
Data Protection, Confidentiality & Disclosure Policy 

Post Holder Responsible for Policy:
Information Governance Manager
Directorate Responsible for Policy:
Chief Executive's Directorate
Contact Details:

Salisbury District Hospital

01722 336262 Ext 4133

Date Written:
February 2005 (Data Protection & Confidentiality Policy.) Replaced by Data Protection, Confidentiality & Disclosure Policy March 2011.
Date Revised:
September 2014
Approved By:

Approved by Information Governance Steering Group

Ratified by Joint Board of Directors

Date Approved:

Approved 23rd May 2017

Next Due for Revision:
11th November 2018
Date Policy Becomes Live:
4th April 2005

Version Information

Version No. Author Review Date Description of Changes
IG Manager
31st May 2018
May 2018 OMB to extended for all IG Policies, Strategies and Guidance for an additional 6 months. Please be aware that the proposed new Standing Operating Procedures will not require approval from OMB. The OMB was assured that the policies for which an extension has been requested are still valid.

Table Of Contents

Employee Responsibilities
Management Responsibilities
Regulatory Compliance with Legislative and Contractual Requirement
Disclosure Exemptions under the Data Protection Act & Confidentiality: NHS Code of Practice
Working & Sharing Information
Procedures for Ensuring Safe Transfer of Information
Use of Patient Confidential Information for Clinical Training & Research
Use of Personal & Sensitive Information for Systems Testing & Development
The Right of Access to Information (Subject Access Requests)
Compliance & Assurance
Consequences of a Breach of Policy
15. Data Protection, Confidentiality and Disclosure Caldicott Work Plan
16. Monitoring Compliance of Confidentiality and Data Protection Review
17. Review Appendices



This policy replaced the previous Data Protection and Confidentiality Policy in 2011 and has been expanded to incorporate the disclosure of information using the telephone and intrusive technologies, the release of information to Community Health providers, the Police, Her Majesty’s Armed Forces, consent and the use of Information Sharing agreements and protocols.

This policy also mandates the use of Privacy Impact Assessments (PIAs), which are to be used to ensure that any new or amended policy, process, procedure or activity that involves the use of personal information or sensitive personal information is appropriately assessed to establish and record how this impacts on the data subjects and to recommend appropriate action to mitigate this impact. Due to the very nature and objectives of this policy, the Information Governance Manager has deemed that a PIA for this policy is not necessary.

PIAs are now mandatory in England for any new system (IT or otherwise), process, project, policy or technology which involves the processing of personal and/or sensitive data.

Salisbury NHS Foundation Trust is required to meet its legal obligations and NHS requirements concerning confidentiality and information security standards. The requirements within this policy are primarily based upon the Data Protection Act 1998 (DPA) and the NHS Code of Practice: Confidentiality (Code of Confidentiality). These are two key standards which cover the security and confidentiality of personal information within the NHS, United Kingdom and the European Economic Area.

A definition of personal information and sensitive information is included as Appendix A to this policy.

Like all NHS Organisations, Salisbury NHS Foundation Trust holds and processes information about its employees, patients and other individuals for various purposes (e.g. the effective provision of healthcare services, or for administrative purposes such as payroll). To comply with the Data Protection Act 1998 (DPA), personal identifiable information must be collected and used fairly, stored safely and not disclosed to unauthorised persons. The DPA and Code of Confidentiality apply to both manual and electronic data.

The Trust also has a duty to comply with additional guidance issued by the Department of Health, the NHS Executive, Monitor, and other professional bodies. All NHS employees have a duty of confidence to patients and colleagues under common law.

The failure of the Trust and/or its employees, volunteers or contractors to comply with DPA legislation could potentially result in a subsequent investigation by the Information Commissioner's Office, with the possible risk of being fined up to £500,000 for very serious breaches.

Compliance with the policy will provide assurance to the Trust and to individuals that all personal and sensitive information processed by the Trust is dealt with legally, securely, effectively and efficiently, in order to deliver the best possible care to patients.

The Trust will establish and maintain policies and procedures to ensure compliance with the requirements contained in the NHS Connecting for Health Information Governance Toolkit.



The Policy applies to the Trust and all employees, contractors, third party partner organisations, suppliers, directors, governors, volunteers and all honorary contracted staff (employees).

This policy covers records held and processed by Salisbury NHS Foundation Trust in any medium. The Trust is responsible for its own records under the terms of the DPA and it has submitted itself as a Data Controller to the Information Commissioner.

This policy covers all aspects of information within the organisation, including (but not limited to):

  • Patient/staff/client/service user information
  • Personal information
  • Organisational information

This policy covers all aspects of handling information, including (but not limited to):

  • Structured and unstructured record systems – paper and electronic
  • Transmission of information – fax, email, post and telephone
  • Information systems managed and/or developed by, or used by the Trust

This policy covers all information systems purchased, developed and managed by, or on behalf of, the Trust and any individual, directly or otherwise engaged by the organisation.



Employee Responsibilities

As an employee of the Trust you are subject to an obligation of confidentiality to all personal, sensitive and commercial information processed by the Trust and as such you must adhere to the DPA, Caldicott Guidelines and NHS Information Security Procedures, which form part of all employee Terms and Conditions of Employment.

All staff must sign a copy of the Trust’s Data Protection, Confidentiality and Information Security Declaration without exception. The declaration is attached to this Policy as Appendix B. Employees of external organisations who are provided with access to any personal, sensitive or commercial information processed by the Trust must sign Appendix B1, and a suitable contractual arrangement to protect and indemnify the Trust against improper use must be in place.

Professional bodies (e.g. National Midwifery Council (NWC), General Medical Council (GMC)) provide additional supplementary advice and guidance for their own disciplines. These guidelines should not conflict with this policy or legislative requirements.

While you are at work you may have access to information about patients/colleagues and/or the Trust. You may come into contact with this type of information during the course of your work or simply see, hear or read something while you are working. Circumstances may occur where you believe that a duty of care, either to the patient or to the staff member, overrides the duty of confidentiality. In these circumstances you must discuss the matter with your supervisor/line manager in the first instance, or escalate it to the next senior manager and/or, where practicable, obtain advice from the Trust Caldicott Guardian or Information Governance Manager. The discussion and outcome must be thoroughly documented and retained for future reference.

A copy of these documents must be provided to the Information Governance Manager for audit purposes. Otherwise, you must keep this information confidential.

Any unauthorised disclosure of information by a member of staff may be considered a disciplinary offence and could be subject to the Trust's Disciplinary Procedures.

This policy, and its supporting standards and work instructions, are fully endorsed by the Trust Board through the production of these documents and their minuted approval.



Management Responsibilities


4.1 The Chief Executive Officer

The Chief Executive Officer (CEO) has ultimate responsibility for the Data Protection, Confidentiality & Disclosure Policy within the Trust. Implementation of, and compliance with this policy is delegated to the Caldicott Guardian and designated Data Protection Officer, the Information Governance Manager and the members of the Information Governance Steering Group (IGSG).

4.2 Caldicott Guardian

The Caldicott Guardian is responsible for protecting the confidentiality of patients and service users, and enabling appropriate information sharing with external and collaborative agencies.

The Guardian plays a key role in ensuring that NHS, Local Authorities with Community Health and Social Care Responsibilities and partner organisations satisfy the highest practical standards for handling patient identifiable information.

Acting as the 'conscience' of an organisation, the Guardian actively supports work to enable information sharing where it is appropriate to share, and advises on options for lawful and ethical processing of information.

The Caldicott Guardian also has a strategic role, which involves representing and championing Information Governance requirements and issues at Board or management team level and, where appropriate, at a range of levels within the organisation's overall governance framework.

4.3 Information Governance (IG) Manager

The IG Manager is designated as the Trust’s Data Protection Officer and is responsible for supporting the day to day IG function. The IG Manager works closely with the Caldicott Guardian on confidentiality and Data Protection matters such as training, investigations and IG Compliance.

4.4 Directorate, General and Clinical Managers and Heads of Departments

Data Protection procedures will vary from department to department and across disciplines. It is the responsibility of Directorate, General, and Clinical Managers and Heads of Department to ensure adequate and compliant procedures are developed to handle personal data and sensitive personal data.

This includes the responsibility to ensure that new systems or procedures used for the processing of personal and sensitive personal data are implemented with reference to the ICO Privacy Impact Assessment Code of Practice.

General and Clinical Managers and Heads of Department may delegate the day to day running of operational procedures, but may not delegate overall responsibility for the handling of personal data and sensitive personal data within their departments.

4.5 Information Asset Owners (IAO) & Information Asset Administrators (IAA)

The Director or Directorate Manager of each directorate is identified as the Trust's IAO. IAOs assume particular responsibility for the electronic information systems (information assets) which process personal, sensitive or commercially sensitive information within their directorate. Their responsibilities are defined within the Trust Information Risk & Security Policy.

The IAO will ensure each information asset 'owned' by them, has an assigned IAA. The IAO must identify an appropriate member of staff as the IAA for any new electronic systems before the procurement, development or introduction of the new system commences.

The IAA’s role is also defined within the Trust Information Risk & Security Policy. The IAA will assume responsibility for ensuring that the information asset for which they are the nominated IAA complies with the DPA and this policy. However, all employees involved in the procurement, development or introduction of such information assets, including health information systems, must ensure that best practice principles are incorporated during the procurement and design stage. This may mean introducing access controls or splitting information flows where one information flow is used for several purposes. Where, for whatever reason, an IAA has not been identified, the manager of the team or department procuring or developing the information assets must inform the directorate IAO and the Information Governance Manager of the directorate introducing the new asset.

The IAA will also be responsible for ensuring that the asset is audited against this policy before implementation and on a regular basis; at least annually. These audits must be provided to the IAO for approval.


Regulatory Compliance with Legislative and Contractual Requirement


Salisbury NHS Foundation Trust has a legal obligation to comply with all appropriate legislation in respect of Data, Information and IT Security. It is essential that patient identifiable information (PID) is handled, processed and released in a strictly controlled manner. This document sets out the Trust's policy for the management of confidential information.

5.1 The Data Protection Act 1998

The lawful and correct treatment of personal information is vital to the successful operation of the Trust and to maintaining confidence between the Trust and the individuals with whom it deals. Therefore, the Trust will, through appropriate management and strict application of criteria and controls:

  • Observe fully conditions regarding the fair collection and use of information
  • Meet its legal obligations to specify the purposes for which information is used
  • Collect and process appropriate information and only to the extent that it is needed;
  • Use compliant process to fulfil operational needs to comply with any legal requirements;
  • Ensure the quality of information used is 100% accurate;
  • Apply strict checks to determine the length of time information is held and establish a compliant disposal process where necessary;
  • Audit compliance with legislation and appropriate standards and escalate findings to the IAO and IGSG.
  • Ensure that the rights of people about whom information is held can be fully exercised under the Act. (These include: the right to be informed that processing is being undertaken; the right of access to one’s personal information; the right to prevent processing in certain circumstances; the right to correct, rectify, block or erase information which is evidenced as wrong.);
  • Take appropriate technical and organisational security measures to safeguard personal and sensitive personal information;
  • Ensure that personal information is not transferred abroad without suitable safeguards.

The Data Protection Act (1998) lays down regulations for the handling of personal data. For all such data it is essential to abide by the eight principles which govern the care and use made of the data.

A detailed explanation of the 8 Data Protection Principles has been included in this policy in Appendix C.

The Act also dictates that information must only be disclosed on a need to know basis. Printouts and paper records must carry appropriate classification and markings in accordance with the Trust’s Information Risk & Security Policy and be treated with respect, disposed of in a secure manner, and staff must not disclose information outside the line of duty, or use any information for personal purposes.

In addition to these principles there are other conditions which have to be met and these are specified in the schedules of the act, full details are available at:

5.2 Notification to the Information Commissioner

The Data Protection Act 1998 requires every organisation that processes personal information to register with the Information Commissioner’s Office (ICO), unless they are exempt. Failure to do so is a criminal offence. A copy of Salisbury NHS Foundation Trust's registration, No Z6613850, is held by the Information Commissioner’s Office and is available to the public via the ICO’s website at:

All processing of personal or sensitive data by the Trust and its wholly owned subsidiaries will be registered under the Trust’s global notification.

The responsibility for maintaining the Trust’s registration will lie with the Information Governance Manager, who will ensure that all uses and disclosures of personal data are specified within the registration.

It is also essential that the Trust’s registration is kept up to date. Managers and all staff are responsible for informing the Information Governance Manager of any new uses of personal identifiable information or sensitive information. For further guidance on the type of personal data the Trust collects and the use and sharing of information, refer to the Trust's data processing Policy.

5.3 Confidentiality: NHS Code of Practice & the Caldicott Committee Report

In 1997 the Caldicott Committee introduced stringent guidelines in the recording, access and use of personal data within the NHS. This document was called the Confidentiality: NHS Code of Practice. Under this Code, each NHS organisation is required to have a Caldicott Guardian; this was mandated for the NHS by Health Service Circular: HSC 1999/012. The mandate covers all organisations that have access to patient records.

5.4 Caldicott 2 Report

The original Caldicott Report established six principles for NHS bodies (and parties contracting with such bodies) to adhere to in order to protect patient information and confidentiality. Despite these principles, and the provisions of the Data Protection Act 1998 that followed, there were almost 200 serious data protection breaches reported to the Information Commissioner relating to NHS bodies in 2012. Against this background, it is acknowledged that NHS staff have become more reluctant to share information given the potential sanctions in doing so inappropriately.

Accordingly, the government commissioned Dame Fiona Caldicott to conduct a further Information Governance Review (the “Review”) which was published at the end of April 2013.

“The duty to share information can be as important as the duty to protect patient confidentiality”. The Review highlights that for health professionals to act in a patient’s best interest, they need to have all the available information about the patient to do so. However, it is acknowledged that current information governance provisions (or at least the interpretation of them) have led to information not being shared when it should be. Accordingly, Recommendation 2 of the Review specifically states that:

“for the purposes of direct care, relevant personal confidential data should be shared among the registered and regulated health and social care professionals who have a legitimate relationship with the individual.”

Further, the Review also recognises that there are certain situations when sharing of personal information is not just preferable, but vital. An example given of this is within public health medicine in order to identify people at risk during an outbreak of an infectious disease, or to carry out health improvement and research exercises.

5.5 Caldicott Guardian Registration

All NHS Trusts are required to maintain and update their Caldicott Guardian registration managed by the Health & Social Care Information Centre (HSCIC). This function is carried out by the IG Manager.

5.6 Caldicott Principles

The Caldicott principles were recommended by the Caldicott Committee as a guide for the NHS for the use of, and transfer of patient identifiable information.

A seventh principle was added following the Caldicott 2 Report.

The seven principles provided by the Caldicott Report are the baseline for good practice:

  1. Justify the purpose for using confidential information
  2. Only use it when absolutely necessary
  3. Use the minimum that is required
  4. Access should be on a strict need to know basis
  5. Everyone must understand his or her responsibilities
  6. Understand and comply with the law
  7. The duty to share information can be as important as the duty to protect confidential information

A detailed explanation of the Seven Caldicott Principles is contained within Appendix D.



In order to be able to lawfully process the personal or sensitive personal information of an individual, the Trust must first obtain explicit, freely given, specific and informed consent from the subject. This is applicable to both employees and patients. This is fairly straightforward to manage for employees, but due to the very nature of health care this is not always the case when dealing with the information of patients. Therefore, where patients have consented to healthcare, it is considered reasonable to argue that consent has been ‘implied’. Similarly, research has consistently shown that patients are normally content for information to be disclosed to other organisations in order to provide that healthcare.

Notwithstanding this, it is still very important that reasonable efforts are made to ensure that patients understand how their information is to be used to support their healthcare and that they have no objections.

Where this has been done effectively, consent can be implied, providing that the information is shared no more widely than absolutely necessary, only information that is adequate, relevant and not excessive is shared and that “need to know” principles are enforced.

Patients entrust us with, or allow us to gather, extremely sensitive information relating to their health and other matters as part of their seeking treatment. They do so in confidence with a legitimate expectation that staff will respect their privacy and act appropriately. In some circumstances patients may lack the competence to extend this trust, or may be unconscious, but this does not diminish the duty of confidence. It is essential, if the legal requirements are to be met and the trust of patients is to be retained, that the NHS and Salisbury NHS Foundation Trust provide, and are seen to provide, a confidential service.

Personal or sensitive personal information that can identify any individual must not be used or disclosed for purposes other than for which it was provided without the individual's explicit consent, some other legal basis or where there is a robust public interest or legal justification to do so. 

Anonymised information is not confidential and may be disclosed in some circumstances. Guidance contained in Confidentiality: NHS Code of Practice (November 2003) should be followed.

Specialist staff information relating to consent is available in the Trust Integrated Clinical Information Database (ICID), Clinical Management: Consent.

6.1 Consent & Compliance with the DPA and Code of Practice: Confidentiality

In order to promote a healthcare service which is open and transparent, the Trust has developed a series of leaflets and posters which provide patients with specific information about how their information will be collected, stored, used and shared with partner organisations for the provision of continued healthcare. Similarly, the Trust website will include a dedicated page to make explicit reference to how patient and staff information is processed:

6.2 Individuals who prohibit the Sharing or Processing of Personal or Sensitive Information

In accordance with Principle 6 of the DPA, data subjects have the right to object to the processing of their personal and/or sensitive data that is likely to cause or is causing damage or distress.

Where the Trust receives written instruction from an individual that they wish to object to the processing of their personal data, this objection will be considered by the Information Governance Manager and where appropriate, the Caldicott Guardian. Their decision will be fully documented and retained for future reference. The Trust will endeavour to comply with the request from the individual; however this may not always be possible.

Further guidance on the rights of the individual can be found here;

6.2.1 for the Provision of Health Care

Salisbury NHS Foundation Trust works with a number of NHS organisations and independent treatment centres to provide the patient with the best possible care. In order to do this, patient information may be shared securely to provide care in local, central and peripheral locations. If the patient chooses to prohibit this information from being disclosed to other health professionals involved in providing care, it might mean that the care that can be provided is limited and, in extremely rare circumstances, that it is not possible to offer certain treatment options.

However, sometimes the law requires that we disclose or report certain information, but that is only done after formal authority by the Courts or by a qualified health professional. Examples include reporting a serious crime which involves murder, manslaughter, rape, treason, kidnapping, child abuse or infectious diseases that may endanger the safety of others, such as meningitis or measles, but not HIV/AIDS.

Additional guidance on dealing with such disclosures is contained in section seven of this policy.

6.2.2 to Relatives or Carers

Patients may wish to restrict the amount of information about their healthcare given to their relatives. Patients should be encouraged to be very explicit if there is anyone that they do not want to be given information.

In the event of the patient being unable to give permission, a person must be identified to act on behalf of the patient and permission obtained from him/her. It should however be noted that relatives, carers and even those documented as next of kin do not necessarily have the right to access the personal or sensitive records of a patient.

In all cases, the wishes expressed by the patient must be appropriately documented in the Medical Records.


Disclosure Exemptions under the Data Protection Act & Confidentiality: NHS Code of Practice

In certain circumstances personal information may be disclosed. However, it is vital that staff make an assessment of the need to disclose the information and document that the information has been released, to whom and for what reason. Further guidance is available from the Information Governance Team and the Confidentiality: NHS Code of Practice.

7.1 Disclosing Information against the Subject’s Wishes without the Presence of Consent

The responsibility for deciding whether or not information should be withheld or disclosed without the subject’s consent lies with the Senior Clinician involved at the time or the Senior Manager of the department and cannot be delegated. Circumstances where the subject’s right to confidentiality may be overridden are rare; examples of these situations are:

  • where it is in the vital interest of the subject
  • where the subject’s life may be in danger or cases when the subject may not be capable of making an appropriate decision
  • where there is serious danger to other people,
  • where there is a serious threat to the community
  • in other exceptional circumstances, based on professional consideration and consultation

All decisions to disclose or withhold information must be fully documented.

7.2 Disclosures Permitted Without the Person's Consent

Disclosure of personal information is permitted under statute law regarding the following:

  • Births and deaths
  • Notifiable communicable diseases
  • Poisonings and serious accidents at the work place
  • Terminations
  • The misuse of drugs
  • Offenders thought to be mentally disordered
  • Child abuse
  • Vulnerable adults
  • Road traffic accidents
  • Prevention/detection of a serious crime i.e. terrorism, murder

If in doubt, staff should seek guidance, in confidence, from the Clinician/Nurse in Charge, the appropriate Senior Nurse Manager/Directorate Manager, Caldicott Guardian or the Information Governance Manager.

7.3 Patient & Staff Disclosure Requests Made to the Police, Social & Probation Services under Section 29(3) of the Data Protection Act 1998: Crime, Taxation and Fraud

Guidance on the disclosure of personal or sensitive personal information to the Police, Probation, UK Border Force and Social Services is attached to this policy as Appendix E.

The Information Governance department will act as a central hub for the management of all such requests. Where any employee is in receipt of such a request, this must be immediately and securely forwarded to the Information Governance Department for processing.

Where an emergency request is received, or the request is received out of normal office hours, disclosure may go ahead provided the employee dealing with the request completes a Data Protection Disclosure Record (Appendix F) and gains authorisation from the Caldicott Guardian, or another Senior Manager (the Duty on call Manager out of hours) prior to release. This is to ensure requests are appropriately scrutinised.

The agencies listed above do not have an absolute right to all information requested and the Trust does have the right to refuse where it is believed that the request is not valid or is excessive.

A copy of the completed Disclosure Record must be sent to the IG Manager to ensure all disclosure requests are logged within the Trust. This can be sent via internal email.

Salisbury NHS Foundation Trust will support any member of staff who, using careful consideration and professional judgement, can satisfactorily justify any decision to disclose or withhold information in the interests of the subject, or the greater interests of the public.

7.3.1 Release of Information to NHS Fraud Department

As in 7.3, the Information Governance department will act as a central hub for the management of all such requests. Where any employee is in receipt of such a request, this must be immediately and securely forwarded to the Information Governance Department for processing.

The agencies listed above do not have an absolute right to all information requested and the Trust does have the right to refuse where it is believed that the request is not valid or is excessive.

7.4 Disclosure of Information about Armed Forces Personnel

Service Personnel (Members) of the UK, NATO and Commonwealth Armed Forces are entitled to full use of NHS hospitals on the same basis as civilians.

In addition to the normal action taken by NHS hospitals to ensure the relatives are notified of the admission of patients, it is essential that the appropriate Service Authority is notified as quickly as possible in order that the necessary administrative action can be performed. Failure to inform the Service Authority may lead to the Service patient concerned being reported as absent without leave from his/her unit.

Notification to the Service Authority may be made by telephone or secure email and should, where possible, include the following details in respect of the Service Personnel:

  • Name and address of the reporting hospital
  • Service number
  • Rank, name and initials
  • Unit and Address
  • Date of admission
  • Ward
  • Next of kin details, address and telephone number
  • Whether next of kin has been notified

It is important to note that a duty of confidence still exists with Service Personnel and only the minimal information should be provided to the Service Authority. If specific or detailed health related information is requested, always discuss the request with the Service Personnel, and gain their consent to disclose.

For further information, advice and guidance contact the Information Governance Department on 01722 336262 extension 4133.

7.5 Non–Disclosure of Personal Information Contained in a Medical Record by a Clinician

An individual requesting access to their medical/personnel files may be refused access to parts of the information if an appropriate Clinician deems that exposure to that information could cause physical or mental harm to the subject. In all cases reasons for non-disclosure should be documented and approved by the Caldicott Guardian or IG Manager. The Trust is not required to supply copies of medical records if:

  • the individual requesting the information has not provided enough supporting information in order for the information to be located
  • the individual requesting the information has not supplied the appropriate fee, or
  • the retrieval of the medical records requires disproportionate effort

The personal and/or sensitive information of 3rd parties must be redacted prior to release.

All decisions to disclose or withhold information must be fully documented. 

7.6 Disclosure of Patient Information after Death

When a patient dies, it is unlikely that information relating to that individual remains legally confidential. However, an ethical obligation to the relatives of the deceased exists and health records of the deceased are public records and governed by the provisions of the Public Records Act 1958. This permits the use and disclosure of the information within them in only limited circumstances. The Access to Health Records Act 1990 permits access to the records of the deceased by those with a claim arising from the death of the patient.

This right of access is negated, however, if the individual concerned requested that a note denying access be included within the record prior to death (this might be part of a formal advance directive). The Trust Medical Records Manager is responsible for compliance with this legislation. Guidance can be found within the Trust’s Access to Medical Records Policy. Additional advice and guidance relating to the disclosure of information arising due to death is available from the Caldicott Guardian, Lead Clinician, the Medical Records and IG Managers.

7.7 Disclosure of Personal and Sensitive Information by Telephone

7.7.1 General Guidance on the Use of Telephones to Communicate Personal Information

A patient or member of staff has a right to privacy, so when attempting to communicate with the subject by telephone you must talk to them directly, unless you have a justified reason to speak to someone on their behalf e.g. they have given their consent or it is in their best interests.

If you think you may need to contact the patient or a member of staff by phone, ask if you can call them at work, at home or on a mobile. Ask if you can leave messages. Document the consent obtained.

If you know the patient or staff member is unable to speak to you, or the recipient of the call tells you that they effectively act on the patient’s behalf, it is your responsibility to satisfy yourself that this is the case, and only then can you pass limited information to the recipient.

Additional guidance on dealing with incoming and outgoing calls relating to individuals is provided in Appendix G Outgoing Telephone Calls and Appendix H Handling Incoming Calls.


Working & Sharing Information

In order for Salisbury NHS Foundation Trust to remain compliant with the Data Protection Act 1998, Confidentiality: NHS Code of Practice and Information Security Regulations, all 3rd Party Contractors, System Suppliers and Healthcare Partnership Agencies must formalise, document and sign legally binding agreements to permit the sharing of personal and sensitive personal information.

The following are examples of documents which may be required:

  • Contract between SFT and a 3rd party system supplier
  • Contract to provide healthcare information between SFT and a private hospital  
  • Information sharing protocol between SFT & NHS Healthcare Partners  

8.1 3rd Party Contractors & Contracts

Before entering into any agreement to share information, a Privacy Impact Assessment must be completed.

There are a number of ways in which third parties may have access to information or other information held in systems, which will help determine how extensive the PIA needs to be. For example, an assessment for cleaning contractors will be different from that carried out for a contractor connecting to the Trust IT network. Temporary access will also involve different considerations from long-term access. It is essential that the nature and level of access is determined before the PIA is conducted and before the information governance elements of the contract are completed.

Third party access may be granted to electronic systems and networks, for example, the software for a patient system may be maintained by the developers, under contract. In this case it is quite likely that third party staff may have significant access to patient data. This situation clearly has Caldicott/Confidentiality and Data Protection Act 1998 (DPA) implications which require confidentiality and non-disclosure clauses to be included in the contract. It is also essential to know what security controls the third party has in place:

  • Do they have adequate security controls, policies and training?
  • Are staff screened prior to commencing employment?
  • Do they have the necessary skills to train their staff in Caldicott/confidentiality and data protection issues or should your organisation provide the training?

The Information Asset Administrator will be responsible for the completion of the PIA, which must be approved and signed off by the Information Asset Owner.

In order to protect the Trust and mitigate any risks all contracts or protocols are required to contain the following:

  • Ownership of information & arrangements for retention or destruction following decommissioning of the service/system
  • To release personal data within the statutory 40 calendar days to comply with subject access requests received by the Trust
  • Definitions of Clinical Requirements to Share Images/Data and Reports
  • The facility to extract personal data in an anonymised or pseudonymised format
  • Audit of Systems, access, user account controls and reporting anomalies
  • Overview of Technical Solutions
  • Patient consent and legitimate relationships
  • Confidentiality
  • Data Protection including parameters of disclosure of personal/corporate information
  • Access control framework
  • Error correction processes
  • Secure transit of patient identifiable Information
  • Key contacts
  • Liability
  • Information security standards including statement of compliance
  • Details of processing of data outside of the UK
  • Incident reporting procedures
  • Security transfer details
  • Retention schedule for information

Contracts with external 3rd party contractors must also be required to include statements regarding compulsory compliance with Freedom of Information requests.

Formal contracts entered into by the Trust must be reviewed by the Procurement Department prior to being signed on behalf of the Trust. This will ensure that all contracts contain the legally binding terms and conditions. This includes the procurement of new systems and/or services.

8.2 Data Sharing Agreements & Protocols (DSP) with other Healthcare Providers

In order for Salisbury NHS Foundation Trust to effectively manage and record the use and transfer of personal data across Healthcare Partnership boundaries, the Trust has agreed to implement the use of data sharing agreements and protocols.

External organisations must comply with the Trust Remote Access Policy and relevant data sharing protocol.

A blank copy of the Trust’s Information Sharing Protocol is included as Appendix I.

Please note that each Data Sharing Agreement/Protocol will require authorisation from the Caldicott Guardian or IG Manager prior to data being shared.

External employees will also be required to sign the Trust Data Protection, Confidentiality and Information Security Declaration attached to this policy as Appendix B1.


Procedures for Ensuring Safe Transfer of Information

Principle 7 of the DPA legislates that all personal data must be kept secure. Therefore, every member of staff has an obligation to confirm the right to share information and, where applicable, to request proof of the identity of the recipient before confidential personal and/or sensitive information is passed on. Every member of staff is personally responsible for taking precautions to ensure and maintain the security of confidential personal information, both whilst it is in their possession and when it is being transferred from one person or organisation to another.

The following is a list of recommended procedures to ensure the safe transfer of information:

  • Envelopes must be securely sealed, clearly addressed to a known contact and marked “confidential” and “addressee only”. A return postal code should also be marked on the envelope.
  • Telephone validation or “call back” procedures must be followed before disclosing information to someone you do not know to confirm their identity and authorisation. (Even when receiving a call from someone claiming to be a Trust employee).
  • Fax transfer is not safe and should be avoided wherever possible. Where it is necessary “Safe Haven” procedures must be followed. Refer to: The Trust Acceptable Use of Fax Policy.
  • Data held on disk or removable media of any type must be encrypted and the physical security of the device must be protected.
  • E-mailing patient confidential information is only permitted via the use of secure networks, or if it is appropriately encrypted. Refer to the Acceptable Use of Email & SMS Policy for additional guidance.
  • Confidential patient information must not be transmitted via the Internet without it being encrypted, or where system-to-system networks are known to be insecure.
  • When anonymised or pseudonymised information is shared, care must be taken to ensure that the method used is effective and individuals cannot be identified from the limited data set, e.g. age and postcode together could be sufficient to reveal an individual’s identity. Refer to the Trust Acceptable use of Information Policy and the Information Commissioner’s Anonymisation Code of Practice.

Use of Patient Confidential Information for Clinical Training & Research

The use of information about patients is essential to research and the education and training of medical and other healthcare students and trainees. For most of these uses, anonymised information will be sufficient and should be used whenever practicable.

Most patients understand and accept that the education and training of medical and other healthcare students and trainees relies on their having access to information about patients.

10.1 Trainee Healthcare Professionals

Where trainee clinicians are part of the healthcare team providing or supporting a patient’s care, access to the patient’s personal information is permissible, as it is for other team members, because they have a legitimate professional relationship with the patient. The patient does however have the right to object and, where this occurs, the wishes of the patient must be respected.

Therefore, patients must be asked to provide their consent, to allow a trainee clinician to attend a consultation and it is the lead clinician’s responsibility to ensure that the patient is under no pressure to consent.

Additional advice and guidance is available from the General Medical Council (GMC).

10.2 Making and Using Visual and Audio Recordings of Patients for Training

The use of visual and audio recordings of patients for training purposes is permitted. However, staff are required to follow the Trust Making and Using of Audio and Visual Recordings of Patients Policy to ensure full compliance with the Data Protection Act.


Use of Personal & Sensitive Information for Systems Testing & Development

The Information Commissioner's Office advises that the use of personal data and sensitive personal data for system testing must be avoided wherever possible. Systems administrators and developers must develop alternative methods of system testing. Only where it has been proved that there is no practical alternative to using live data for this purpose can live data be used. In this case, the use of this data must be fully risk assessed and approved by the Information Governance Manager and, where patient data is included, also by the Caldicott Guardian. This must be undertaken before commencement of the testing/development.

Should the Information Commissioner receive a complaint about the use of personal data for system testing or development, their first question to the Trust would be to ask why no alternative to the use of live data had been found. Compliance with the above will provide assurance that appropriate steps have been taken to establish whether an alternative exists and, if not, that appropriate approvals have been received before proceeding.

11.1 Key Risks to Personal Data in System Testing & Development

There are a number of general risks that exist whenever system testing is undertaken using live data and/or a live environment. These are:

  • unauthorised disclosure of data
  • unauthorised access to data
  • intentional corruption of data
  • unintentional corruption of data
  • compromise of source system data
  • loss of data
  • inadequacy of data
  • objections or complaints from data subjects
  • potential clinical risk

Any of the above risks can also lead to financial loss to the Trust and/or the person the information relates to. Such action could significantly damage the Trust's reputation.


The Right of Access to Information (Subject Access Requests)


Principle 6 of the DPA 1998 provides all individuals with the right to access personal information about themselves. The law also makes no distinction between the rights of adults and children. Therefore, children have the same rights as adults and all personal data must be processed in accordance with these rights.

These rights are:

  • right of subject access (e.g. to a copy of your medical records or staff files)
  • right to prevent processing likely to cause damage or distress
  • right to prevent processing for the purposes of direct marketing
  • rights in relation to automated decision taking
  • right to take action for compensation if the individual or others suffer damage
  • right to take action to rectify, block, erase or destroy inaccurate data
  • right to make a request to the Information Commissioner for an assessment to be made as to whether any provision of the Act has been contravened

It is widely anticipated that during 2015, a significant change to Data Protection legislation will take place. This follows a European Commission review, which has proposed a comprehensive reform. Consideration has therefore been given to the anticipated impact on Subject Access Requests. The changes are very likely to introduce a new right of access to audit trails contained within electronic information systems. Therefore, from the date of approval of this policy amendment, the Trust will ensure that all new electronic information systems procured or developed will include functionality to provide data subjects with this information.

12.1 Patient Access to their Medical Record

The DPA stipulates that, upon receipt of a written request and the appropriate fee, the Trust must release the patient’s information to them within 40 calendar days. This information must be provided in an intelligible format (clearly written in an unambiguous way). A glossary of terms should be provided to the patient wherever possible.

Patient requests for access to their medical record are managed by the Medical Records Department under the Access to Medical Records Policy. All appropriate documents and guidance notes on how to make a Subject Access Request are available as appendices.

For additional support, help, advice and guidance please contact either the Medical Records Manager or IG Manager on 01722 425119 or 01722 336262 extension 2119.

12.1.1 Complaints about Access to their Medical Record

A patient or their representative may be unhappy with the outcome of their access request, for example because information has been withheld from them or they feel their information has been recorded incorrectly within their health record. To help rectify the complaint, the patient or their representative can go through the following channels:

  • An informal meeting with the lead health professional may help to resolve the complaint
  • If the health professional feels that they cannot do anything for the patient, the patient can make a complaint through the Trust's Complaints procedure
  • A request for intervention can be made to the Trust’s Caldicott Guardian (Medical Director) or IG Manager
  • Ultimately, the patient may not wish to make a complaint through the NHS Complaints Procedure and can take their complaint direct to the Information Commissioner
  • Alternatively, if the patient or their representative wishes to do so, they may seek independent legal advice to pursue their complaint

12.2 Employees Access to their Employment Records

Employee personal information is governed by the DPA and their rights of access to information, privacy, dignity and confidentiality remain the same as for patients.

To ensure compliance and impartial management of all employee Subject Access Requests, the Information Governance department will act as a central hub for all such requests. Where any employee is in receipt of such a request, this must be immediately and securely forwarded to the Information Governance Department for processing. Please refer to Appendix J.

For additional support, help, advice and guidance please contact either the Human Resources Department or IG Manager on 01722 425119 or 01722 336262 extension 2119.


Compliance & Assurance

13.1 Information Governance Assessments:

The Information Governance assessment licence (ROCR/OR/0119/ft6/001/0) is the Information Governance Toolkit return which enables the Trust to measure its compliance with the information handling requirements by assessing itself against the following initiatives:

  • Clinical Information Assurance
  • Secondary Uses Assurance
  • Corporate Information Assurance
  • Information Governance Management
  • Confidentiality and Data Protection Assurance
  • Information Security Assurance

The Toolkit is submitted annually at the end of March.


Consequences of a Breach of Policy


14.1 Disciplinary

A deliberate breach of this policy will be considered a serious disciplinary matter and will be dealt with accordingly. Examples of offences which may be considered to be gross misconduct (the list is not exhaustive) which may result in immediate dismissal are:

  • Unlawful disclosure of Personal Data and Sensitive Personal Data
  • Inappropriate use of Personal Data and Sensitive Personal Data
  • Accessing patient or staff personal data including medical records in the absence of a legitimate professional relationship (including accessing your own records)
  • Misuse of the Personal Data and Sensitive Personal Data which results in any claim being made against the Trust

14.2 Criminal Offence

Section 55 of the DPA states that it is generally unlawful for a person to "knowingly or recklessly without the consent of the data controller obtain or disclose personal data or the information contained in personal data, or procure the disclosure to another person of the information contained in personal data" without the consent of those who control the data.

The current penalty for committing a section 55 offence is a maximum £5,000 fine if the case is heard in a Magistrates Court and an unlimited fine for cases tried in a Crown Court. Under the Criminal Justice and Immigration Act (CJIA) the Justice Secretary has the power to introduce new regulations that would allow a custodial sentence penalty to be available for the offences under Section 55 of the DPA.


15. Data Protection, Confidentiality and Disclosure Caldicott Work Plan


The IG Department will carry out the following duties to support the Caldicott Guardian:

15.1 Mandatory Training

It is mandated through the Health and Social Care Information Centre (HSCIC) and Care Quality Commission (CQC) IG Toolkit that all NHS employees must complete Information Governance Training annually. Data Protection and confidentiality will form a major part of the course content, which will be offered to all employees via a Computer Based Training (CBT) package. For any member of staff for whom the CBT is not appropriate, for whatever reason (such as disability), alternative methods of training will be made available by the IG Department.

The Trust will ensure that training courses/presentations support this policy. The training will ensure general awareness of the Data Protection and Caldicott Principles, with more specific training for Information Guardians and other staff groups.

15.1.1 Trust Induction

All new employees (and those returning to the Trust following a break in employment of more than 12 months) must attend IG training provided at Trust Induction. All staff will be provided with dedicated Data Protection, Caldicott and Confidentiality training. All staff will be provided with a copy of the following leaflets:

  • Guidance for Staff, Volunteers and Contractors (Appendix L)
  • Data Protection & Caldicott Summary Leaflet (Appendix K)

Induction Course Content:

  • Data Protection
  • Confidentiality
  • Information Security
  • Incident Reporting
  • Data Quality
  • Freedom of Information
  • Acceptable use of Information
  • Caldicott Principles

Trust Induction content, materials and leaflets will be reviewed annually and more frequently if impacting laws, processes, procedures or NHS guidance dictates otherwise.

15.1.2 Departmental Induction

Each new member of staff will be given appropriate training materials as part of their induction pack from their Departmental Manager. The information provided will be fully explained.

Managers and supervisory staff are responsible for ensuring that new staff and those returning after a significant period of absence are provided with a locally based information governance orientation training which should include but is not limited to:

  • The use of local fax machines
  • Postal procedures: internal and external post
  • Destruction of confidential waste including handover sheets etc.
  • Using NHS Mail to share patient information outside the Trust
  • Leaving telephone messages for patients, relatives and staff on answerphones
  • Access to secure areas
  • Safe and secure transportation of patient and staff information
  • Appropriate access to confidential information
  • Challenging visitors attempting to access secure areas within the site
  • Briefing new employees on departmental business continuity plans

15.1.3 Information Governance Peripatetic Sessions

These sessions will be made available to departments on request. The session content will be developed and delivered linked to the specific departmental needs. Therefore, training content may vary dependent on recent incidents, complaints and concerns raised by patients.

These sessions will include group exercises and scenario-based learning. In addition to this, the following topics will be included:

Course Content:

  • Data Protection
  • Confidentiality
  • Disclosure: Armed Forces
  • Data Protection Exemptions
  • Consent to share Information
  • Information Security
  • Incident Reporting
  • Data Quality
  • Staff Responsibilities: Investigations, Incident management & Investigations
  • Handling Disclosure Requests: Section 29(3) Crime & Taxation, Child Protection, Vulnerable Adults
  • Freedom of Information

15.2 Confidentiality & Data Protection Awareness

The IG Department will promote the confidentiality, privacy and dignity of patient information to staff via the following mediums:

15.2.1 Articles in the following internal and external publications:

  • Inform (Informatics Newsletter)
  • Cascade Brief (Monthly briefing to Staff from the Trust Board)
  • Clinical Governance Newsletter (Designed by Clinicians for Clinicians)
  • CEO Weekly Message (Emailed to all staff)

15.2.2 Patient and Staff Posters and Leaflets

Salisbury NHS Foundation Trust will continue to promote staff and patient awareness of Data Protection and confidentiality through the continued use of credit card size leaflets posted to new patients with their appointment letters, with larger copies placed in public areas accompanied by posters.

15.2.3 Trust Screen Savers

The IG Department will ensure that the positive message of Data Protection and confidentiality is cascaded to staff via the use of the Trust’s automatic screensaver system.

16. Monitoring Compliance of Confidentiality and Data Protection Review

Compliance with this policy will be monitored through regular confidentiality audits carried out by the Information Asset Administrators. Any incidents or potential concerns will be raised in the first instance with the Information Asset Owners and in the second instance with the IG Manager or Caldicott Guardian. All potential breaches will be investigated in line with Trust policy.

All audits will be carried out in accordance with the ICO Confidentiality Audit Guidance.

16.1 Staff knowledge

Staff knowledge and awareness will be audited by the IG Department annually using an automated questionnaire. The results will be collated to form a report to the Caldicott Guardian and the IGSG members.

16.2 Patient Experience

Patient experience will also be monitored via a personal survey managed by the IG Department. This survey will also include the evaluation of promotional leaflets, posters, consent to share information, privacy dignity, access to their medical record and information security.

Data from the survey will be analysed and compiled by the IG Department and reports submitted to the Caldicott Guardian and the IGSG.

16.3 Data Protection & Confidentiality Compliance Visits

The IG department will carry out compliance visits throughout the Trust to be fed back to the departments, Directorate Managers and the Caldicott Guardian and IG Steering Group.

16.4 Communication & Implementation

This policy is to be made available to all Trust staff and observed by all members of staff, both clinical and administrative.

To ensure that this policy is successfully and appropriately integrated within the Trust, the IG Department has developed an Implementation Plan. This is included as Appendix M.

17. Review

This policy and associated documents will be reviewed annually by the Information Governance Department, and every three years by the Trust and Joint Boards or earlier if appropriate, to take into account any changes to legislation that may occur, and/or guidance from the Department of Health and/or the NHS Executive.






Appendices

  • Data Protection Definitions
  • Trust Staff Data Protection, Confidentiality & Information Security Declaration
  • Non Trust Staff Data Protection, Confidentiality & Information Security Declaration
  • Data Protection Principles
  • Caldicott Principles
  • Disclosure of Information to the Police, Probation or Social Services
  • Section 29 (3) Data Protection Disclosure Record
  • Telephone Guidance: Outgoing Calls
  • Telephone Guidance: Incoming Calls
  • Information Sharing Protocol
  • Guidance For Storage and Access to Staff Personal Files & Employment Records
  • An Introduction to Data Protection & Caldicott Principles
  • Guidance For Storage and Access to Staff Personal Files & Employment records
  • Implementation Plan
  • Department Destruction Logs
  • Equality Analysis
  • Checklist for Approval and Ratification Boards Procedural Documents
  • Diaries (Community Midwifery), Completion & Storage



Page Last Updated: 11/09/2018 09:21 