SH IG 18

Data Protection & Confidentiality Policy

Version: 9

Summary: This policy provides the framework to ensure that the Trust complies with the requirements of the General Data Protection Regulations May 2018, Data Protection Act 2018; Caldicott Principles and NHS Code of Confidentiality.

Keywords: Data Protection Act; General Data Protection Regulations; Caldicott Guardian; principles; confidentiality; information governance

Target audience: All staff employed by Southern Health NHS Foundation Trust, Contractors, Volunteers, Interns, Apprentices, Governors and Non-Executive Directors who have access to confidential personal information

Date issued: July 2021

Approved & Ratified by: Information Governance Group. Date of meeting: 05/07/2021

Next review date: July 2022

Author: Lesley Barrington, Head of Information Assurance

Executive Director: Heather Mitchell, Director of Strategy & Infrastructure Transformation / SIRO / Data Protection Officer; Mayura Deshpande, Caldicott Guardian

Equality Impact Assessment (for policies only)

The Equality Impact Assessment has been completed. The assessment document is held centrally and is available by contacting [email protected]

1 SH IG 18 Data Protection & Confidentiality Policy Version 9 July 2021

Version Control

Change Record

Date | Author | Version | Section | Reason for Change
07/02/13 | Lesley Barrington | V2 | | Inclusion of reference to Impact Assessment Procedure and Template.
24/03/13 | Lesley Barrington | V2 | | Update of SIRO and Caldicott Guardian
10/12/13 | Lesley Barrington | V3 | All | Minor updates and amendments
10/12/13 | Lesley Barrington | V3 | 3.3 | Update re. Caldicott Review
10/12/13 | Lesley Barrington | V3 | 5.2 | Update re. Caldicott Review – inclusion of new principle 7 – information sharing
10/12/13 | Lesley Barrington | V3 | 5.3 | Update re. newly published HSCIC Guide to Confidentiality – inclusion of 5 rules
10/12/13 | Lesley Barrington | V3 | 11 | Updated references
July 2015 | Louise Hartland | 3 | 18 | Updated TNA (Appendix 1)
March 2016 | Lesley Barrington | 4 | 6 & 7 | Updated job titles
March 2016 | Lesley Barrington | 4 | 8 | Addition 4.9 – reference to IGG
March 2016 | Lesley Barrington | 4 | 11 | Inclusion of Health and Social Care (Safety and Quality) Act 2015
March 2016 | Lesley Barrington | 4 | 17 | Updated references and websites; included reference to IG SIRI incident reporting process
March 2016 | Lesley Barrington | 4 | App 2 | Updated Equality IA Screening Tool
Sept 2016 | Sharon France | 4 | 5.9 Paragraph 4 | Change to HRA process R&D to Log requests
Sept 2016 | Sharon France | 4 | 11 Supporting Evidence; All | Remove reference to withdrawn policy SH IG 19
February 2018 | Lesley Barrington | 5 | All | Review in light of new General Data Protection Regulation May 2018
31/01/19 | Lesley Barrington | 6 | All | Annual review – minor amendments; addition of 4.9; addition of 5.1.8 – legal basis; addition of 5.1.9 – criminal offence data
29/04/19 | Donna Woolley | 6 | 4 & 15 | Legacy name change: generic email from HP-TR. to SHFT
17/02/20 | Lesley Barrington | 7 | All | Annual review – minor amendments
16/06/20 | Lesley Barrington | 8 | 4.2 | Minor amendment – updating and clarification regarding data subject rights regarding “right to rectification” – approved by Caldicott Guardian
01/06/2021 | Lesley Barrington | 9 | All | Annual review – minor amendments: updating of generic email address from nhs.net; page 10 – inclusion of new CG principle 8
07/07/2021 | Donna Woolley | 9 | 3, 8 & 13 | Name change to secure SHFT email domain

Reviewers/contributors

Name | Position | Version Reviewed & Date
Information Governance Group Membership | | Dv02 – 09/01/2012
Information Governance Group Membership / IG Leads | | V3 – 12/12/2013
Clinical and Area Directors | | V3 – 12/12/2013
Helen McCormack | Caldicott Guardian | V3 – 13/12/2013
Jennifer Dolman | Clinical Director | V3 – 13/12/2013
Information Governance Group Membership | | V4 – 14/03/2016
Information Governance Group Membership | | V4 – 12/09/2016
Information Governance Group Membership | | V5 – Feb 2018
Information Governance Group Membership | | V6 – 11/03/2019
Information Governance Group Membership | | V7 – 17/02/2020
Mayura Deshpande | Caldicott Guardian | V8 – 16/06/2020


Data Protection & Confidentiality Policy

Information on a page

This page summarises the key information or key steps in a process to follow. This does not negate the need to be aware of and to follow the further detail provided in the document.

Data Protection and Confidentiality are legal requirements on all staff working in the Trust. The purpose of this policy is to ensure that all information held and processed by the Trust, or held and processed on its behalf by Third Parties, is handled in a safe and secure manner which complies with legislation and best practice relating to data protection and confidentiality.

The UK Data Protection Act (DPA) 2018 and General Data Protection Regulations (GDPR/DPA 18) came into force on 25th May 2018.

The key principles in the new Regulations are the same as the DPA – but some of the language has changed – i.e. instead of “schedules and conditions” there are “recitals and articles”.

Data Protection should not be seen as a barrier to processing and sharing information – as long as a defined “legal basis” has been identified and recorded.

GDPR/UK DPA 18 brings in a new “principle” of “transparency and accountability”. This means that Data Controllers (i.e. the Trust) have to ensure that Data Subjects (i.e. public; patients; staff) are aware of the processing of their personal data – and that this information is readily available to them. To achieve this, the Trust public and staff intranet websites have been updated.

As a public authority (i.e. NHS), the Trust does not rely on “consent” to process Data Subjects’ information. Refer to the Trust’s Privacy Notice, available on the Trust website: https://www.southernhealth.nhs.uk/patients-and-carers/your-information-your-rights/

However, staff should always consider gaining consent from patients when considering whether to share information (i.e. further processing) – and SH IG 46 and SH IG 48 should be reviewed. Consent to share information should be recorded on the appropriate clinical record keeping system and/or paper as appropriate.

All staff must complete annual Information Governance Training – which covers Data Protection and Confidentiality. See SH IG 17 Information Governance Policy.

Staff must respect a Data Subject’s right to confidentiality and must not access patient or staff information on any system (electronic or paper) that relates to family (including spouses; children; parents etc.) or friends, even if it is considered to be within their role in the organisation. Failure to comply could result in disciplinary action.

If staff require advice or support on any Data Protection or Confidentiality matter, they should contact the Information Assurance Team: [email protected] in the first instance, who may escalate the issue to either the Data Protection Officer or Caldicott Guardian.


Contents

Section | Title | Page
1. Introduction 5
2. Scope 6
3. Duties and responsibilities 6
4. Main content 7
4.1 GDPR Article 5 – principles 8
4.2 GDPR – data subjects’ rights 9
4.3 Privacy Notice 9
4.4 Lawful/legal basis 9
4.5 Caldicott Principles 9
4.6 Confidentiality: NHS Code of Practice 10
4.7 Patient confidentiality 11
4.8 Staff confidentiality 12
4.9 Exemptions to confidentiality 12
4.10 Disclosing information against subject’s wishes 12
4.11 Non-disclosure 13
4.12 Personal identifiable data in Medical Research 13
4.13 Data Protection Impact Assessment 13
5. Training requirements 14
6. Monitoring compliance 14
7. Document review 14
8. Associated Trust documents 14
9. Supporting references 14
10. Definitions 15

Appendices
1. GDPR/UK DPA 18 Processing – legal framework 16


Data Protection & Confidentiality Policy

1. Introduction

This document describes Southern Health NHS Foundation Trust (the Trust) policy on Data Protection (General Data Protection Regulations 2018/UK Data Protection Act 2018); NHS Code of Confidentiality and Caldicott requirements, and employees’ responsibilities for the safeguarding of confidential information held both manually (non-computer in a structured filing system) and electronically.

The Trust holds and manages a great deal of personal and confidential information relating to patients, service users and carers, the public and employees of the NHS.

Data protection laws exist to strike a balance between the rights of individuals to privacy and the ability of organisations to use data for legitimate business purposes.

The General Data Protection Regulation and UK Data Protection Act 2018 came into force on 25th May 2018 and replace the previous Act, which came into force on 1st March 2000. The Regulation/DPA is concerned with "personal and sensitive data" about living, identifiable individuals which is "automatically processed or manually stored as part of a relevant filing system or accessible record”. It need not be particularly sensitive information; indeed it can be as little as a name and address.

The Regulation/DPA is divided into “Recitals” and “Articles” and works in two ways, giving individuals certain rights whilst placing certain responsibilities on those who record and use personal information. The Regulation incorporates the following principles, which are binding for all organisations processing data:

Article 5 Principles relating to processing of personal data

Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency');

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes ('purpose limitation');

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation');

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy');

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ('storage limitation');


(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').

ALL STAFF HAVE A LEGAL DUTY TO PROTECT THE PRIVACY OF INFORMATION ABOUT INDIVIDUALS

2. Scope

This policy covers all identifiable information created, processed and stored on living individuals, patients or staff. Throughout this document the term “patient” is used to refer to an individual who is receiving a service from the Trust, and this term includes those people who are also known as “Service Users”, and “Clients”. Similarly the terms “clinician” and “health professional” are used, but should be interpreted as encompassing social care staff and NHS practitioners.

3. Duties and responsibilities

The Trust has established a structure to deliver information governance, to meet the requirements of data protection and confidentiality.

3.1 The Chief Executive has a duty to ensure that:
• staff are aware of the need to comply with the GDPR/UK DPA 18, in particular with the rights of patients wishing to access personal information and/or their health records.
• staff are aware of the requirements of the common law duty of confidence as set out in Confidentiality: NHS Code of Practice.
• arrangements with third parties who process personal data on behalf of the Trust are subject to a written contract which stipulates appropriate security and confidentiality.

3.2 The Trust’s Caldicott Guardian is the Deputy Medical Director. The Caldicott Guardian is responsible for agreeing and reviewing protocols for governing the transfer and disclosure of personal confidential data across the Trust and supporting agencies. To assist with the volume and diversity of this task the Caldicott Guardian is supported by the Head of Information Assurance.

3.3 The Senior Information Risk Owner (SIRO) has ultimate responsibility for the management and mitigation of risks associated with the Trust’s information management processes. This responsibility is formally delegated from the Chief Executive via a letter of delegation. The SIRO shall:
• Be accountable for the management and protection of all Information Assets
• Take overall ownership of the Information Risk Management Policy
• Provide a focal point for managing information risks and incidents
• Lead on Business Continuity in the context of Information Risk
• Act as champion for Information Risk on the Board
• Advise the Board on the effectiveness of Information Risk Management
• Ensure that Information Risk Assessments and management processes are embedded
• Lead and foster a culture for protecting and using information and data
• Lead communications on Information Governance and Security throughout the organisation
• Chair the Information Governance Group (IGG).

3.4 The Data Protection Officer has overall responsibility for managing and effectively implementing all activities necessary to achieve compliance with the GDPR/UK DPA 18 throughout the Trust:
• To inform and advise the organisation and its employees about their obligations to comply with the GDPR/DPA 18 and other data protection laws
• To monitor compliance with the GDPR/UK DPA 18 and other data protection laws, including managing internal data protection activities; advise on data protection impact assessments; train staff and conduct internal audits
• To be the first point of contact for supervisory authorities and for individuals whose data is processed (patients/staff) [delegated to the Head of Information Assurance]

3.5 The Head of Information Assurance’s main responsibilities are to:
• Facilitate all the data protection and Caldicott functions within the Trust to support the above
• Advise and update the Trust in relation to directives/guidance from the Information Commissioner and the Department of Health; NHS England; NHS Digital
• Maintain an up to date Notification under the GDPR/UK DPA 18 with the regulatory body (Information Commissioner’s Office)
• Via the Information Governance Framework – ensure that the Caldicott Guardian, Data Protection Officer and Senior Information Risk Owner (SIRO) are informed of relevant issues and that decisions are recorded

3.6 Senior Operational/Clinical/Service Managers are responsible for ensuring compliance with policies and that staff attend and pass the annual mandatory IG training, and breaches and issues raised by staff are acted upon. Managers are also responsible for ensuring that Information Asset Owners and Administrators are appointed (see SH IG 17).

3.7 The Information Governance Group is chaired by the SIRO/Data Protection Officer and is the forum responsible for ensuring that the Trust complies with the GDPR/UK DPA 18. It meets bi-monthly – and reports to the Audit Assurance & Risk Committee, which reports to Trust Board. [See SH IG 17 Information Governance Policy for detail.]

3.8 All staff have the responsibility of ensuring that patients are informed about the Trust Privacy Notice – which details information processing and rights. This should be done at a time appropriate to the patient, taking into account their health and well-being at the time.

4. Main content

The General Data Protection Regulations/UK DPA 2018: Principles and Practices to ensure compliance:

4.1 GDPR Article 5: Data Protection Principles:
1. Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject [lawfulness, fairness and transparency]
2. Personal data shall be collected only for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes [purpose limitation]
3. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed [data minimisation]
4. Personal data processed shall be accurate and, where necessary, kept up to date [accuracy]
5. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed [storage limitation]
6. Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures [integrity and confidentiality]

4.2 Under the GDPR/UK DPA 18, data subjects have certain rights, which must be upheld:

• Be informed – through privacy notices (see below) and Data Protection Impact Assessments

• GDPR Article 13 – Right of Access – via Subject Access Requests [Refer to SH IG 12 Access to Personal Records Procedure]

• GDPR Article 16 – Rectification – to have inaccuracies corrected. However, it should be noted that diagnosis and clinical opinion is a matter of clinical judgement and cannot be changed solely at the patient’s request. [Refer to SH IG 07 Amending Inaccuracies Procedure]

• GDPR Article 17 – Right to Erasure – to have information erased (right to be forgotten). This right is not absolute and only applies in certain circumstances. The right to erasure does not apply to NHS organisations as the legal basis for processing is “public task” – i.e. carried out in the public interest or in the exercise of official authority.

• GDPR Article 21 – Object to processing. Article 21 of the GDPR gives individuals the right to object to the processing of their personal data at any time. This effectively allows individuals to stop or prevent an organisation from processing their personal data. An objection may be in relation to all of the personal data an organisation holds about an individual or only to certain information. It may also only relate to a particular purpose the organisation is processing the data for.

The right to object only applies in certain circumstances. Whether it applies depends on the purposes for processing and the organisation’s lawful basis for processing. From the Trust’s perspective, individuals can object as the Trust is processing information under the legal basis of “public task”.

However, even in these circumstances this is not an absolute right, and the Trust can refuse to comply if:
• The Trust can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual (which in this case may include a clinical risk assessment of the individual’s circumstances)
• or the processing is for the establishment, exercise or defence of legal claims.

In these circumstances, if the individual is objecting to having clinical information kept in an electronic format, (i.e. in RiO) then this should be raised with the Records Team via email: [email protected] who will support the team to manage the process. Ultimately, it is the decision of the Caldicott Guardian whether the objection is to be upheld or refused, depending on the clinical circumstances.

• Prevent automated decision-making and profiling


• Data portability – have information provided in electronic format, and not hinder the data subject's transmission of personal data to a new data controller

• Consent to process – silence, pre-ticked boxes or inactivity does not constitute consent to process

4.3 Privacy Notice
GDPR requires data controllers to provide certain information to people whose data they hold and use; this is known as a Privacy Notice (PN). The Trust publishes its Privacy Notice on the Trust Public Website: https://www.southernhealth.nhs.uk/patients-and-carers/your-information-your-rights/

4.4 Lawful/legal basis for processing

GDPR/DPA 18 requires that all organisations identify the legal basis for any processing (i.e. collecting, using, storing etc.) of personal or special category information relating to data subjects (patients and staff).

As a publicly funded body, the legal basis for processing this information is GDPR Article 6 1(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Special Categories of personal data - Racial or ethnic origin; political opinions; religious or philosophical beliefs; trade-union membership; processing of genetic data; biometric data (for the purpose of uniquely identifying a natural person); data concerning health; data concerning a natural person’s sex life or sexual orientation:

Article 9 2(h) - Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional

For more information relating to lawful basis – refer to Appendix 1.

4.5 Caldicott Principles for handling personal confidential data:

1. Justify the purpose(s)
Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined and scrutinised, with continuing uses regularly reviewed, by an appropriate Guardian.

2. Don't use personal confidential data unless it is absolutely necessary
Personal confidential data items should not be included unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).

3. Use the minimum necessary personal confidential data
Where the use of personal confidential data is considered to be essential, the inclusion of each individual item of information should be considered and justified so that the minimum amount of identifiable information is transferred or accessible as is necessary for a given function to be carried out.


4. Access to personal confidential data should be on a strict need-to-know basis
Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the data items that they need to see. This may mean introducing access controls or splitting data flows where one information flow is used for several purposes. Health care organisations should be aware of the research conducted within the organisation, and should ensure research teams are accountable to them (from MRC Executive Summary – Personal Information in Medical Research).

5. Everyone with access to personal confidential data should be aware of their responsibilities
The organisation must ensure that those handling personal confidential data, both clinical and non-clinical staff, are made fully aware of their responsibilities and obligations to respect patient confidentiality.

6. Understand and comply with the law
Every use of personal confidential data must be lawful. The Caldicott Guardian, Director of Health Technology and Outcomes, is responsible for ensuring that the organisation complies with legal requirements.

7. The duty to share information can be as important as the duty to protect patient confidentiality
Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

8. Inform patients and service users about how their confidential information is used
A range of steps should be taken to ensure no surprises for patients and service users, so they can have clear expectations about how and why their confidential information is used, and what choices they have about this. These steps will vary depending on the use: as a minimum, this should include providing accessible, relevant and appropriate information – in some cases, greater engagement will be required. See the Trust Privacy Notice: https://www.southernhealth.nhs.uk/patients-and-carers/privacy-notice/

The Health and Social Care (Safety and Quality) Act 2015 includes a legal duty requiring health and adult social care bodies to share information where this will facilitate care for an individual. [Refer to SH IG 46 Information Sharing Policy for details]

4.6 The 'Confidentiality: NHS Code of Practice' https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/200146/Confidentiality_-_NHS_Code_of_Practice.pdf was published by the Department of Health following major consultation in 2002/2003. The consultation included patients, carers and citizens; the NHS; other health care providers; professional bodies and regulators. The guidance was drafted and delivered by a working group made up of key representatives from these areas. The Code of Practice is a guide to required practice for those who work within or under contract to NHS organisations concerning confidentiality and patients’ consent to the use of their health records. This document uses the term ‘staff’ as a convenience to refer to all those to whom this code of practice should apply. Whilst directed at NHS staff, the Code is also relevant to anyone working in and around health services. This includes local authority staff working in integrated teams and private and voluntary sector staff.

This document:
a. introduces the concept of confidentiality;
b. describes what a confidential service should look like;
c. provides a high level description of the main legal requirements;
d. recommends a generic decision support tool for sharing/disclosing information;
e. lists examples of particular information disclosure scenarios.

Also available is the Supplementary Guidance: Public Interest Disclosures – published in November 2010 – which provides guidance to NHS staff in making what are often difficult decisions on whether a breach of patient confidentiality can be justified in the public interest.

Following the publication of the Caldicott Review in March 2013, the Health & Social Care Information Centre published “A guide to confidentiality in health and social care” which identified five rules for treating confidential information with respect:

Rule 1: Confidential information about service users or patients should be treated confidentially and respectfully

Rule 2: Members of a care team should share confidential information when it is needed for the safe and effective care of an individual

Rule 3: Information that is shared for the benefit of the community should be anonymised

Rule 4: An individual’s right to object to the sharing of confidential information about them should be respected

Rule 5: Organisations should put policies, procedures and systems in place to ensure the confidentiality rules are followed

The full version is available here: https://www.gov.uk/government/publications/the-information-governance-review

4.7 Patient Confidentiality
Health information is collected from patients in confidence and attracts a common law duty of confidence until it has been effectively anonymised. This legal duty prohibits information use and disclosure without consent – effectively providing individuals with a degree of control over who sees information they provide in confidence. This duty can only be overridden if there is a statutory requirement, a court order, or if there is a robust public interest justification.

On admission and/or on first contact with the service for a particular matter, all patients should be asked which relatives, friends or carers they wish to receive information regarding treatment and progress, and those they specifically do not give permission to receive information. This information must be recorded in the clinical records – i.e. electronic patient systems, or in the paper records.

In cases where relatives have been heavily involved in patient care, the patient must be explicitly asked as to what level these relatives can be kept informed. This is particularly important in cases where relatives are requesting information on the patient’s condition, perhaps before the patient has been informed.

For further guidance – refer to SH IG 46 Information Sharing Policy and SH IG 48 Information Sharing – Staff Guidance.

As a research-active organisation, staff might screen patients’ records to identify any potential research participants, with the Consultant’s permission. Patients may also be approached by staff regarding participation in a particular research study in order to obtain consent.


In the event of the patient being unable to give permission the Mental Capacity Act 2005 must be followed. Staff should refer to the Mental Capacity Act Policy and procedures for detail.

In all cases, the wishes expressed must be appropriately documented in the patient’s clinical records.

4.8 Staff Confidentiality
All staff are required to keep confidential any information regarding patients and staff, only informing those that have a need to know. In particular, telephone conversations and electronic communications should be conducted in a confidential manner.

Confidential information must not be disclosed to unauthorised parties without prior discussion and confirmation with a senior manager in the Trust. Staff must not process any personal information in contravention of the GDPR/UK DPA 18.

Staff must not access patient or staff information on any system (electronic or paper) that relates to family (including spouses; children; parents etc.) or friends, even if it is considered to be within their role in the organisation.

Any breaches of these requirements will potentially be regarded as serious misconduct and as such may result in disciplinary action.

All staff have a confidentiality clause in their contract of employment. The Trust has an approved Data Protection and Confidentiality clause in all contracts with 3rd party contractors and suppliers who process personal information.

4.9 Exemptions to confidentiality
In certain circumstances personal information may be disclosed, and guidance is given below. However, it is vital in each case that staff make an assessment of the need to disclose the information and document to whom the information has been released and for what reason. If they are in any doubt, they should seek advice from their Team Manager/Senior Clinician or the Caldicott Guardian.

4.10 Disclosing Information against the Subject's wishes
The responsibility to withhold or disclose information without the data subject's consent lies with the senior manager or senior clinician involved at the time and cannot be delegated.

Circumstances where the subject's right to confidentiality may be overridden are rare. Examples of these situations are:

• Where the subject's life may be in danger, or cases in which s/he may not be capable of forming an appropriate decision
• Where there is serious danger to other people, where the rights of others may supersede those of the subject, for example a risk to children or the serious misuse of drugs
• Where there is a serious threat to the healthcare professional or other staff
• Where there is a serious threat to the community
• In other exceptional circumstances, based on professional consideration and consultation.

The following are examples where disclosure without consent is required:

• Births and deaths - National Health Service Act 1977
• Notifiable communicable diseases - Public Health (Control of Diseases) Act 1984
• Poisonings and serious accidents at the work place - Health & Safety at Work Act 1974
• Terminations - Abortion Regulations 1991
• Child abuse - Children Act 1989 and The Protection of Children Act 1999
• Drug Addicts - Drugs (Notification of Supply to Addicts) Regulations 1973
• Road traffic accidents - Road Traffic Act 1988
• Prevention/detection of a serious crime e.g. terrorism, murder - The Crime and Disorder Act 1998

If in doubt, staff should seek guidance, in confidence, from the senior Clinician or the appropriate Senior Manager or the Information Governance Manager or the Caldicott Guardian.

The Trust will support any member of staff who, having exercised careful consideration and professional judgement and sought guidance from their manager, can satisfactorily justify, and has documented, a decision to disclose or withhold information against a patient's wishes.

4.11 Non-Disclosure of personal information contained in a health record

An individual requesting access to their health records may be refused access to parts of the information if an appropriate clinician deems exposure to that information could cause physical or mental harm to the data subject or a third party. Clinicians should be prepared to justify their reasons in a court of law if necessary. In all cases reasons for non-disclosure must be documented.

Where access would disclose information relating to or provided by a third party, consent for release must be sought from the third party concerned, unless that third party is a health professional who had provided the information as part of their duty of care. Where the third party does not consent, the information may be disclosed provided the identity of the third party is not revealed. The Information Commissioner’s Code of Practice suggests that this might be done by omitting names and identifying particulars from the records. Care should be taken to ensure that the information, if released, is genuinely anonymous.

Further guidance is available from SH IG 12 Access to Personal Records Procedure and the Records Team – email: [email protected]

The Information Commissioner’s Guide provides guidance on issues of law concerning the right of access to personal data: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/

4.12 Personal Identifiable Data in Medical Research

All project based research within the Trust must comply with the Data Protection & Caldicott Guardian Principles as set out within this Policy, be registered by the Research and Development Department and undergo review through the NHS Health Research Authority (HRA) approval process to provide assurance to our Trust, our patients and the public that all research meets the necessary legal and compliance standards.

4.13 Data Protection Impact Assessment Procedure and Template

All projects and processes that involve processing personal information or intrusive technologies give rise to privacy issues and concerns. To enable the Trust to address the privacy concerns and risks, the GDPR/UK DPA 18 requires a Data Protection Impact Assessment (DPIA) to be completed and signed off by the Data Protection Officer and/or the Information Governance Group. [Refer to SH IG 29 Privacy Impact Assessment Procedure and Template for details.]

5. Training requirements

All staff are required to complete the annual mandatory Information Governance Training, which includes modules on data protection and confidentiality. Monthly reports will be provided to operational managers to ensure compliance, and this will be monitored via the Division Specific Performance Review process and the Information Governance Group.

6. Monitoring Compliance

Element to be monitored: Data Security & Protection Toolkit (DSPT)
Lead: Head of Information Assurance
Tool: NHS Digital DSPT
Frequency: October and March – annually
Reporting arrangements: Via the Information Governance Group

7. Document review

The document will be reviewed annually, or sooner if changes in legislation occur or new best practice evidence becomes available.

8. Associated trust documents

• SH IG 12 Access to Personal/Clinical Records Procedure
• SH IG 29 Privacy Impact Assessment Procedure and Template
• SH IG 46 Information Sharing Policy & Guidance
• SH IG 07 Amending Inaccuracies in Records Procedure
• SH IG 62 Information Governance Incident Reporting Procedure
• SH HR 06 Disclosure and Barring Service (DBS) and Employment Checks Policy
• SH IG 13 Information Lifecycle Policy

9. Supporting references

• The Caldicott Manual – NHS Executive http://www.nationalhealthexecutive.com/
• UK Information Commissioner's Office website https://ico.org.uk/ for General Data Protection Regulations 2018
  o Medical Research Council - Personal Information in Medical Research (Executive Summary)
  o Information: To share or not to share? The Information Governance Review (known as the Caldicott 2 Review); Department of Health; March 2013
• Information: To Share or not to Share – Government Response to the Caldicott Review; Department of Health; September 2013 https://www.gov.uk/government/organisations/department-of-health
• NHS Code of Confidentiality https://digital.nhs.uk/search?q=confidentiality&s=s
• A guide to confidentiality in health and social care – treating confidential information with respect; Health & Social Care Information Centre; V1.1 September 2013 https://digital.nhs.uk/search?q=confidentiality&s=s
• Health Research Authority: http://www.hra.nhs.uk/about-the-hra/our-plans-and-projects/assessment-approval/
• Confidentiality, Privacy and Data Protection e-learning resource available: https://www.hra.nhs.uk/planning-and-improving-research/learning/e-learning/
• Southern Health Research and Development website: http://www.southernhealth.nhs.uk/research/

10. Definitions

• The General Data Protection Regulation (GDPR/UK DPA 18) May 2018 and UK Data Protection Act 2018 provide controls on the handling of personal identifiable information for all living individuals. Central to the Act is compliance with the principles (above), designed to protect the rights of individuals about whom personal data is processed, whether in an electronic or a paper record.

• The Access to Health Records Act 1990 provides controls on the management and disclosure of health records for deceased patients. Thus the personal representative of the deceased, or a person who might have a claim arising from the patient’s death, can apply to request access to the files.

• The Caldicott Report 1997 provides guidance to the NHS on the use and protection of personal confidential data/information, and emphasises the need for controls over the availability of such information and access to it. It makes a series of recommendations which led to the requirement for all NHS organisations to appoint a Caldicott Guardian who is responsible for compliance with the 6 (original) Caldicott confidentiality principles.

A review of the Caldicott Principles took place during 2012, chaired by Dame Fiona Caldicott. The report “The Information Governance Review – To share or not to share” was published in April 2013 and included an added Principle. The recommendations from the report were ratified by the Government in September 2013. See sections 5.2 and 5.3 for detail.

• The Common Law Duty of Confidentiality prohibits the use and disclosure of information provided in confidence, unless there is a statutory requirement or court order to do so. Such information may be disclosed only for purposes that the data subject has been informed about and has consented to, provided also that there are no statutory restrictions on disclosure. This duty is not absolute, but should only be overridden if the holder of the information can justify disclosure as being in the public interest, for example, to protect the vital interests of the data subject or another person, or for the prevention or detection of a serious crime.

• The NHS Code of Confidentiality (2003) provides the standards and framework that all staff working within the NHS must adhere to (see below).

Appendix 1: GDPR/UK DPA 18 Processing – legal basis

• Personal data – any information relating to an identifiable person who can be directly or indirectly identified – name, identification number, location data or online identifier
  o Personal data that has been pseudonymised can fall within the scope depending on how difficult it is to attribute the pseudonym to an individual

Lawfulness of processing personal data – Article 6

6; 1 a processing is lawful if the data subject has given consent to the processing of his or her personal data for one or more specific purposes

6; 1 b processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

6; 1 c processing is necessary for compliance with a legal obligation to which the data controller is subject

6; 1 d processing is necessary in order to protect the vital interests of the data subject or of another natural person

6; 1 e processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller *see below for detail of legal obligations

6; 1 f processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child

*6; 1-e – legal obligations

• Health and Social Care (Quality & Safety) Act 2015
• Health & Social Care Act 2012
• Care Act 2014
• The Children Act 1989
• The Children Act 2004
• Childcare Act 2006
• Children (Leaving Care) Act 2000
• Children and Families Act 2014
• National Health Service Act 1977
• National Health Service Act 2006
• Education Act 2002
• Special Education Needs and Disability Regulations 2014
• Localism Act 2011
• Immigration and Asylum Act 1999
• Crime and Disorder Act 1998

[*See table at the end for the detail of the relevant sections of the above legislation]

Sensitive data – “special categories of personal data” Article 9 – Processing of special categories of personal data


1. Racial or ethnic origin; political opinions; religious or philosophical beliefs; trade-union membership; processing of genetic data; biometric data (for the purpose of uniquely identifying a natural person); data concerning health; data concerning a natural person’s sex life or sexual orientation – SHALL BE PROHIBITED ***[see below]

2. Paragraph 1 shall NOT APPLY if one of the following applies:

2 (a) The data subject has given EXPLICIT consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject

2 (b) Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject

2 (c) Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent [Capacity Act would apply – or if the person is at risk i.e. Mental Health Act Assessment]

2 (d) Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects

2 (e) Processing relates to personal data which are manifestly made public by the data subject

2 (f) Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.

2 (g) Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject

2 (h) Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3

Paragraph 3: Personal data referred to in para 1 may be processed for the purposes referred to in point (h) of para 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies

2 (i) Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy; or

2 (j) Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject

*Legislation table

Legislation: Health and Social Care (Quality & Safety) Act 2015
Legal gateway: Section 3(1),(2)(a)(b): (1) This section applies in relation to information about an individual that is held by a relevant health or adult social care commissioner or provider (“the relevant person”). (2) The relevant person must ensure that the information is disclosed to (a) persons working for the relevant person, and (b) any other relevant health or adult social care commissioner or provider with whom the relevant person communicates about the individual.
Organisation: All

Legislation: Health & Social Care Act 2012
Legal gateway: Part 5 – contains guidance about specific duties of co-operation, including creating a Health and Wellbeing Board, which must, for the purpose of advancing the health and wellbeing of the people in its area, encourage persons who arrange for the provision of any health or social care services in that area to work in an integrated manner.
Organisation: All

Legislation: Care Act 2014
Legal gateway: Section 1 – (1) The general duty of a local authority, in exercising a function under this Part in the case of an individual, is to promote that individual’s well-being. Well-being in this Part includes: (b) physical and mental health and emotional well-being; (c) protection from abuse and neglect; (f) social and economic well-being.
Organisation: Local authorities

Legislation: Care Act 2014
Legal gateway: Section 3 – Local authorities must exercise their functions under this Part with a view to ensuring the integration of care and support provision with health provision and health-related provision where it considers that this would— (a) promote the well-being of adults in its area with needs for care and support and the well-being of carers in its area, (b) contribute to the prevention or delay of the development by adults in its area of needs for care and support or the development by carers in its area of needs for support, or (c) improve the quality of care and support for adults, and of support for carers, provided in its area (including the outcomes that are achieved from such provision).
Organisation: Local authorities

Legislation: The Children Act 1989
Legal gateway: Section 47(9)(11): Where a local authority are conducting enquiries under this section, it shall be the duty of any person mentioned in subsection (11) to assist them with those enquiries (in particular by providing relevant information and advice). The persons are— (a) any local authority; (d) any Local Health Board, Special Health Authority, Primary Care Trust, National Health Service trust or NHS foundation trust; and (e) any person authorised by the Secretary of State for the purposes of this section.
Organisation: All

Legislation: The Children Act 1989
Legal gateway: A local authority may also request help from those listed above in connection with its functions under Part 3 of the Act. Part 3 of the Act, which comprises sections 17-30, allows for local authorities to provide various types of support for children and families.
Organisation: Local authorities

Legislation: The Children Act 2004
Legal gateway: Section 10 – Co-operation to improve well-being. (2) The arrangements are to be made with a view to improving the well-being of children in the local authority’s area so far as relating to— (a) physical and mental health and emotional well-being; (b) protection from harm and neglect; (e) social and economic well-being. (4) For the purposes of this section each of the following is a relevant partner: district councils; the police; the probation service; youth offending teams (YOTs); Health and Wellbeing Board; any clinical commissioning group for an area any part of which falls within the area of the authority.
Organisation: Local authorities; CCGs

Legislation: The Children Act 2004
Legal gateway: Section 11 – Arrangements to safeguard and promote welfare. The section applies to (a) a local authority in England; (b) a district council which is not such an authority; (c) a Strategic Health Authority; (d) a Special Health Authority, so far as exercising functions in relation to England, designated by order made by the Secretary of State for the purposes of this section; (e) a Primary Care Trust; (f) an NHS trust all or most of whose hospitals, establishments and facilities are situated in England; (g) an NHS foundation trust.
Organisation: All

Legislation: Childcare Act 2006
Legal gateway: Section 1 - General duties of local authority in relation to well-being of young children. (1) An English local authority must— (a) improve the well-being of young children in their area, and (2) In this Act “well-being”, in relation to children, means their well-being so far as relating to— (a) physical and mental health and emotional well-being; (b) protection from harm and neglect; (e) social and economic well-being.
Organisation: Local authorities

Legislation: Children (Leaving Care) Act 2000
Legal gateway: The main purpose of the Act is to help young people who have been looked after by a local authority move from care into living independently in as stable a fashion as possible. To do this it amends the Children Act 1989 (c.41) to place a duty on local authorities to assess and meet need. The responsible local authority is under a duty to assess and meet the care and support needs of eligible and relevant children and young people and to assist former relevant children, in particular in respect of their employment, education and training. Sharing information with other agencies will enable the local authority to fulfil the statutory duty to provide after care services to young people leaving public care.
Organisation: Local authorities

Legislation: Children and Families Act 2014
Legal gateway: Section 23 - places a duty on health bodies to bring certain children to the local authority’s attention, where the health body has formed the opinion that the child has (or probably has) special educational needs or a disability.
Organisation: All

Legislation: Children and Families Act 2014
Legal gateway: Section 25 - places a duty on a local authority to exercise its functions with a view to ensuring the integration of educational provision and training provision with health care and social care provision where it thinks that this would – (a) promote the well-being of children or young people in its area who have special education needs or a disability, or (b) improve the quality of special educational provision in its area or outside its area for children it is responsible for who have special educational needs.
Organisation: Local authorities

Legislation: National Health Service Act 1977
Legal gateway: Section 22 - Co-operation between health authorities and local authorities. (1) In exercising their respective functions NHS bodies (on the one hand) and local authorities (on the other) shall co-operate with one another in order to secure and advance the health and welfare of the people of England and Wales.
Organisation: All

Legislation: National Health Service Act 2006
Legal gateway: Section 82 – Places a duty on NHS bodies and local authorities to co-operate with one another in order to secure and advance the health and welfare of the people of England and Wales.
Organisation: All

Legislation: Education Act 2002
Legal gateway: The duty laid out in section 11 of the Children Act 2004 mirrors the duty imposed by section 175 of the Education Act 2002 on LEAs and the governing bodies of both maintained schools and further education institutions. This duty is to make arrangements to carry out their functions with a view to safeguarding and promoting the welfare of children and follow the guidance in Safeguarding Children in Education (DfES 2004). The guidance applies to proprietors of independent schools by virtue of section 157 of the Education Act 2002 and the Education (Independent Schools Standards) Regulations 2003. Section 21 of the Act, as amended by section 38 of the Education and Inspections Act 2006, places a duty on the governing body of a maintained school to promote the well-being of pupils at the school. Well-being in this section is defined with reference to section 10 of the Children Act 2004 (see paragraph 5.5 above). The Act adds that this duty has to be considered with regard to any relevant children and young person’s plan. This duty extends the responsibility of the governing body and maintained schools beyond that of educational achievement and highlights the role of a school in all aspects of the child’s life. Involvement of other services may be required in order to fulfil this duty, so there may be an implied power to work collaboratively and share information for this purpose.
Organisation: All

Legislation: Special Education Needs and Disability Regulations 2014
Legal gateway: Section 6 states that, where the local authority secures an EHC needs assessment for a child or young person, it must seek advice and information in relation to educational, medical and psychological needs, and advice and information relating to social care, from the named authorities. The Regulations also require the local authority to seek advice and information from any other person the local authority thinks is appropriate. Section 7 states: “When securing an EHC needs assessment a local authority must consult (a) the child and the child’s parent, or the young person and take into account their views, wishes and feelings” and (d) “engage the child and the child’s parent, or the young person and ensure they are able to participate in decisions.”
Organisation: All

Legislation: Localism Act 2011
Legal gateway: Section 1 - This has repealed the wellbeing powers of the Local Government Act 2000 (but not for Welsh Authorities). The general power of competence is a new power available to local authorities in England that will allow them to do “anything that individuals generally may do”.
Organisation: Local authorities

Legislation: Immigration and Asylum Act 1999
Legal gateway: Section 20 - provides for a range of information sharing for the purposes of the Secretary of State: to undertake the administration of immigration controls to detect or prevent criminal offences under the Immigration Act; to undertake the provision of support for asylum seekers and their dependents.
Organisation: All

Legislation: Crime and Disorder Act 1998
Legal gateway: Section 17 - Duty to consider crime and disorder implications. (1) Without prejudice to any other obligation imposed on it, it shall be the duty of each authority to which this section applies to exercise its various functions with due regard to the likely effect of the exercise of those functions on, and the need to do all that it reasonably can to prevent, crime and disorder in its area. (2) This section applies to a local authority, a joint authority, [F1 the London Fire and Emergency Planning Authority,] a police authority, a National Park authority and the Broads Authority.
Organisation: Local authorities

UK Data Protection Act 2018 - processing

Schedule 1: Special Categories of personal data and criminal convictions etc.
Part 1: Conditions relating to employment, health and research etc.

Schedule 1; Part 1; 1 1(a): Employment - the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection

Schedule 1; Part 1; 2 (1) Health or social care purposes

2 (1) This purpose is met if the processing is necessary for health or social care purposes.

2 (2) In this paragraph "health or social care purposes" means the purposes of:
(a) preventive or occupational medicine
(b) the assessment of the working capacity of an employee
(c) medical diagnosis
(d) the provision of health care or treatment
(e) the provision of social care, or
(f) the management of health care systems or services or social care systems or services