in personal data
Trade, employer associations and professional bodies
Police forces
Local Government
Central Government
Voluntary and charitable organisations
Data processors

3.4      Research:

Why do we use it:

Research in any field, including market, health, lifestyle, scientific or technical research for the provision of healthcare.

What type of Information is it:

Personal Details
Family, Lifestyle and Social Circumstances
Education and Training Details
Employment Details
Financial Details
Goods or Services Provided
Racial or Ethnic Origin
Religious or Other Beliefs Of A Similar Nature
Physical or Mental Health or Condition
Sexual Life

Where does the information come from, what do we share and with whom:

Data subjects themselves
Relatives, guardians or other persons associated with the data subject
Healthcare, social and welfare advisers or practitioners
Education, training establishments and examining bodies
Business associates and other professional advisers
Employees and agents of the data controller
Suppliers, providers of goods or services
Persons making an enquiry or complaint
Financial organisations and advisers
Survey and research organisations
Traders in personal data
Local Government
Central Government
Voluntary and charitable organisations
Data processors

3.5    Crime Prevention and Prosecution of Offenders:

Why do we use it:

Crime prevention and detection and the apprehension and prosecution of offenders. This includes the use of closed-circuit television for the monitoring and collection of sound and/or visual images for the purpose of maintaining the security of premises, for preventing crime and investigating crime.

What type of Information is it:

Personal Details
Family, Lifestyle and Social Circumstances
Offences (Including Alleged Offences)
Criminal Proceedings, Outcomes And Sentences

Sound and/or visual images

Personal appearance and behaviour

Where does the information come from, what do we share and with whom:

Security organisations

Data subjects themselves
Relatives, guardians or other persons associated with the data subject
Employees and agents of the data controller
Suppliers, providers of goods or services
Persons making an enquiry or complaint
Police forces

3.6 Public Health:

Why do we use it:

Prevention & Control of disease within the community

What type of Information is it:

Personal Details
Family, Lifestyle and Social Circumstances
Racial or Ethnic Origin
Religious or Other Beliefs Of A Similar Nature
Sexual Life

Where does the information come from, what do we share and with whom:

Data subjects themselves
Relatives, guardians or other persons associated with the data subject
Healthcare, social and welfare advisers or practitioners
Education, training establishments and examining bodies
Suppliers, providers of goods or services
Survey and research organisations
Central Government

3.7 Pastoral Care 

Why do we use it:

The administration of pastoral care by a vicar or minister of religion

What type of Information is it:

Personal Details
Family, Lifestyle and Social Circumstances
Education and Training Details
Racial or Ethnic Origin
Religious or Other Beliefs Of A Similar Nature
Physical or Mental Health or Condition

Where does the information come from, what do we share and with whom:

Data subjects themselves
Relatives, guardians or other persons associated with the data subject
Central Government
Voluntary and charitable organisations
Religious organisations

3.8 Advertising, Marketing & Public Relations:

Why do we use it:

Advertising or marketing the business of the data controller, activity, goods or services and promoting public relations in connection with that business or activity, or those goods or services

What type of Information is it:

Personal Details
Family, Lifestyle and Social Circumstances
Education and Training Details
Racial or Ethnic Origin
Physical or Mental Health or Condition

Sexual Life

Where does the information come from, what do we share and with whom:

Data subjects themselves
Relatives, guardians or other persons associated with the data subject
Business associates and other professional advisers
Suppliers, providers of goods or services

3.9 Fundraising:

Why do we use it:

Fundraising in support of the objectives of the Trust.

What type of Information is it:

Personal Details
Financial Details

Where does the information come from, what do we share and with whom:

Charities Commission

Data subjects themselves
Employees and agents of the data controller
Voluntary and charitable organisations

3.10  Property Management:

Why do we use it:

The management and administration of land, property and residential property and the estate management of other organisations. 

What type of Information is it: 

Personal Details
Employment Details
Financial Details
Goods or Services Provided

Where does the information come from, what do we share and with whom:

Data subjects themselves
Employees and agents of Salisbury NHS Foundation Trust

3.11  Accounting and Auditing:

Why do we use it:

The provision of accounting and related services; the provision of an audit where such an audit is required by statute 

What type of Information is it:

Staff including volunteers, agents, temporary and casual workers
Customers and clients
Suppliers
Members or supporters
Complainants, correspondents and enquirers
Relatives, guardians and associates of the data subject
Advisers, consultants and other professional experts
Patients

Where does the information come from, what do we share and with whom:

Data subjects themselves
Relatives, guardians or other persons associated with the data subject
Current, past or prospective employers of the data subject
Healthcare, social and welfare advisers or practitioners
Education, training establishments and examining bodies

Business associates and other professional advisers
Employees and agents of the data controller
Other companies in the same group as the data controller
Suppliers, providers of goods or services
Persons making an enquiry or complaint
Debt collection and tracing agencies
Survey and research organisations
Trade, employer associations and professional bodies
Police forces
Local Government
Central Government
Voluntary and charitable organisations
Religious organisations

3.12  Licensing and Registration:

Why do we use it:

The administration of licensing or maintenance of official registers.

What type of Information is it:

Personal Details
Family, Lifestyle and Social Circumstances
Education and Training Details
Employment Details
Financial Details
Goods or Services Provided
Racial or Ethnic Origin
Religious or Other Beliefs Of A Similar Nature
Physical or Mental Health or Condition

Where does the information come from, what do we share and with whom:

Data subjects themselves
Relatives, guardians or other persons associated with the data subject
Current, past or prospective employers of the data subject
Healthcare, social and welfare advisers or practitioners
Education, training establishments and examining bodies
Business associates and other professional advisers
Employees and agents of the data controller
Police forces
Local Government
Central Government
Ombudsmen and regulatory authorities

3.13  Information and Databank Administration:

Why do we use it:

Maintenance of information or databanks as a reference tool or general resource. This includes catalogues, lists, directories and bibliographic databases.

What type of Information is it:

Personal Details
Family, Lifestyle and Social Circumstances
Education and Training Details
Employment Details
Financial Details
Goods or Services Provided
Racial or Ethnic Origin
Religious or Other Beliefs Of A Similar Nature
Trade Union Membership
Physical or Mental Health or Condition
Sexual Life
Offences (Including Alleged Offences)

Where does the information come from, what do we share and with whom:

Data subjects themselves
Relatives, guardians or other persons associated with the data subject
Current, past or prospective employers of the data subject
Healthcare, social and welfare advisers or practitioners
Education, training establishments and examining bodies
Business associates and other professional advisers
Employees and agents of the data controller
Other companies in the same group as the data controller
Suppliers, providers of goods or services
Persons making an enquiry or complaint
Survey and research organisations
Trade, employer associations and professional bodies
Local Government
Central Government
Voluntary and charitable organisations
Ombudsmen and regulatory authorities
The media
Data processors

3.14  Journalism & Media:

Why do we use it:

Publication by any data controller in relation to journalism, artistic or literary purposes made or intended to be made available to the public or any section of the public.

What type of Information is it:

Staff including volunteers, agents, temporary and casual workers
Suppliers
Members or supporters
Complainants, correspondents and enquirers
Relatives, guardians and associates of the data subject
Advisers, consultants and other professional experts
Patients

Where does the information come from, what do we share and with whom:

Personal Details
Family, Lifestyle and Social Circumstances
Education and Training Details
Employment Details
Financial Details
Goods or Services Provided
Racial or Ethnic Origin
Physical or Mental Health or Condition

Photographic images

Text or articles and reports

3.15  Data Matching:

Why do we use it:

National fraud initiative – data matching

Prevention and detection of fraud

What type of Information is it:

Personal Details
Education and Training Details
Employment Details
Financial Details
Goods or Services Provided

Where does the information come from, what do we share and with whom:

Data subjects themselves
Current, past or prospective employers of the data subject
Healthcare, social and welfare advisers or practitioners
Education, training establishments and examining bodies
Employees and agents of the data controller
Suppliers, providers of goods or services
Financial organisations and advisers
Police forces
Local Government
Central Government
Ombudsmen and regulatory authorities
Data processors

The NHS South Coast Audit Team work in partnership with Salisbury NHS Foundation Trust to investigate allegations of fraud and corruption.

3.16 Trading/Sharing of personal information:

Why do we use it:

The sale, hire or exchange of personal information

What type of Information is it:

Personal Details
Financial Details
Goods or Services Provided

Where does the information come from, what do we share and with whom:

Data subjects themselves
Employees and agents of the data controller
Business associates and other professional advisers
Complainants, correspondents and enquirers

Other companies in the same group as the data controller
Suppliers, providers of goods or services
Data processors

3.17 System Development & Testing

Why do we use it:

To enable the Trust to use personal information for systems development and testing purposes.

What type of Information is it:

Personal Details

Family, Lifestyle and Social Circumstances

Education and Training Details

Employment Details

Financial Details

Racial or Ethnic Origin

Religious or Other Beliefs Of A Similar Nature

Trade Union Membership

Physical or Mental Health or Condition

Sexual Life

Where does the information come from, what do we share and with whom:

Data subjects themselves

Relatives, guardians or other persons associated with the data subject

Current, past or prospective employers of the data subject

Healthcare, social and welfare advisers or practitioners

Education, training establishments and examining bodies

Business associates and other professional advisers

Employees and agents of the data controller

Suppliers, providers of goods or services

Financial organisations and advisers

Traders in personal data

Trade, employer associations and professional bodies

Police forces

Local Government

Central Government

Voluntary and charitable organisations

Data processors

Changes to the Processing or Use of Personal Identifiable Information

All employees have a duty and a responsibility to ensure that personal identifiable information is processed within the law and not used or processed for any purpose not included in the Trust’s Notification Registration.

If you or your department wish to process information for any other purpose not listed in this policy, authorisation must be obtained from the Information Governance Department prior to the processing, transfer or the sharing of data.

Please use Appendix A to request a new purpose.

 

Where is Information Sent

Data collected, stored and used by SFT can, when necessary, be transferred worldwide. This information is appropriately protected in accordance with Principle 7 of the Data Protection Act 1998: Personal Data must be kept secure. Compliance is achieved through the Trust’s Information Risk & Security Strategy, Policies and Procedures.

Right of Redress

 

The Information Governance Department may refuse, or terminate the processing of personal data if it does not comply with both Schedule 1 and 2 of the Data Protection Act 1998.

If you disagree with the decision made by the Information Governance Manager, you have a right of appeal via the following members of the Information Governance Steering Group (IGSG), who monitor the Trust’s compliance with the Data Protection Act 1998:

  • Medical Director
  • Finance Director
  • Director of Corporate Development
  • Nursing Director

 

Review

This policy and associated documents will be reviewed annually by the Information Governance Department and every three years by the Operational Management Board and Joint Boards of Directors, or earlier if appropriate, to take into account the strategic direction of Salisbury NHS Foundation Trust and support the legislation that may occur, and/or guidance from the Department of Health and/or the NHS Executive.

 

References

Information Governance Contact Details

Additional information relating to the processing of personal information carried out by Salisbury NHS Foundation Trust is available from the Information Governance Department on 01722 336262, extension 4133 or 5921, or via email: Information.Governance@salisbury.nhs.uk

Equality Analysis

Salisbury NHS Foundation Trust aims to design and implement services and policies that meet the diverse needs of its services, population and workforce, ensuring that none are placed at a disadvantage over others. This document has been assessed against the Trust’s Equality Impact Assessment Tool. A copy of the completed Impact Assessment has been included as Appendix B.

Privacy Impact Assessment

Please refer to Appendix C.

Implementation Plan

 Please refer to Appendix D.
 
Appendices

Appendix A: Request for Additional Use of Personal Information (Attachment: Appendix A DPP.pdf)
Appendix B: Equality Analysis (Attachment: Appendix B DPP.pdf)
Appendix C: Privacy Impact Assessment (Attachment: Appendix C DPP.pdf)
Appendix D: Implementation Plan (Attachment: Appendix D DPP.pdf)

Page Last Updated: 13/03/2017 15:10 
Printed from Salisbury NHS Foundation Website http://www.salisbury.nhs.uk