Data Protection, Confidentiality & Disclosure Policy 

Post Holder Responsible for Policy: Information Governance Manager
Directorate Responsible for Policy: Chief Executive's Directorate
Contact Details: Salisbury District Hospital, 01722 336262 Ext 4133
Date Written: February 2005 (Data Protection & Confidentiality Policy). Replaced by Data Protection, Confidentiality & Disclosure Policy, March 2011.
Date Revised: February 2012
Approved By: Joint Board of Directors
Date Approved: 17th July 2013
Next Due for Revision: October 2014
Date Policy Becomes Live: 4th April 2005

Version Information

Version No.: 1.3
Author: Information Governance Manager
Review Date: 17th July 2013
Description of Changes: The review date for this policy is extended to October 2014.

Table Of Contents

1. Introduction
2. Scope
3. Your Responsibilities
4. Responsibilities
5. Regulatory Compliance with Legislative and Contractual Requirement
6. Consent
7. Disclosure Exemptions under the Data Protection Act & Confidentiality: NHS Code of Practice
8. Working & Sharing Information in Partnership to Support Healthcare
9. Procedures for Ensuring Safe Transfer of Information
10. Use of Patient Confidential Information for Clinical Training
11. Use of Patient Information for Systems Testing
12. Privacy Impact Assessment (PIA)
13. The Right of Access to Information (Subject Access Requests)
14. Compliance & Assurance
15. Consequences of a Breach of Policy
16. Data Protection, Confidentiality and Disclosure Caldicott Work Plan
17. Monitoring Compliance of Confidentiality
18. Review
19. Equality Impact Assessment
20. Appendices

 
Introduction

This Policy replaces the previous Data Protection and Confidentiality Policy and has been expanded to incorporate the disclosure of information by telephone, the release of information to Social Services, the Police and the Armed Forces, consent, and the use of Information Sharing agreements and protocols.

This Policy also mandates the use of Privacy Impact Assessments (PIAs), which are to be used to assess any new processes and procedures that involve the use of personal information or intrusive technologies, and how these impact on the protection of personal information.

PIAs are now mandatory in England for any new system (IT or otherwise), process, project, policy or technology which involves the processing of personal information.

Salisbury NHS Foundation Trust is required to meet its legal obligations and NHS requirements concerning confidentiality and information security standards. The requirements within this Policy are primarily based upon the Data Protection Act 1998 (DPA) and Confidentiality: NHS Code of Practice (the Code of Confidentiality). Together these two documents cover the security and confidentiality of personal information within the NHS, the United Kingdom and the European Economic Area.

A definition of personal information and sensitive information is included as Appendix A to this Policy.

Like all NHS organisations, Salisbury NHS Foundation Trust holds and processes information about its employees, patients and other individuals for various purposes (e.g. the effective provision of healthcare services, or administrative purposes such as payroll). To comply with the DPA, personal identifiable information must be collected and used fairly, stored safely and not disclosed to unauthorised persons. The DPA and the Code of Confidentiality apply to both manual and electronic data.

The Trust also has a duty to comply with additional guidance issued by the Department of Health, the NHS Executive, Monitor and other professional bodies.

Failure of the Trust, its employees, volunteers or contractors to comply with the DPA could result in an investigation by the Information Commissioner's Office, with the possible risk of a fine of up to £500,000 for very serious breaches.

All NHS employees have a duty of confidence to patients under common law. Furthermore, statute law imposes legal obligations regarding the confidentiality of patient data, whether it is documented manually or collected and held within computer systems.

This Policy gives assurance to the Trust and to individuals that personal information is dealt with legally, securely, effectively and efficiently, in order to deliver the best possible care to patients.

The Trust will establish and maintain policies and procedures to ensure compliance with the requirements contained in the NHS Connecting for Health Information Governance Toolkit.

 
Scope

This Policy covers records held and processed by Salisbury NHS Foundation Trust. The Trust is responsible for its own records under the terms of the DPA and has registered itself with the Information Commissioner as a Data Controller.

This Policy covers all aspects of information within the organisation, including (but not limited to):

· Patient/staff/client/service user information
· Personal information
· Organisational information

This Policy covers all aspects of handling information, including (but not limited to):

· Structured and unstructured record systems, paper and electronic
· Transmission of information by fax, email, post and telephone
· Information systems managed by or used by the Trust

This Policy covers all information systems purchased, developed and managed by, or on behalf of, the Trust, and any individual directly or otherwise employed by the organisation.

 
Your Responsibilities

While you are at work you may have access to information about patients, colleagues and/or the Trust. You may come into contact with this type of information in the course of your work, or simply see, hear or read something while you are working. You must keep this information confidential. Where you believe that a duty of care, either to the patient or to a member of staff, overrides the duty of confidentiality, you must discuss the matter with your supervisor/line manager in the first instance, or escalate it to the next senior manager and/or obtain advice from the Trust Caldicott Guardian or Information Governance Manager.

As an employee (including honorary staff), volunteer or contractor of the Trust you are subject to an obligation of confidentiality and must adhere to the DPA, the Caldicott guidelines and NHS Information Security procedures, which form part of the Terms and Conditions of Employment of all employees, contractors, volunteers and honorary staff.

All staff must sign a copy of the Trust's Data Protection, Confidentiality and Information Security Declaration without exception. The declaration is attached to this Policy as Appendix B.

Professional bodies (e.g. the Nursing and Midwifery Council (NMC) and the General Medical Council (GMC)) provide additional supplementary advice and guidance for their own disciplines. These guidelines should not conflict with this Policy or with legislative requirements.

The Access to Health Records Act 1990 gives the personal representative of a deceased patient, and anyone who may have a claim arising from the patient's death, a right of access to that patient's records.

This Policy, and its supporting standards and work instructions, are fully endorsed by the Trust Board through the production of these documents and their minuted approval.

Any unauthorised disclosure of information by a member of staff will be considered a disciplinary offence and will be subject to the Trust's Disciplinary Procedures.

 
Responsibilities

4.1 The Chief Executive Officer

The Chief Executive Officer (CEO) has overall responsibility for the Data Protection Policy within the Trust. Implementation of, and compliance with, this Policy is delegated to the Caldicott Guardian, the designated Data Protection Officer (the Information Governance Manager) and the members of the Information Governance Steering Group.

4.2 Caldicott Guardian

The Caldicott Guardian is responsible for protecting the confidentiality of patient and service user information and for enabling appropriate information sharing with external and collaborative agencies. Acting as the 'conscience' of the Trust, the Caldicott Guardian actively supports work to enable information sharing where it is appropriate to share, and advises on options for the lawful and ethical processing of information.

The Guardian plays a key role in ensuring that the NHS, Councils with Social Services Responsibilities and partner organisations satisfy the highest practical standards for handling patient identifiable information.

The Caldicott Guardian also has a strategic role, which involves representing and championing Information Governance requirements and issues at Board or management team level and, where appropriate, at a range of levels within the organisation's overall governance framework.

4.3 Information Governance (IG) Manager

The IG Manager is responsible for supporting the day-to-day information governance function and works closely with the Caldicott Guardian on confidentiality and Data Protection training, investigations and issues.

4.4 Directorate, General and Clinical Managers and Heads of Departments

Data Protection procedures will vary from department to department and across disciplines. It is the responsibility of Directorate, General and Clinical Managers and Heads of Department to ensure that adequate and compliant procedures are developed to handle personal data and sensitive personal data.

This includes the responsibility to ensure that new systems or procedures used for the processing of personal data are introduced with reference to the ICO Privacy Impact Assessment Guidance and Handbook.

General and Clinical Managers and Heads of Department may delegate the day-to-day running of operational procedures but may not delegate overall responsibility for the handling of personal data and sensitive personal data within their departments.

4.5 Information Asset Administrators

Each computer system/database will have a designated application and/or system administrator/manager. A list of these nominated personnel will be maintained as part of the Asset Register, which forms part of the Trust's Information Security Management System.

The IG Manager will ensure that all databases that require registration are registered in accordance with the Act's requirements and that these registrations are reviewed on a regular basis.

The day-to-day responsibility for enforcing this Policy will be devolved to the Information Asset Owners and Administrators and other nominated personnel.

In order to fulfil their roles, the IG Manager will ensure that regular training is provided to remind these personnel of their responsibilities and of the most effective ways of ensuring adequate information security and confidentiality.

 
Regulatory Compliance with Legislative and Contractual Requirement

Salisbury NHS Foundation Trust has a legal obligation to comply with all appropriate legislation in respect of data, information and IT security. It is essential that patient identifiable information (PID) is handled, processed and released in a strictly controlled manner. This document sets out the Trust's policy for the management of confidential information.

5.1 The Data Protection Act 1998

The lawful and correct treatment of personal information is vital to the successful operation of the Trust and to maintaining confidence between the Trust and the individuals with whom it deals. Therefore, the Trust will, through appropriate management and strict application of criteria and controls:

· Fully observe the conditions regarding the fair collection and use of information;
· Meet its legal obligations to specify the purposes for which information is used;
· Collect and process appropriate information, and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements;
· Ensure the quality of information used;
· Apply strict checks to determine the length of time information is held;
· Ensure that the rights of people about whom information is held can be fully exercised under the Act (these include: the right to be informed that processing is being undertaken; the right of access to one's personal information; the right to prevent processing in certain circumstances; and the right to correct, rectify, block or erase information which is regarded as wrong);
· Take appropriate technical and organisational security measures to safeguard personal information;
· Ensure that personal information is not transferred abroad without suitable safeguards.

The Data Protection Act 1998 lays down regulations for the handling of personal data. For all such data it is essential to abide by the eight principles which govern the care and use made of the data.

A detailed explanation of the eight Data Protection Principles is included in this Policy as Appendix C.

Information must only be disclosed on a need-to-know basis. Printouts and paper records must be treated with respect and disposed of in a secure manner, and staff must not disclose information outside the line of duty.

In addition to these principles there are other conditions which have to be met; these are specified in the schedules of the Act, full details of which are available at: http://www.legislation.hmso.gov.uk/acts/acts1998/19980029.htm.

5.2 Notification to the Information Commissioner

Before personal data are held on computer, it is necessary to notify the Office of the Information Commissioner. The Trust's registration (No. Z6613850) is held by the Information Commissioner's Office and is available to the public via the ICO's website at: http://www.esd.informationcommissioner.gov.uk/esd/DoSearch.asp?reg=3005554

All applications/databases required under law to be registered for Data Protection purposes will be registered under the Trust's global notification.

Failure to register personal data, or knowingly using data other than as registered, constitutes an offence under the DPA; this may result in Salisbury NHS Foundation Trust and/or individual employees being prosecuted and/or fined.

This registration is checked regularly by the Information Governance Manager to ensure that all uses and disclosures of personal data are specified within the registration.

It is also essential that the Trust's registration is kept up to date, and Managers and all staff are responsible for informing the Information Governance Manager of any new uses of personal identifiable information. For further guidance on the types of personal data the Trust collects and the use and sharing of information, refer to the Trust's Data Processing Policy.

5.3 Confidentiality: NHS Code of Practice & the Caldicott Committee Report

In 1997 the Caldicott Committee's report introduced stringent guidelines on the recording, access and use of personal data within the NHS; these were later incorporated into Confidentiality: NHS Code of Practice (2003). Each NHS organisation is required to have a Caldicott Guardian; this was mandated for the NHS by Health Service Circular HSC 1999/012. The mandate covers all organisations that have access to patient records, so it includes Acute Trusts, Ambulance Trusts, Mental Health Trusts, Primary Care Trusts, Strategic Health Authorities and special health authorities such as NHS Direct.

5.3.1 Caldicott Guardian Registration

All NHS Trusts are required to maintain and update their Caldicott Guardian Registration, managed by Connecting for Health. This function is carried out by the IG Manager and a copy of the registration documentation is accessible on the Connecting for Health website: http://www.connectingforhealth.nhs.uk/systemsandservices/ssd/prodserv/caldicottcert.pdf

5.4 Caldicott Principles

The Caldicott principles were recommended by the Caldicott Committee as a guide for the NHS on the use and transfer of patient identifiable information.

The six principles provided by the Caldicott Report are the baseline for good practice:

1. Justify the purpose for using confidential information
2. Only use it when absolutely necessary
3. Use the minimum that is required
4. Access should be on a strict need-to-know basis
5. Everyone must understand his or her responsibilities
6. Understand and comply with the law

A detailed explanation of the six Caldicott Principles is contained in Appendix D.

 
Consent

Where patients have consented to healthcare, research has consistently shown that they are normally content for information to be disclosed in order to provide that healthcare.

However, it is still very important that reasonable efforts are made to ensure that patients understand how their information is to be used to support their healthcare, and that they have no objections.

Where this has been done effectively, consent can be implied, provided that the information is shared no more widely than absolutely necessary and that "need to know" principles are enforced. This is particularly important where the use or disclosure of information, whilst an important element of modern healthcare provision, is neither obvious nor easy to understand. It is particularly important to check that patients understand, and are content, for information to be disclosed to other organisations or agencies contributing to their healthcare.

Patients entrust us with, or allow us to gather, sensitive information relating to their health and other matters as part of their seeking treatment. They do so in confidence and they have the legitimate expectation that staff will respect their privacy and act appropriately. In some circumstances patients may lack the competence to extend this trust, or may be unconscious, but this does not diminish the duty of confidence. It is essential, if the legal requirements are to be met and the trust of patients is to be retained, that the NHS provides, and is seen to provide, a confidential service. Information that can identify individual patients must not be used or disclosed for purposes other than healthcare without the individual's explicit consent, some other legal basis, or a robust public interest or legal justification for doing so.

Anonymised information is not confidential and may be disclosed in some circumstances. Guidance contained in Confidentiality: NHS Code of Practice (November 2003) should be followed.

6.1 Consent & Compliance with the DPA and Confidentiality: Code of Practice

In order to promote a healthcare service which is open and transparent about how patient information is used and processed, the Trust has developed a series of leaflets and posters which provide specific information about how patients' information will be collected, stored, used and shared with partner organisations for the provision of continued healthcare.

Specialist staff information relating to consent is available in the Trust Integrated Clinical Information Database (ICID), under Clinical Management: Consent.

6.2 Patients who Prohibit the Sharing of Health Information

6.2.1 For the Provision of Health Care

Salisbury NHS Foundation Trust works with a number of NHS organisations and independent treatment centres to provide the patient with the best possible care. In order to do this, patient information may be shared securely (with their consent) to provide care in local, central and peripheral locations. If the patient chooses to prohibit this information from being disclosed to other health professionals involved in providing care, it might mean that the care that can be provided is limited and, in extremely rare circumstances, that it is not possible to offer certain treatment options.

However, sometimes the law requires that we disclose or report certain information, but this is only done after formal authority from the Courts or from a qualified health professional. Examples include reporting a serious crime such as murder, manslaughter, rape, treason, kidnapping or child abuse, or infectious diseases that may endanger the safety of others, such as meningitis or measles (but not HIV/AIDS).

Additional guidance on dealing with such disclosures is contained in section seven of this Policy.

6.2.2 To Relatives or Carers

Patients may wish to restrict the information about their healthcare that is given to their relatives. Patients should be encouraged to be very explicit if there is anyone whom they do not want to be given information.

In the event of the patient being unable to give permission, a person must be identified to act on behalf of the patient and permission obtained from him/her.

In all cases, the wishes expressed by the patient must be appropriately documented in the Medical Records.

 
Disclosure Exemptions under the Data Protection Act & Confidentiality: NHS Code of Practice

In certain circumstances personal information may be disclosed; however, it is vital that staff make an assessment of the need to disclose the information and document to whom the information has been released and for what reason. Further guidance is available from the Information Governance Team and from Confidentiality: NHS Code of Practice.

It is important to note that personal identifiable information released under any of the exemptions described in this section must still be processed in compliance with the remaining Data Protection Principles:

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

7.1 Disclosing Information against the Patient's Wishes or without Consent

The responsibility for deciding whether or not information should be withheld or disclosed without the patient's consent lies with the Senior Clinician involved at the time and cannot be delegated.

Circumstances where the patient's right to confidentiality may be overridden are rare; examples of these situations are:

· where the patient's life may be in danger, or where the patient may not be capable of making an appropriate decision
· where there is serious danger to other people, and the rights of others may supersede those of the patient
· where there is a serious threat to the healthcare professional
· where there is a serious threat to the community
· in other exceptional circumstances, based on professional consideration and consultation

7.2 Disclosures Permitted Without the Person's Consent

The following disclosures of personal information are permitted under statute:

· Births and deaths
· Notifiable communicable diseases
· Poisonings and serious accidents at the workplace
· Terminations
· The misuse of drugs
· Offenders thought to be mentally disordered
· Child abuse
· Road traffic accidents
· Prevention/detection of a serious crime, e.g. terrorism or murder

If in doubt, staff should seek guidance, in confidence, from the Clinician/Nurse in Charge, the appropriate Senior Nurse Manager/Directorate Manager, the Caldicott Guardian or the Information Governance Manager on 01722 425119 or 01722 336262 extension 2119.

7.3 Patient & Staff Disclosure Requests Made to the Police, Social & Probation Services under Section 29(3) of the Data Protection Act 1998: Crime, Taxation and Fraud

Guidance on the Disclosure of Personal Information to the Police, Probation and Social Services is attached to this policy as Appendix E.

All staff are required to complete a Data Protection Disclosure Record Appendix F and gain authorisation from the Caldicott Guardian, Named Nurses for Vulnerable Adults or Child Protection, the IG Manager or Senior Manager prior to release. This is to ensure requests are appropriately scrutinised.

A copy of the completed Disclosure Record must be sent to the IG Manager to ensure all disclosure requests are logged within the Trust. This can be sent via internal email.

Salisbury NHS Foundation Trust will support any member of staff who, using careful consideration and professional judgement, can satisfactorily justify any decision to disclose or withhold information against a patient's wishes.

7.3.1 Release of Information to NHS Fraud Department

Managers are required to provide information to the NHS Fraud Department when they receive a formal written request for information relating to a fraud investigation; Section 29(3) of the DPA provides the exemption under which such disclosure is permitted.

If it is agreed that information is to be released, it must still be processed in compliance with the remaining Data Protection Act Principles, e.g.:

3. Personal data must be adequate, relevant and not excessive.
4. Data must be accurate and up to date.
7. Data must be kept secure at all times.
8. Data to be transferred outside the European Economic Area must have adequate protection surrounding it.

All staff are required to complete a Data Protection Disclosure Record Appendix F and gain authorisation from the Caldicott Guardian, IG Manager or Senior Manager prior to release. This is to ensure requests are appropriately scrutinised.

A copy of the completed Disclosure Record must be sent to the IG Manager to ensure all disclosure requests are logged within the Trust.

Salisbury NHS Foundation Trust will support any member of staff who, using careful consideration and professional judgement, can satisfactorily justify any decision to disclose or withhold information against a patient's wishes.

7.4 Disclosure of Information about Armed Forces Personnel

Service Personnel (members) of the UK, NATO and Commonwealth Armed Forces are entitled to full use of NHS hospitals on the same basis as civilians.

In addition to the normal action taken by NHS hospitals to ensure that relatives are notified of the admission of Service patients, it is essential that the appropriate Service Authority is notified as quickly as possible in order that the necessary administrative action can be performed. Failure to inform the Service Authority may lead to the Service patient concerned being reported as absent without leave from his/her unit.

Notification to the Service Authority may be made by telephone or fax and should, where possible, include the following details in respect of the Service Personnel:

· Name and address of the reporting hospital
· Service number
· Rank, name and initials
· Unit and address
· Date of admission
· Ward
· Next of kin details, address and telephone number
· Whether next of kin has been notified

It is important to note that the duty of confidence still applies to Service Personnel and only the minimum information should be provided to the Service Authority. If specific or detailed health-related information is requested, always discuss the request with the Service Personnel concerned and gain their consent to disclose.

Additional guidance and contact details of Service Authority Offices are included in the Department of Health Health Service Guidance: Arrangements between the Ministry of Defence, NATO, the Commonwealth Armed Services and the NHS.

For further information, advice and guidance contact the Information Governance Department on 01722 336262 extension 4133.

 

7.5 Non-Disclosure of Personal Information Contained in a Medical Record by a Clinician

An individual requesting access to their medical/personnel files may be refused access to parts of the information if an appropriate Clinician deems that exposure to that information could cause physical or mental harm to the patient. Clinicians should be prepared to justify their reasons in a court of law if necessary. In all cases the reasons for non-disclosure should be documented.

The Trust is not required to supply copies of medical records if:

· the individual requesting the information has not provided enough supporting information for the records to be located
· the appropriate fee has not been paid
· the retrieval of the medical records would require disproportionate effort
· the identity of a third party would be revealed if disclosure were to take place

7.6 Disclosure of Patient Information after Death

When a patient dies, it is unlikely that information relating to that individual remains legally confidential. However, an ethical obligation to the relatives of the deceased exists, and the health records of the deceased are public records governed by the provisions of the Public Records Act 1958, which permits the use and disclosure of the information within them only in limited circumstances. The Access to Health Records Act 1990 permits access to the records of the deceased by those with a claim arising from the death of the patient.

This right of access is negated, however, if the individual concerned requested that a note denying access be included within the record prior to death (this might be part of a formal advance directive).

Additional advice and guidance relating to the disclosure of information after death is available from the Caldicott Guardian, the Lead Clinician, and the Medical Records and IG Managers.

 

7.7 Disclosure of Personal and Sensitive Information by Telephone

7.7.1 General Guidance on the Use of Telephones to Communicate Personal Information

A patient has a right to privacy, so we must talk to the patient unless we have a justified reason to speak to someone on their behalf, e.g. they have given their consent or it is in their best interests.

Avoid "alarmist" language such as 'it's confidential' or jargon like 'fast track'. If you think you may need to contact the patient by phone, ask if you can call them at work, at home or on a mobile. Ask if you can leave messages.

If you know the patient is unable to speak to you, or the recipient of the call tells you that they effectively act on the patient's behalf, then you can pass limited information to the recipient.

Additional guidance on dealing with incoming and outgoing calls relating to individuals is provided in Appendix G (Outgoing Telephone Calls) and Appendix H (Handling Incoming Calls).

 
Working & Sharing Information in Partnership to Support Healthcare

 

In order for Salisbury NHS Foundation to remain compliant with the Data Protection Act 1998, Confidentiality: NHS Code of Practice and Information Security Regulations all 3rd Party Contractors, System Suppliers and Healthcare Partnership Agencies must formalise document and sign legally binding agreements.

 

The following are examples of documents which may be required:

 

  • Contract between SFT and a 3rd party system supplier (iPM)
  • Contract to provide healthcare information between SFT and a private hospital (Nuffield)
  • Information sharing protocol between NHS Healthcare Partners (Warminster Hospital & SFT)

8.1 3rd Party Contractors & Contracts

 

There are a number of ways in which third parties may have access to Trust information, including information held in systems, and this determines how extensive the risk assessment needs to be: for example, a risk assessment for cleaning contractors will differ from that carried out for a contractor connecting to the Trust network, and temporary access raises different considerations from long-term access. It is essential that the nature and level of access is determined before the risk assessment is conducted and before the information governance elements of the contract are completed.

 

Third party access may be granted to electronic systems and networks, for example, the software for a patient system may be maintained by the developers, under contract. In this case it is quite likely that third party staff may have significant access to patient data. This situation clearly has Caldicott/Confidentiality and Data Protection Act 1998 (DPA) implications which require confidentiality and non-disclosure clauses to be included in the contract. It is also essential to know what security controls the third party has in place:

·           Do they have adequate security controls, policies and training?

·           Are staff screened prior to commencing employment?

·           Do they have the necessary skills to train their staff in Caldicott/confidentiality and data protection issues or should your organisation provide the training?

Therefore, in order to protect the Trust and mitigate any risks, all contracts or protocols are required to contain the following:

 

·       Ownership of information

·       Definitions of Clinical Requirements to Share Images/Data and Reports

·       Audit of Systems, access, user account controls and reporting anomalies

·       Overview of Technical Solutions

·       Patient consent and Legitimate Relationships

·       Confidentiality

·       Data Protection including parameters of disclosure of personal/corporate information

·       Access Control Framework

·       Error Correction Processes

·       Secure Transit of Patient Identifiable Information

·       Key Contacts

·       Liability

·       Information Security Standards including Statement of Compliance

·       Details of processing of data outside of the UK

·       Incident Reporting Procedures

·       Security transfer details

Contracts with external 3rd party Contractors will also be required to include statements regarding Freedom of Information Requests.

 

Formal contracts entered into by the Trust must be reviewed by the Procurement Department prior to being signed on behalf of the Trust. This will ensure that all contracts contain the legally binding terms and conditions. This includes the procurement of new systems and/or services.

 

8.2 Data Sharing Agreements & Protocols (DSP) with other NHS Healthcare Providers

 

In order for Salisbury NHS Foundation Trust to effectively manage and record the use and transfer of personal data across Healthcare Partnership boundaries, the Trust has agreed to implement the use of data sharing agreements and protocols.

 

External organisations must comply with the Trust Remote Access Policy and relevant data sharing protocol.

 

These are available on request from the Informatics Department via the IT Service Desk on 01722 336262 extension 2040 or call the Infrastructure architect on 01722 425007.

 

Please note that each Data Sharing Agreement/Protocol will require authorisation from the Caldicott Guardian or IG Manager prior to data being shared.

 

External employees will also be required to sign the Trust Data Protection, Confidentiality and Information Security Declaration attached to this policy as Appendix B.

9. Procedures for Ensuring Safe Transfer of Information

 

Principle 7 of the DPA requires that all personal data be kept secure. Therefore, every member of staff has an obligation to request proof of identity before confidential personal information is passed on. Every member of staff is personally responsible for taking precautions to ensure the security of confidential personal information, both whilst it is in their possession and when it is being transferred from one person or organisation to another.

 

The following is a list of recommended procedures to ensure the safe transfer of information:

 

·           Envelopes must be securely sealed, clearly addressed to a known contact and marked “confidential” and “addressee only”. A return postcode should also be marked on the envelope.

 

·           Telephone validation or “call back” procedures must be followed before disclosing information to someone you do not know to confirm their identity and authorisation.

·           Fax transfer is not safe and should be avoided wherever possible. Where it is necessary “Safe Haven” procedures must be followed. Refer to: The Trust Acceptable Use of Fax Policy.

 

·           Data held on disk must be encrypted to prevent unauthorised access, and the physical security of the disk must also be protected, i.e. stored under lock and key.

·           E-mailing patient confidential information is only permitted if it is encrypted. Refer to the Acceptable Use of Email Policy for additional guidance.

 

·           Confidential patient information must not be transmitted via the Internet unless it is encrypted or sent over system-to-system networks that are known to be secure.

·           When anonymised or pseudonymised information is shared, care should be taken to ensure that the method used is effective and individuals cannot be identified from the limited data set, e.g. age and postcode together could be sufficient to reveal an individual’s identity. Refer to the Trust Acceptable Use of Information Policy.

Employees must refer to the Trust Mobile Computing Policy for additional specific guidance.
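The re-identification risk described in the list above (age and postcode together singling out one person) can be checked before an extract leaves the Trust. The Python below is an added example and is not part of this policy or of any Trust system; the patient rows, the choice of quasi-identifier fields and the minimum group size of 2 are constructed assumptions. It counts how many people share each combination of the chosen fields, lists the combinations that pin down exactly one person, and shows that coarsening age to a ten-year band and postcode to its sector brings every group back to at least two people.

```python
"""Checking that a 'limited data set' really is anonymised.

Added example (not part of the Trust policy): fields that are not
identifiers on their own, such as age and postcode, can still single out
one person when combined. The check below counts how many people share
each combination of such quasi-identifiers and refuses a release in
which any combination matches fewer than K_MIN people.
All rows below are constructed sample data, not real patients.
"""
from collections import Counter

# Constructed extract with direct identifiers (name, NHS number) already removed.
EXTRACT = [
    {"age": 34, "postcode": "SP2 8BJ", "sex": "F", "diagnosis": "asthma"},
    {"age": 34, "postcode": "SP2 8BJ", "sex": "M", "diagnosis": "diabetes"},
    {"age": 71, "postcode": "SP1 3SJ", "sex": "F", "diagnosis": "hypertension"},
    {"age": 72, "postcode": "SP1 3SJ", "sex": "F", "diagnosis": "hypertension"},
    {"age": 70, "postcode": "SP1 3SJ", "sex": "M", "diagnosis": "copd"},
    {"age": 45, "postcode": "SP4 7PL", "sex": "M", "diagnosis": "asthma"},
    {"age": 47, "postcode": "SP4 7EX", "sex": "F", "diagnosis": "diabetes"},
    {"age": 38, "postcode": "SP2 8JA", "sex": "F", "diagnosis": "copd"},
]

# Attributes a recipient could plausibly already know about someone (assumed choice).
QUASI_IDENTIFIERS = ("age", "postcode")
K_MIN = 2  # assumed minimum group size; larger thresholds are usual for wider release


def equivalence_classes(rows, fields):
    """Map each combination of quasi-identifier values to the number of rows sharing it."""
    return Counter(tuple(row[f] for f in fields) for row in rows)


def k_anonymity(rows, fields):
    """Size of the smallest group; 1 means at least one person is unique in the extract."""
    classes = equivalence_classes(rows, fields)
    return min(classes.values()) if classes else 0


def singletons(rows, fields):
    """Combinations of values that match exactly one person."""
    return sorted(key for key, n in equivalence_classes(rows, fields).items() if n == 1)


def generalise(row):
    """Coarsen age to a ten-year band and postcode to its sector (outward code + first inward digit)."""
    decade = row["age"] // 10 * 10
    outward, inward = row["postcode"].split()
    coarse = dict(row)
    coarse["age"] = f"{decade}-{decade + 9}"
    coarse["postcode"] = f"{outward} {inward[0]}"
    return coarse


def release_is_safe(rows, fields=QUASI_IDENTIFIERS, k_min=K_MIN):
    """True only if every quasi-identifier combination matches at least k_min people."""
    return k_anonymity(rows, fields) >= k_min


if __name__ == "__main__":
    print("raw extract: k =", k_anonymity(EXTRACT, QUASI_IDENTIFIERS))
    print("unique (age, postcode) pairs:", singletons(EXTRACT, QUASI_IDENTIFIERS))
    coarse_rows = [generalise(r) for r in EXTRACT]
    print("after generalisation: k =", k_anonymity(coarse_rows, QUASI_IDENTIFIERS))
    print("safe to release:", release_is_safe(coarse_rows))
```

The field list passed as quasi-identifiers must cover every attribute a recipient could plausibly know about someone (sex, admission date and ethnicity are common additions), and a group size of 2 is the bare minimum; generalisation also reduces the usefulness of the data, so the check belongs at the sign-off step described in this section rather than being applied mechanically.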

10. Use of Patient Confidential Information for Clinical Training

 

The use of information about patients is essential to the education and training of medical and other healthcare students and trainees. For most of these uses, anonymised information will be sufficient and should be used whenever practicable.

 

Most patients understand and accept that the education and training of medical and other healthcare students and trainees relies on their having access to information about patients.

 

10.1 Trainee Healthcare Professionals

 

If trainee clinicians are part of the healthcare team providing or supporting a patient’s care, they can have access to the patient’s personal information like other team members, unless the patient objects.

 

Therefore, patients must be asked to provide their consent to a trainee clinician sitting in on a consultation, and it is the lead clinician’s responsibility to ensure that the patient is under no pressure to consent.

Additional advice and guidance is available from the General Medical Council (GMC): http://www.gmc-uk.org/guidance/ethical_guidance/consent_guidance_index.asp

10.2 Making and Using Visual and Audio Recordings of Patients for Training

 

The use of visual and audio recordings of patients for training purposes is permitted. However, staff are required to follow the Trust Making & Using Visual and Audio Recording of Patients for Training Policy to ensure full compliance with the Data Protection Act.

 

11. Use of Patient Information for Systems Testing

The ICO advises that the use of personal data for system testing should be avoided. Where there is currently no practical alternative to using live data for this purpose, systems administrators should develop one. Should the Information Commissioner receive a complaint about the use of personal data for system testing, the first question put to the data controller would be why no alternative to the use of live data had been found.

 

11.1 Key Risks to Personal Data in System Testing

There are a number of general risks that exist whenever system testing is undertaken using live data and/or a live environment. These are:

·         unauthorised access to data

·         unauthorised disclosure of data

·         intentional corruption of data

·         unintentional corruption of data

·         compromise of source system data

·         loss of data

·         inadequacy of data

·         objections from customers

Any of the above risks can also lead to financial loss to the Trust and/or the person the information relates to, and could significantly damage the Trust’s reputation.

Additional guidance is available from the British Standards Institution: Guidance on using Personal Data to Test Systems.
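One alternative method of the kind this section asks systems administrators to develop is a test copy built from pseudonymised identifiers and synthetic demographics rather than live records. The Python below is an added example, not the ICO’s, the BSI’s or the Trust’s own procedure; the field names, the three constructed “live” rows (999-prefixed numbers from the NHS test range, not real patients), the surname list and the key value are all assumptions. It keeps records that belong to one patient linked in the test set, replaces every demographic field with a synthetic value, and finishes with a check that fails closed if any live value has leaked through.

```python
"""Building a system-test dataset without live patient data.

Added example (not part of the Trust policy or any Trust system). Each live
NHS number is replaced by a keyed pseudonym, so rows for the same patient
stay linked in the test copy without the live number being present;
surnames and dates of birth are replaced by synthetic values derived from
that pseudonym; a final check confirms no live identifier survived.
All 'live' rows are constructed placeholders, not real patients.
"""
import hashlib
import hmac
import random
import re

# Constructed "live" extract. 999-prefixed numbers are in the NHS test range
# and are used here purely as placeholders (no check digit is implied).
LIVE_ROWS = [
    {"nhs_number": "9990000001", "surname": "Blackwood", "dob": "1958-03-29", "episode": "E001"},
    {"nhs_number": "9990000001", "surname": "Blackwood", "dob": "1958-03-29", "episode": "E002"},
    {"nhs_number": "9990000002", "surname": "Okafor", "dob": "1990-11-30", "episode": "E003"},
]

# Assumed secret. In practice it is held outside the test environment so the
# test system itself cannot map pseudonyms back to live patients.
PSEUDONYM_KEY = b"assumed-pseudonymisation-key"

# Obviously synthetic surnames, chosen to be disjoint from anything in the live extract.
SYNTHETIC_SURNAMES = ["Testcase", "Sample", "Dummy", "Fixture", "Mockley", "Stubbs"]


def pseudonymise_id(nhs_number, key=PSEUDONYM_KEY):
    """Keyed hash: same live number -> same test ID, but not reversible without the key."""
    digest = hmac.new(key, nhs_number.encode("ascii"), hashlib.sha256).hexdigest()
    return "T" + digest[:9].upper()


def is_test_id(value):
    """Test IDs are visibly distinct from real ten-digit NHS numbers."""
    return re.fullmatch(r"T[0-9A-F]{9}", value) is not None


def build_test_row(live_row):
    """Replace every demographic field; keep only non-identifying operational fields."""
    test_id = pseudonymise_id(live_row["nhs_number"])
    rng = random.Random(test_id)  # string seed, so the same patient always gets the same synthetic identity
    year, month, day = rng.randint(1930, 2005), rng.randint(1, 12), rng.randint(1, 28)
    return {
        "nhs_number": test_id,
        "surname": rng.choice(SYNTHETIC_SURNAMES),
        "dob": f"{year:04d}-{month:02d}-{day:02d}",
        "episode": live_row["episode"],  # assumed non-identifying; review every kept field in a real extract
    }


def build_test_set(live_rows):
    return [build_test_row(row) for row in live_rows]


def contains_live_identifiers(test_rows, live_rows):
    """Final gate before loading the test system: True if any live identifying value is present."""
    live_values = set()
    for row in live_rows:
        live_values.update((row["nhs_number"], row["surname"], row["dob"]))
    return any(row[field] in live_values
               for row in test_rows
               for field in ("nhs_number", "surname", "dob"))


if __name__ == "__main__":
    test_rows = build_test_set(LIVE_ROWS)
    for row in test_rows:
        print(row)
    print("live identifiers present:", contains_live_identifiers(test_rows, LIVE_ROWS))
```

The keyed hash is what keeps a patient’s episodes linked in the test copy, which plain random IDs would not do; while anyone holds the key the test data can in principle be re-linked, so it remains personal data under the DPA and is covered by the risks listed in 11.1, not exempt from them. The final check is deliberately a fail-closed gate rather than a warning, so that a mapping mistake stops the load.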

12. Privacy Impact Assessment (PIA)

In 2008 the Cabinet Secretary commissioned a review of Data Handling Procedures within Government in recognition of the keen public interest in the safe handling and sharing of personal data. The report following this review, known as the Data Handling Review, was published in June 2008. The report established mandatory Privacy Impact Assessments (PIAs) for all Government Departments for certain initiatives. It stated that all Government Departments will “introduce Privacy Impact Assessments, which ensure that privacy issues are factored into plans from the start, and those planning services are clear about their aims. Similarly, information risk management will be considered as part of the Government’s “Gateway” reviews that monitor progress of the most important projects”.

Therefore, the Trust has introduced the Privacy Impact Assessment Policy which includes guidance and templates for carrying out a PIA.

The following are examples of when PIAs are required:

·         New IT System

·         New Policy

·         New Procedures

·         Working in partnership with other agencies

13. The Right of Access to Information (Subject Access Requests)

Principle 6 of the DPA 1998 provides all individuals with the right to access personal information about themselves. The law also makes no distinction between the rights of adults and children. Therefore, children have the same rights as adults and all personal data must be processed in accordance with these rights.

These rights are:

  • right of subject access (e.g. to a copy of your medical records or staff files)
  • right to prevent processing likely to cause damage or distress
  • right to prevent processing for the purposes of direct marketing
  • rights in relation to automated decision taking
  • right to take action for compensation if the individual or others suffer damage
  • right to take action to rectify, block, erase or destroy inaccurate data
  • right to make a request to the Information Commissioner for an assessment to be made as to whether any provision of the Act has been contravened

To ensure the Trust processes personal data in compliance with these rights the following procedures are in place:

 

13.1 Patient Access to their Medical Record

 

The DPA stipulates that, upon receipt of a written request and the appropriate fee, the Trust must release the patient’s information to them within 40 calendar days. This information must be provided in an intelligible format (clearly written in an unambiguous way).

Patient requests for access to their medical record are managed by the Medical Records Department under the Access to Medical Records Policy. All appropriate documents and guidance notes on how to make a Subject Access Request are available as appendices.

For additional support, help, advice and guidance please contact either the Medical Records Manager, or the IG Manager on 01722 425119 or 01722 336262 extension 2119.

13.1.1 Complaints about Access to their Medical Record

If a patient or their representative is unhappy with the outcome of their access request (for example, because information has been withheld from them, or because they feel their information has been recorded incorrectly within their health record), the patient or their representative can pursue the complaint through the following channels:

 

·         An informal meeting with the lead health professional may help to resolve the complaint

 

·         If the health professional feels that they cannot do anything for the patient, the patient can make a complaint through the Trust's Complaints procedure

 

·         A request for intervention can be made to the Trust’s Caldicott Guardian (Medical Director) or IG Manager

 

·         Ultimately, the patient may not wish to make a complaint through the NHS Complaints Procedure and can take their complaint direct to the Information Commissioner.

·         Alternatively, if the patient or their representative wishes to do so, they may seek legal independent advice to pursue their complaint.

 

13.2 Employees’ Access to their Personnel Record

 

Employee personal information is governed by the DPA, and employees’ rights of access to information, privacy, dignity and confidentiality are the same as those of patients.

All appropriate guidance relating to the storage of and access to employees’ information has been developed by the Human Resources Department and is included as Appendix I.

For additional support, help, advice and guidance please contact either the Human Resources Department or the IG Manager on 01722 425119 or 01722 336262 extension 2119.

14. Compliance & Assurance

14.1 Information Governance Assessments:

 

The Information Governance assessment licence (ROCR/OR/0119/ft6/001/0) is the Information Governance Toolkit return, which enables the Trust to measure its compliance with the information handling requirements by assessing itself against the following initiatives:

  • Information Governance Management
  • Confidentiality and Data Protection Assurance
  • Information Security Assurance
  • Clinical Information Assurance
  • Secondary Uses Assurance
  • Corporate Information Assurance

The Toolkit is submitted annually at the end of March.

 

14.2 Data Protection Act 1998 Compliance

Compliance with the Data Protection Act is mandatory and the Trust will ensure that it keeps an up-to-date register of all purposes for processing personal data and makes the required notification to the Information Commissioner’s Office. The Trust’s current entry is available under Salisbury NHS Foundation Trust - Registry Details.

15. Consequences of a Breach of Policy

 

15.1 Disciplinary

 

A breach of this Policy in your use of the Trust’s information will be considered a serious disciplinary matter and will be dealt with accordingly. Examples of offences which may be considered to be gross misconduct (the list is not exhaustive) which may result in immediate dismissal are:

 

·       Unlawful disclosure of Personal Data and Sensitive Personal Data

·       Inappropriate use of Personal Data and Sensitive Personal Data

·       Accessing patient or staff personal data including medical records in the absence of a legitimate professional relationship

·       Misuse of the Personal Data and Sensitive Personal Data which results in any claim being made against the Trust

 

15.2 Criminal Offences

 

The Data Protection Act 1998 makes it an offence to “knowingly or recklessly” obtain or disclose personal data. This makes “data theft” a criminal act. The Criminal Justice and Immigration Act 2008 makes two changes to section 55 of the DPA.

The first increases the penalties for this offence; the second adds a defence for reasons of journalism. This change in the law sends a very clear signal that Data Protection must be a priority and that it is completely unacceptable to be cavalier with people’s personal information.

 

The potential financial penalty which could be awarded for a breach of the Data Protection Act is £500,000.00.

 

16. Data Protection, Confidentiality and Disclosure Caldicott Work Plan

 

The IG Department will carry out the following duties to support the Caldicott Guardian:

 

16.1 Mandatory Training

 

It is mandated through the NHS Connecting for Health IG Toolkit that all NHS employees must complete annual refresher Information Governance training. Data Protection and confidentiality form a major part of the content of the computer-based training package.

 

The Trust will ensure that training courses/presentations will support this policy.  The training will ensure general awareness of the Data Protection and Caldicott Principles with more specific training for Information Guardians and other staff groups. 

 

16.1.1 Trust Induction

 

All new staff will attend the IG Training provided at Trust Induction. All staff will be provided with dedicated Data Protection, Caldicott and Confidentiality training. All staff will be provided with a copy of the following leaflets:

 

Guidance for Staff, Volunteers and Contractors (Appendix J)

Data Protection & Caldicott Summary Leaflet (Appendix K)

Induction Course Content: 

  • Data Protection
  • Confidentiality
  • Information Security
  • Incident Reporting
  • Data Quality
  • Freedom of Information
  • Acceptable Use of Information

Trust Induction content, materials and leaflets will be reviewed a minimum of once a year, and sooner if impacting laws, processes, procedures or NHS guidance dictate otherwise.

 

16.1.2 Departmental Induction

 

Each new member of staff will be given appropriate training materials as part of their induction pack from their Departmental Manager. The information provided will be fully explained.

 

16.1.3 Monthly Information Governance: Data Protection, Confidentiality & Disclosure Training

 

The IG Department will schedule a minimum of 10 sessions throughout the year. These sessions will include group exercises, scenario-based learning and a knowledge assessment. In addition, the following topics will be included:


Course Content:

  • Data Protection
  • Staff Responsibilities: Incident Management & Investigations
  • Confidentiality
  • Handling Disclosure Requests: Section 29(3) Crime & Taxation, Child Protection, Vulnerable Adults
  • Disclosure: Armed Forces
  • Data Protection Exemptions
  • Consent to Share Information
  • Information Security
  • Incident Reporting
  • Data Quality
  • Freedom of Information

16.1.4 Information Governance Peripatetic Sessions

These sessions will be made available to departments on a request basis only. The session content will be developed and delivered to meet the specific departmental needs; training content may therefore vary depending on recent incidents, complaints and concerns raised by patients.

16.2 Confidentiality & Data Protection Awareness

 

The IG Department will promote the confidentiality, privacy and dignity of patient information to staff via the following mediums:

 

16.2.1 Articles in the following internal and external publications:

 

  • Health News Weekly
  • Inform (Informatics Newsletter)
  • In Touch (Quarterly Newsletter)
  • Recycling Newsletter (New)
  • Cascade Brief (Monthly briefing to Staff from the Trust Board)
  • Clinical Governance Newsletter (Designed by Clinicians for Clinicians)
  • CEO Weekly Message (Emailed to all staff)

16.2.2 Patient and Staff Posters and Leaflets

 

Salisbury NHS Foundation Trust will continue to promote staff and patient awareness of Data Protection and confidentiality through the continued use of credit-card-sized leaflets posted to new patients with their appointment letters, with larger copies placed in public areas accompanied by posters.

 

16.2.3 Trust Screen Savers

 

The IG Department will ensure that the positive message of Data Protection and confidentiality is cascaded to staff, via the use of Trust’s automatic screensaver system.

 

17. Monitoring Compliance of Confidentiality

 

Compliance against this policy will be monitored through compliance with Trust policies and regular confidentiality audits carried out by the Information Asset/System Administrators. Any incidents or potential concerns will be raised in the first instance with the Directorate and Departmental Managers, and in the second instance with the IG Manager or Caldicott Guardian. All potential breaches will be investigated in line with Trust Policy.

 

All audits will be carried out in accordance with the ICO Confidentiality Audit Guidance.

 

17.1 Staff knowledge

 

Staff knowledge and awareness will be audited annually using an automated questionnaire. The results will be collated to form a report to the Caldicott Guardian and the IGSG members.

 

17.2 Patient Experience

 

Patient experience will also be monitored via a personal survey managed by the IG Department.

 

This survey will also include the evaluation of promotional leaflets, posters, consent to share information, privacy and dignity, access to their medical record and information security.

 

Data from each survey will be analysed and compiled by the IG Department and reports submitted to the Caldicott Guardian and the IGSG.

 

17.3 Data Protection & Confidentiality Compliance Visits

 

The IG Department will carry out compliance visits throughout the Trust; the findings will be fed back to the departments, Directorate Managers, the Caldicott Guardian and the IG Steering Group.

 

17.4 Communication & Implementation

 

This policy is to be made available to all Trust staff and observed by all members of staff, both clinical and administrative.

To ensure that this policy is integrated appropriately within the Trust, the IG Department has developed a Policy Implementation Plan. This is included as Appendix M.

18. Review

 

This policy and associated documents will be reviewed annually by the Information Governance Department, and every three years by the Trust and Joint Boards or earlier if appropriate, to take into account any changes to legislation that may occur, and/or guidance from the Department of Health and/or the NHS Executive.

 

19. Equality Impact Assessment

Salisbury NHS Foundation Trust aims to design and implement services and policies that meet the diverse needs of its services, population and workforce, ensuring that none are placed at a disadvantage over others. This document has been assessed against the Trust’s Equality Impact Assessment Tool and has been assessed as not relevant to the duty. A copy of the completed Impact Assessment is included as Appendix L.

 

20. Appendices

Appendix   Description
A          Data Protection Definitions
B          Data Protection, Confidentiality & Information Security Declaration
C          Data Protection Principles
D          Caldicott Guardian Principles
E          Disclosure of Information to the Police, Probation or Social Services
F          Section 29(3) Data Protection Disclosure Record
G          Telephone Guidance: Outgoing Calls
H          Telephone Guidance: Incoming Calls
I          Guidance for Managers and Staff: Storage and Access to Personal Information
J          Guidance for Staff, Volunteers & Contractors
K          Data Protection & Caldicott Summary Leaflet
L          Equality Impact Assessment
M          Implementation Plan
N          Subject Access Request Advice & Guidance
O          Information Sharing Protocol

Page Last Updated: 08/05/2014 10:14 
Printed from Salisbury NHS Foundation Website http://www.salisbury.nhs.uk