DATA PROTECTION POLICY

Version: 7

Name of responsible (ratifying) committee: Information Governance Steering Group

Date ratified: 10th September 2014

Document Manager (job title): Information Governance Manager

Date issued: 3rd October 2014

Review date: 2nd October 2016

Electronic location: Management Policies

Related Procedural Documents: Trust Staff Code of Practice on Confidentiality, ICT Security Policy, Safe Haven Policy, E-mail Usage Policy, Information Governance Policy, Information Risk Policy

Key Words (to aid with searching): Confidentiality, Information Security, Data Protection, Information Sharing, Encryption

Version Tracking
Version: 7.0 | Date Ratified: 10 Sep. 2014 | Brief Summary of Changes: Update to training requirements and compliance monitoring | Author: IG Manager

Data Protection Policy: Issue Number 7, Issue Date 03/10/2014 (Review date: 02/10/2016, unless requirements change)

CONTENTS

QUICK REFERENCE GUIDE
1. INTRODUCTION
2. PURPOSE
3. SCOPE
4. DEFINITIONS
5. DUTIES AND RESPONSIBILITIES
6. PROCESS
7. TRAINING REQUIREMENTS
8. REFERENCES AND ASSOCIATED DOCUMENTATION
9. MONITORING COMPLIANCE WITH, AND THE EFFECTIVENESS OF, PROCEDURAL DOCUMENTS
10. APPENDICES

QUICK REFERENCE GUIDE

This policy must be followed in full when developing or reviewing and amending Trust procedural documents.

For quick reference, the guide below is a summary of the actions required. This does not negate the need for the document author and others involved in the process to be aware of and follow the detail of this policy. The quick reference can take the form of a list or a flow chart, if the latter would more easily explain the key issues within the body of the document.

1. The Trust has a legal duty to comply with the Data Protection Act 1998.

2. All staff members are responsible for maintaining compliance with the Data Protection Principles and for reporting non-compliance through the Trust’s incident reporting process.

3. Under a provision of the Data Protection Act an individual can request access to their personal information regardless of the media in which this information may be held / retained. The Trust has a Subject Access Procedure for dealing with such requests.

4. There is a requirement to make the general public, who use the services of the NHS, aware of why the NHS needs information about them, how this is used and to whom it may be disclosed.

5. Patients must be made aware of this requirement by the use of information leaflets, posters, statements in patient handbooks and verbally by those healthcare professionals providing care and treatment. The Trust is obliged to produce patient information leaflets and posters explaining the uses of patient information.

6. Staff contracts of employment are produced and monitored by the Trust Human Resources Department. All contracts of employment include Information Governance clauses, including information governance and data protection responsibilities.

7. A breach of the Data Protection requirements could result in a member of staff facing disciplinary action. All staff must adhere to Trust policies and procedures relating to the processing of personal information.

8. There are Acts of Parliament that govern the disclosure / sharing of person identifiable data (PID). Some make it a legal requirement to disclose whilst others state when information cannot be disclosed. The Confidentiality: NHS Code of Practice (2003) gives clear guidance on disclosure of patient information.

9. Whilst there is a public expectation of appropriate sharing of information between organisations providing health care services to them and with other organisations providing related services, the public rightly expects that their personal data will be properly protected. Information sharing protocols provide the basis for facilitating the exchange of information between organisations.

10. It is a Trust requirement that patients are told how their information is to be used before they are asked to provide it, or as soon as is possible (Confidentiality: NHS Code of Practice 2003). Specific information must be given to patients about the use of their personal information, particularly if for uses other than the provision of healthcare. The explicit consent of the patient must be obtained before information is processed for reasons other than the direct provision of healthcare e.g. used for research purposes. (Please refer to the Trust Patient Communication Strategy).

11. The use of Privacy Impact Assessments is required to help the Trust comply with Privacy by Design principles and should be considered for all new projects and proposals affecting the management of personal data.

1. INTRODUCTION

The Trust has a legal obligation to comply with all appropriate legislation in respect of data, information and information security. It also has a duty to comply with guidance issued by the Department of Health (DoH), the Information Commissioner, other advisory groups to the NHS and guidance issued by professional bodies.

All legislation relevant to an individual's right of confidence, and the ways in which that right can be achieved and maintained, is paramount to the Trust. Penalties could be imposed upon the Trust and/or Trust employees for non-compliance with relevant legislation and NHS guidance.

The Data Protection Act 1998 came into full force on 1st March 2000.

2. PURPOSE

This Data Protection Policy aims to detail how the Trust meets its legal obligations and NHS requirements concerning confidentiality and information security standards. The requirements are primarily based upon the key piece of legislation, the Data Protection Act 1998, however, other relevant legislation and appropriate guidance will be referenced.

3. SCOPE

This Policy applies to all staff within PHT and other personnel working for and on behalf of PHT, including agency staff and contractors, to ensure that the Trust meets its legal requirements under the Data Protection Act 1998.

‘In the event of an infection outbreak, flu pandemic or major incident, the Trust recognises that it may not be possible to adhere to all aspects of this document. In such circumstances, staff should take advice from their manager and all possible action must be taken to maintain ongoing patient and staff safety’

4. DEFINITIONS

Data Controller: The person or organisation (PHT) that collects personal data and decides on how to use, store or distribute that data

Data Processor: Any person or organisation (other than an employee of the data controller) that processes personal data on behalf of the data controller

Data Subject: An individual who is the subject of the personal data

Personal Data: Data that relates to a living individual that can identify the individual from this data or other information in the possession of the data controller

Sensitive Personal Data: Data that relates to a living individual that includes racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, physical or mental health condition, sex life, criminal proceedings or convictions

Right of Subject Access: 'Data Subjects' have the right to access and be given details of any information held about them that:
- consists of information relating to the physical or mental health or condition of an individual, and
- has been made by or on behalf of a health professional in connection with the care of that individual
- for Trust staff, this includes the Personnel and Occupational Health record

5. DUTIES AND RESPONSIBILITIES

The Trust has a legal duty to comply with the Data Protection Act 1998.

The Chief Executive is responsible for ensuring that the responsibility for data protection is allocated appropriately within the Trust and that the role is supported. The Trust Data Protection Officer is currently the Information Governance Manager.

The Information Governance Manager is responsible for the implementation of this policy and for ensuring that:
- All staff dealing with personal information are aware of the need for compliance with the Act and associated provisions
- All staff are also aware of the requirements of the common law duty of confidence as set out in the NHS Code of Practice on Confidentiality 2003
- The Trust is aware of the detailed provisions of the Act and secondary legislation and of any subsequent guidance issued by the Department of Health and by the Information Commissioner
- The processing of personal data within the Trust is in compliance with the Act
- Notification to the Information Commissioner of processing of personal data by the Trust is up to date
- There is a scheduled review of this policy

Information Asset Owners are responsible for understanding and addressing information governance risks relevant to the “information assets” that they own.

Managers and Information Asset Owners within the Trust are responsible for ensuring that the policy and its supporting standards and guidelines are built into local processes and that there is on-going compliance.

All staff must adhere to Trust policies and procedures relating to the processing of personal information.

All staff members are responsible for maintaining compliance with the Data Protection Principles and for reporting non-compliance through the Trust incident reporting process.

6. PROCESS

6.1. Legislation
The legislation listed below also refers to issues of security and confidentiality of personal data (a more detailed description is given in Appendix 2):
- Access to Health Records Act 1990
- Access to Medical Reports Act 1988
- Data Protection Act 1998
- Computer Misuse Act 1990
- Crime and Disorder Act 1998
- Freedom of Information Act 2000
- Health and Social Care Act 2008
- Human Rights Act 1998
- Regulation of Investigatory Powers Act 2000

6.2. NHS and related guidance
The following are the main publications referring to security and confidentiality of personal identifiable information:
- Confidentiality: NHS Code of Practice (DoH 2003)
- Caldicott 2: The Information Governance Review (2013)
- Employment Practices Code (Information Commissioner)
- Records Management: NHS Code of Practice 2006
- ISO/IEC 27001:2013

6.3. Overview of the Data Protection Act 1998
This Act applies to all person identifiable information held in manual files, computer databases, videos and other automated media, about living individuals. The Act dictates that information should only be disclosed on a need to know basis. Printouts and paper records must be treated carefully and disposed of in a secure manner, and staff must not disclose information outside their line of duty. Any unauthorised disclosure of information by a member of staff may result in disciplinary action.

The Act also requires the Trust to register the information it holds manually and on computers and other automated equipment with the Office of the Information Commissioner, identifying the purposes for holding the data, how it is used and to whom it may be disclosed. The Trust also has to comply with the principles of good practice known as the Eight Data Protection Principles (Appendix 1). Failure to register, an incorrect registration or an outdated registration are criminal offences which may lead to prosecution of the Trust. Trust notification is maintained by the Information Governance Manager, who is the Trust Data Protection Lead.

All processing of personal data required under law to be registered for data protection purposes will be registered under the Trust’s registration with the Information Commissioner and this does not need to be done individually, unless used solely for private practice.

Under a provision of the Data Protection Act an individual can request access to their personal information regardless of the media in which this information may be held / retained. The Trust has a Subject Access Procedure for dealing with such requests (please refer to the Access to Personal Records Guidance on the Trust intranet).

Please see Appendix 3 for an overview of NHS and related guidance.

6.4. Data Protection Principles

Principle 1
Personal data shall be processed fairly and lawfully, and according to certain conditions.

Fair Obtaining / Consent
There is a requirement to make the general public, who use the services of the NHS, aware of why the NHS needs information about them, how this is used and to whom it may be disclosed.

Patients
Patients must be made aware of this requirement by the use of information leaflets, posters, statements in patient handbooks and verbally by those healthcare professionals providing care and treatment. The Trust is obliged to produce patient information leaflets and posters explaining the uses of patient information. The Trust has produced a leaflet and this is available from the Information Centre. Information is obtained from patients, and used, only with their consent, which may be implied through the informing process or may need to be explicit if the information is to be used for any purpose other than direct patient care.

Staff
There should be procedures to notify staff and temporary employees of the reasons why their information is required, how it will be used and to whom it may be disclosed. This may occur during induction or be done by the line manager, and it will also be set out in the contract of employment.

Principle 2
Personal data shall be obtained for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

The key requirement of this Principle is, having declared the purpose(s) of collecting and using personal data, that personal data should not be used or disclosed for any other purpose.

Registration / Notification
All of the Trust's processing of personal information must be registered with the Information Commissioner, as part of the Trust's Notification. If the Trust fails to complete this process and keep the information up to date, it has committed a criminal offence and could face criminal prosecution. The Information Governance Manager will ensure that the full scope of Trust-wide processing of personal information is registered.

Automated decision-making
If any system makes automated decisions, this should be noted in the Registration. An automated decision is one made by automated means rather than by human judgement. The reason for noting this is that individuals have a right of access to their own personal information and, if any decision is made by automated means, those individuals have the right to know the logic used in the decision-making process. More information can be found on the Information Commissioner's Office website and in the Trust's Data Protection Subject Access Requests Procedures.

Disclosures outside the EEA
It is also necessary to identify whether any identifiable personal information is disclosed to any country outside the EEA. The Information Governance Manager must be made aware of any processing of personal data outside the EEA.

Principle 3
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

Information collected from individuals should be complete and should all be justified as being required for the purpose for which it is being requested and used.

Principle 4
Personal data shall be accurate and, where necessary, kept up to date.

Accuracy / data quality
The Trust has to ensure that all information held on any media is accurate and up to date. The accuracy of information held by electronic means can be achieved by implementing validation routines, some of which will be system specific; details of these validation processes must be provided to the system users.

Users of software will be responsible for the quality (i.e. accuracy, timeliness, completeness) of their data by carrying out their own quality assurance and participating as required in quality assurance processes.

Staff must check with patients that the information held by the Trust is kept up to date by asking patients at each appointment to validate the information held, in particular, demographic details (name, address, GP etc).

Staff information should also be checked for accuracy on a regular basis, either by the manager or by the HR department as appropriate.

Principle 5
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

Retention of Information
All records are affected by this principle, regardless of the media on which they may be held, stored or retained. The Records Management: NHS Code of Practice provides comprehensive guidance for all NHS organisations. Further guidance can be obtained through the Information Governance Manager or the Records Management policies.

Principle 6
Personal data shall be processed in accordance with the rights of data subjects under this Act.

Individuals' rights
There are seven rights under the DPA 1998.

1. The right to subject access: this allows people to find out what information is held about them on computer and within some manual records.
2. The right to prevent processing: anyone can ask a data controller not to process information relating to him or her that causes substantial unwarranted damage or distress to them or anyone else.
3. The right to prevent processing for direct marketing: anyone can ask a data controller not to process information relating to him or her for direct marketing purposes.
4. Rights in relation to automated decision-taking: individuals have a right to object to decisions made only by automatic means, i.e. where there is no human involvement.
5. The right to compensation: an individual can claim compensation from a data controller (PHT) for damage and distress caused by any breach of the Act. Compensation for distress alone can only be claimed in limited circumstances.
6. The right to rectification, blocking, erasure and destruction: individuals can apply to the court to order a data controller to rectify, block or destroy personal details if they are inaccurate or contain expressions of opinion based on inaccurate information.
7. The right to ask the Information Commissioner to assess whether the Act has been contravened: if someone believes their personal information has not been processed in accordance with the DPA, they can ask the Commissioner to make an assessment. If the Act is found to have been breached and the matter cannot be settled informally, an enforcement notice may be served on the data controller in question.

The full effect of some of these rights will only be determined through case law, as examples are taken through the Courts.

Subject Access
Individuals whose information is held within the Trust have rights of access to it (subject to certain exemptions), regardless of the media on which the information may be held. Individuals also have a right to complain if they believe that the Trust is not complying with the requirements of the Data Protection Act.

Subject Access Requests will be handled in accordance with the Trust’s Subject Access Request Procedures. The Trust must ensure an up to date procedure is in place to deal with requests for access to personal information.

The Access to Health Records Act 1990 provides access rights to the legal representatives of, or those who may have a claim from the estate of, deceased patients.

Freedom of Information Act 2000: personal data are exempt from access under this Act and requests will only be handled as above.

Compensation
Individuals have a right to seek compensation for any breach of the Act by the Trust which may cause them damage and/or distress.

Complaints
The Trust shall ensure the complaints procedures are reviewed to take account of complaints which may be received because of a breach or suspected breach of the Data Protection Act 1998.

Principle 7
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Security
All information relating to patients and staff must be kept secure at all times. The Trust has ensured there are adequate procedures in place to protect against unauthorised processing of personal information and against accidental loss, destruction of and damage to this information. Please refer to the Trust's ICT Security Policy, Email Policy and Confidentiality Code of Conduct for further information. All Trust employees and personnel working for or on behalf of the Trust, including agency staff and contractors, have an individual responsibility to maintain the security of personal information. Breaches and/or risks to information security must be highlighted using the Trust adverse event reporting system to enable appropriate actions to be taken.

Principle 8
Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

If it is necessary to send person identifiable information in a computer readable format or manual records to countries outside the EEA, it must be discussed with the Information Governance Manager and/or the Caldicott Guardian, as the levels of protection for the information may not be as comprehensive as those in the U.K. If the consent of the individual has been gained, it is normally acceptable to proceed with the request; however, it is still good practice to seek advice before sending.

6.5. Determining Personal Data
The following flow chart, set out here as a sequence of questions, can be used by staff to help assess when certain kinds of data may or may not constitute Personal Data.

1. Can a living individual be identified from the data, or from the data and other information in your possession or likely to come into your possession?
   No: the data are not 'personal data' for the purposes of the DPA.
   Yes: go to question 2.
2. Do the data 'relate to' the identifiable living individual, whether in personal or family life, business or profession?
   No: the data are not 'personal data' for the purposes of the DPA.
   Yes or Unsure: go to question 3.
3. Are the data 'obviously about' a particular individual?
   Yes: the data are 'personal data' for the purposes of the DPA.
   No: go to question 4.
4. Are the data 'linked to' an individual so that they provide particular information about that individual?
   Yes: the data are 'personal data' for the purposes of the DPA.
   No: go to question 5.
5. Are the data used, or are they to be used, to inform or influence actions or decisions affecting an identifiable individual?
   Yes: the data are 'personal data' for the purposes of the DPA.
   No: go to question 6.
6. Do the data have any biographical significance in relation to the individual?
   Yes: the data are likely to be 'personal data' for the purposes of the DPA.
   No or Unsure: go to question 7.
7. Do the data focus or concentrate on the individual as the central theme, rather than on some other person, or some object, transaction or event?
   Yes: the data are likely to be 'personal data' for the purposes of the DPA.
   No: go to question 8.
8. Do the data impact, or have the potential to impact, on an individual, whether in a personal, family, business or professional capacity?
   Yes: the data are likely to be 'personal data' for the purposes of the DPA.
   No: the data are unlikely to be 'personal data' for the purposes of the DPA.

The following list of direct identifiers (taken from the NHS Information Governance Review, April 2013) was adapted from those published as part of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The HIPAA Privacy Rule is the first comprehensive federal protection for the privacy of personal health information.

1. Names
2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, postcode, and their equivalent geographical codes, except for the initial four digits of a postcode if, according to the current publicly available data from the Office for National Statistics and/or the Information Commissioner's Office:
   a. The geographic unit formed by combining all postcodes with the same four initial digits contains more than 20,000 people
   b. The initial three digits of a postcode for all such geographic units containing 20,000 or fewer people are changed to 000
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date and date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
4. Telephone numbers
5. Facsimile numbers
6. Electronic mail addresses
7. National Insurance numbers
8. NHS number and medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/licence numbers
12. Vehicle identifiers and serial numbers, including licence plate numbers
13. Device identifiers and serial numbers
14. Web universal resource locators (URLs)
15. Internet protocol (IP) address numbers
16. Biometric identifiers, including fingerprints and voiceprints
17. Full-face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code, unless otherwise permitted by the Information Commissioner's Office
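The list above is a de-identification specification, and the easiest way to see what it demands of an extract is to apply it to a record. The following Python is an added worked example, not code from the policy or the Trust: it takes a constructed patient record (no value in it belongs to a real person), generalises dates to the year, aggregates ages over 89 into "90+" and drops the birth year for them (item 3), applies one reading of the postcode rule in item 2 (keep the outward code only where a hypothetical population table says the unit exceeds 20,000 people, otherwise replace it with 000; the table stands in for the ONS data the policy refers to), and scrubs phone numbers, e-mail addresses and NHS numbers that survive in free text (items 4, 6 and 8). The NHS number check uses the modulus 11 check digit the number carries, so that an arbitrary ten-digit run is not redacted by mistake. The regular expressions are deliberately simplified and the reference date is pinned to the policy's issue date so that the ages are reproducible; names inside free text are not handled, which is the usual gap in this kind of rule-based scrubbing.

```python
"""De-identification against the direct-identifier list above.

Added illustration, not part of the Trust policy. Implements the date,
age-over-89 and postcode rules and scrubs residual contact identifiers
and NHS numbers from free text.
"""
import re
from datetime import date

# Constructed sample record; no value here belongs to a real person.
SAMPLE_RECORD = {
    "name": "A. N. Other",
    "nhs_number": "943 476 5919",   # constructed, passes the check digit
    "dob": "1923-05-17",
    "admission_date": "2014-09-10",
    "postcode": "AB1 2CD",          # constructed, not a real postcode
    "email": "someone@example.org",
    "phone": "01632 960123",        # Ofcom range reserved for fiction
    "free_text": "Ring 01632 960123 or email someone@example.org; NHS no 943 476 5919",
}

# Fixed reference date so ages are reproducible (the policy's issue date).
REFERENCE_DATE = date(2014, 10, 3)

# Hypothetical population per postcode outward code. The policy says this
# comes from ONS / ICO data; the figures here are invented for the example.
POPULATION_BY_OUTWARD = {"AB1": 25_000, "ZZ9": 1_200}

# Simplified patterns for the scrub step; real deployments need fuller ones.
NHS_NUMBER_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\b0\d{3,4}[ -]?\d{6}\b")


def nhs_number_is_valid(candidate: str) -> bool:
    """Modulus 11 check digit used by the NHS number (weights 10 down to 2)."""
    digits = re.sub(r"\D", "", candidate)
    if len(digits) != 10:
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:          # no valid number has this remainder
        return False
    return check == int(digits[9])


def age_on(dob: date, ref: date) -> int:
    """Whole years between dob and the reference date."""
    return ref.year - dob.year - ((ref.month, ref.day) < (dob.month, dob.day))


def generalise_date(iso_date: str) -> str:
    """Item 3: keep only the year of a date directly related to an individual."""
    return iso_date[:4]


def generalise_postcode(postcode: str, population=POPULATION_BY_OUTWARD) -> str:
    """Item 2, read as: keep the outward code only when its unit exceeds
    20,000 people, otherwise replace it with 000."""
    outward = postcode.split()[0].upper()
    return outward if population.get(outward, 0) > 20_000 else "000"


def scrub_text(text: str) -> str:
    """Items 4, 6 and 8: redact phone numbers, e-mail addresses and NHS
    numbers that survive in free text. Names in free text are not handled."""
    def nhs_sub(match):
        token = match.group(0)
        return "[NHS-NUMBER]" if nhs_number_is_valid(token) else token
    text = NHS_NUMBER_RE.sub(nhs_sub, text)
    text = EMAIL_RE.sub("[EMAIL]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    return text


def deidentify(record: dict, ref: date = REFERENCE_DATE) -> dict:
    """Return a new record with direct identifiers removed or generalised."""
    out = {}
    age = age_on(date.fromisoformat(record["dob"]), ref)
    if age > 89:
        out["age"] = "90+"   # item 3: ages over 89 aggregated, birth year dropped
    else:
        out["age"] = age
        out["birth_year"] = generalise_date(record["dob"])
    out["admission_year"] = generalise_date(record["admission_date"])
    out["postcode_area"] = generalise_postcode(record["postcode"])
    out["free_text"] = scrub_text(record["free_text"])
    # name, nhs_number, email and phone fields are dropped outright (items 1, 4, 6, 8).
    return out


if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))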

6.6. Staff Issues

Contracts of employment
Staff contracts of employment are produced and monitored by the Trust Human Resources Department. All contracts of employment include Information Governance clauses, including information governance and data protection responsibilities.

Disciplinary
A breach of the Data Protection requirements could result in a member of staff facing disciplinary action. All staff must adhere to Trust policies and procedures relating to the processing of personal information.

6.7. Disclosure of personal identifiable information
There are Acts of Parliament that govern the disclosure/sharing of personal identifiable information. Some make it a legal requirement to disclose whilst others state when information cannot be disclosed. The Confidentiality: NHS Code of Practice (2003) gives clear guidance on disclosure of patient information.

Legislation to restrict disclosure
- Human Fertilisation and Embryology (Disclosure of Information) Act (1992)
- Venereal Diseases Act (1917) and Venereal Diseases Regulations of 1974 and 1992
- Abortion Act (1967)
- The Adoption Act (1976)

Legislation obliging / permitting disclosure
- Public Health (Control of Diseases) Act (1984) and Public Health (Infectious Diseases) Regulations (1985)
- Education Act 1944 (for immunisations and vaccinations to NHS Trusts from schools)
- Births and Deaths Act (1984)
- Prevention of Terrorism Act (1989) and Terrorism Act (2000)
- The Road Traffic Act (1988)
- Police and Criminal Evidence Act (1984)
- A Court Order
- The Crime and Disorder Act (1998)
- Multi-Agency Public Protection
- Vulnerable Persons and Child Protection cases

Information sharing
Whilst there is a public expectation of appropriate sharing of information between organisations providing health care services to them and with other organisations providing related services, the public rightly expect that their personal data will be properly protected. When sharing personal information, PHT staff must ensure that the Principles of the DPA 1998, the Human Rights Act 1998, the Caldicott Principles and the Common Law Duty of Confidentiality are upheld. Information sharing protocols provide the basis for facilitating the exchange of information between organisations.

Please contact the Information Governance Manager for further advice relating to any form of disclosure of personal information e.g. disclosure to the police, the media etc.

6.8. Keeping patients informed
It is a Trust requirement that patients are told how their information is to be used before they are asked to provide it, or as soon as is possible (Confidentiality: NHS Code of Practice 2003). Specific information must be given to patients about the use of their personal information, particularly if for uses other than the provision of healthcare. The explicit consent of the patient must be obtained before information is processed for reasons other than the direct provision of healthcare, e.g. use for research purposes. (Please refer to the Trust Patient Communication Strategy.)

6.9. Data Protection contractual clauses
The Trust is responsible for obtaining appropriate contractual assurance in respect of compliance with Information Governance (IG) requirements from all bodies that have access to the Trust's information or conduct any form of information processing on its behalf. This is particularly important where the information is about identifiable individuals, as this is a legal requirement under the Data Protection Act.

All contractors or support organisations (including non-clinical staff) with access to personal data (that the Trust is data controller for) must be identified and appropriate clauses for inclusion in contracts must be developed.

The following guidance provides assistance in gaining data protection assurance from potential service providers, summarises the clauses that are expected in relevant contracts, and details the wording of the clauses:
1. Information Governance Due Diligence
2. Information Governance Contracts Checklist
3. Model Information Governance Contract Clauses

Advice should always be sought from the Trust’s Procurement Department when negotiating or renegotiating contracts.

6.10. Privacy Impact Assessments
Privacy Impact Assessments (PIAs) are a tool recommended by the Information Commissioner's Office to build Data Protection Act compliance into projects and initiatives. They are not a legal obligation, but an approach that helps to comply with legal obligations, and the Trust's use of PIAs is assessed through Standard 210 of the NHS Information Governance Toolkit.

PIAs are intended to build in "privacy by design" and to prevent privacy related problems from arising, by:
- Considering the impact on privacy at the project start
- Identifying ways of minimising any adverse impact
- Building this into the project as it develops

The need for Privacy Impact Assessments will be captured through the formal Business Case process and the ICT and corporate project methodology, and should also be considered where any project or proposal will:
- Introduce a new or additional piece of IT that will relate to the management of Person Identifiable Data (PID)
- Introduce a new process that requires the use of PID where it had previously been conducted anonymously
- Involve a change in how the Trust will handle either (a) large amounts of PID about an individual, or (b) PID about a large number of individuals

Privacy Impact Assessments should be submitted to the Information Governance Steering Group for review and comment. Where timescales do not permit this, they may be submitted to the Trust’s Senior Information Risk Owner.

7. TRAINING REQUIREMENTS

The Information Governance Manager has overall responsibility for maintaining training and awareness of confidentiality and information security issues for all staff. However, the Trust Caldicott Guardian is also able to provide advice on the sharing of, and access to, patient identifiable information.

Information Governance training is mandatory and all new starters must receive IG training as part of their corporate induction.

All staff members are required to undertake accredited Information Governance training as appropriate to their role. The preferred method is through the Trust’s Essential Skills Handbook (ESH) and associated e-assessment in the Electronic Staff Records (ESR).

Information Governance training must be completed on an annual basis.

8. REFERENCES AND ASSOCIATED DOCUMENTATION

The Data Protection Act 1998 http://www.opsi.gov.uk/Acts/Acts1998/ukpga_19980029_en_1

Health Research Authority – Section 251 and the Confidentiality Advisory Group (CAG) http://www.hra.nhs.uk/about-the-hra/our-committees/section-251/

NHS Code of Practice on Confidentiality 2003 (DoH) http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_4069253

The Freedom of Information Act 2000 http://www.opsi.gov.uk/Acts/acts2000/ukpga_20000036_en_1

The Human Rights Act 1998 http://www.opsi.gov.uk/ACTS/acts1998/ukpga_19980042_en_1

Access to Health Records Act 1990 http://www.opsi.gov.uk/acts/acts1990/ukpga_19900023_en_1

Caldicott review: information governance in the health and care system 2013 https://www.gov.uk/government/publications/the-information-governance-review

Trust Policies:
- Confidentiality Code of Conduct
- IT Security Policy
- Safe Haven Policy
- E-mail Policy
http://pht/PoliciesGuidelines/ManagementPolicies/Lists/Links/AllItems.aspx

9. EQUALITY IMPACT STATEMENT

Portsmouth Hospitals NHS Trust is committed to ensuring that, as far as is reasonably practicable, the way we provide services to the public and the way we treat our staff reflects their individual needs and does not discriminate against individuals or groups on any grounds.

This policy has been assessed accordingly.

Our values are the core of what Portsmouth Hospitals NHS Trust is and what we cherish. They are beliefs that manifest in the behaviours our employees display in the workplace.

Our Values were developed after listening to our staff. They bring the Trust closer to its vision to be the best hospital, providing the best care by the best people, and ensure that our patients are at the centre of all we do. We are committed to promoting a culture founded on these values, which form the ‘heart’ of our Trust:

- Respect and dignity
- Quality of care
- Working together
- No waste

This policy should be read and implemented with the Trust Values in mind at all times.

10. MONITORING COMPLIANCE WITH PROCEDURAL DOCUMENTS

Minimum requirement to be monitored: Various elements of the Information Governance Compliance Framework:
- IG Compliance Monitoring Tool
- Patient Satisfaction (Data Protection / Consent) Survey
- Flow Mapping Registers
- Information Asset Registers
- Information Sharing Protocol Registers
- Information Governance Contractual Arrangements
- Information Governance Incident Reports
- Privacy Impact Assessment Registers

Lead: IG Manager; Information Asset Owners

Tool: IG Compliance Framework

Frequency of Report of Compliance: Bi-annual

Reporting arrangements: CSCs report bi-annually to the IG Steering Group

Lead(s) for acting on Recommendations: IG Manager; Information Asset Owners

This document will be monitored to ensure it is effective and to assure compliance.

The effectiveness in practice of all procedural documents should be routinely monitored (audited) to ensure the document objectives are being achieved. The process for how the monitoring will be performed should be included in the procedural document, using the template above.

The details of the monitoring to be considered include:

- The aspects of the procedural document to be monitored: identify standards or key performance indicators (KPIs);
- The lead for ensuring the audit is undertaken;
- The tool to be used for monitoring, e.g. spot checks, observation audit, data collection;
- Frequency of the monitoring, e.g. quarterly, annually;

- The reporting arrangements, i.e. the committee or group who will be responsible for receiving the results and taking action as required. In most circumstances this will be the committee which ratified the document. The template for the policy audit report can be found on the Trust Intranet (Trust Intranet -> Policies -> Policy Documentation);
- The lead(s) for acting on any recommendations necessary.

Appendix A: Overview of legislation

The Access to Health Records Act 1990
This Act gives patients’ representatives a right of access to their manually held health records, in respect of information recorded on or after 1 November 1991. This Act is only applicable for access to deceased persons’ records. All other requests by living individuals for access to information are provided for under the access provisions of the Data Protection Act 1998.

Access to Medical Reports Act 1988
This Act allows those who have had a medical report produced for the purposes of employment and/or insurance to obtain a copy of the content of the report prior to it being disclosed to any potential employer and/or prospective insurance company.

Human Rights Act 1998
This Act became law on 2 October 2000. It binds public authorities, including Health Authorities, Trusts, Primary Care Groups and individual doctors treating NHS patients, to respect and protect an individual’s human rights. This will include an individual’s right to privacy (under Article 8) and a service user’s right to expect confidentiality of their information at all times.

Article 8 of the Act provides that ‘everyone has the right to respect for his private and family life, his home and his correspondence’. However, this article also states ‘there shall be no interference by a public authority with the exercise of this right except as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety, or the economic well-being of the country, for the prevention or detection of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others’.

Each organisation must act in a way consistent with these requirements. It must take an individual’s rights into account when sharing personal information about them.

Freedom of Information Act 2000
This Act came into force on 1 January 2005. This Act gives individuals a right of access to corporate information held by the Trust, such as policies, reports and minutes of meetings. The Trust has a Freedom of Information Policy and a nominated officer to deal with requests and queries.

Regulation of Investigatory Powers Act 2000
This Act combines rules relating to access to protected electronic information as well as revising the ‘Interception of Communications Act 1985’. The Act aims to modernise the legal regulation of interception of communications in the light of the Human Rights laws and rapidly changing technology.

Crime and Disorder Act 1998
This Act introduces measures to reduce crime and disorder, including the introduction of local crime partnerships around local authority boundaries to formulate and implement strategies for reducing crime and disorder in that local area.

The Act allows disclosure of person identifiable information to the Police, Local Authorities, Probation Service or the Health Service, but only if the purposes are defined within the Crime and Disorder Act. The Act does not impose a legal requirement to disclose/exchange person identifiable information, and responsibility for disclosure rests with the organisation holding the information. There should be a Crime and Disorder Protocol governing the disclosure/exchange and use of personal information within a local authority boundary, agreed and signed by all involved agencies and organisations.

The Computer Misuse Act 1990
This Act makes it a criminal offence to access any part of a computer system, programs and/or data that a user is not entitled to access. Each organisation will issue individual users an individual user ID and password which will only be known by the individual they relate to and must not be divulged or misused by other staff. This is to protect the employee from the likelihood of their inadvertently contravening this Act.

Each organisation will adhere to the requirements of the Computer Misuse Act 1990 by ensuring staff are made aware of their responsibilities regarding the misuse of computers for personal gain or other fraudulent activities. Any member of staff found to have contravened this Act will be considered to have committed a disciplinary offence and be dealt with accordingly.

The Justice and Coroners Act (2009)
This Act has amended the Data Protection Act to strengthen the Information Commissioner's inspection powers.

Appendix B: Overview of NHS Guidance

Confidentiality: NHS Code of Practice
This code of practice provides detailed guidance for NHS bodies concerning confidentiality and patients’ consent to use their health information. It also details the required practice the NHS must follow concerning security, identifies the main legal responsibilities for an organisation and details employees’ responsibilities.

Employment Code of Practice
Guidance produced by the Information Commissioner detailing the data protection requirements that relate to staff/employee and other individuals’ information.

Caldicott 2: The Information Governance Review (2013)
Provides guidelines relating to the sharing of patient identifiable information and promotes the appointment of a senior health professional to oversee the implementation of the guidance. The Trust Caldicott Guardian is the Medical Director.

Records Management: NHS Code of Practice 2006
Provides guidance to improve the management of NHS records, explains the requirements to select records for permanent preservation, lists suggested minimum requirements for records retention and applies to all information, regardless of the media, concerning all personnel within the NHS such as patients, employees, volunteers etc. Aids compliance with the Data Protection and Freedom of Information Acts.

ISO/IEC 27001:2013 Information Security Standard
This is the accepted industry standard for information security management and is recommended in order to assure compliance with principle 7 of the Data Protection Act.

Appendix C: ICT Contractual Process Guidance

The following is taken from ICT contractual processes best practice.

The elements that need to be included in contract provisions are set out below. It is important to recognise that the contract itself is only one aspect of contracting and that there are four stages to the contracting process. Documentation of each stage is required to demonstrate due diligence. The four stages are:
- procurement requirements (pre-contract checks);
- legal provisions of contract (and supplementary Service Level Agreement/DSA provisions where applicable);
- contract performance management (this includes having a nominated manager and audit, and will need to be resourced); and
- contract exit management.

Process:

1. Define the status and relationship of the parties as data controller or data processors. This includes clarity about sole, joint or in common data controllership, and where an organisation’s relationships with data may fall across these categories in different circumstances, to clarify the circumstances in which the different relationships with the data will apply.
2. Define scope and term of the contract.
3. Whether the contract will be supported by Service level/data sharing agreements (where applicable to define data set and disclosures for specific purposes. This should include any variation to the data controller relationships set out in the contract).
4. Define terminology used.
5. Legal, professional and contractual requirements. Definition of the governing law (i.e. England), requirement to adhere to legal and professional requirements, and the provisions of this contract in particular in relation to Data Protection, Human Rights and common law obligations such as the duties of care and confidentiality. This includes but is not limited to:
   a. when personal confidential data may lawfully be disclosed;
   b. for de-identified data for limited disclosure or access, the requirement for this data to be held separately from personal confidential data within a safe haven (to ensure it does not become identifiable, and therefore personal data requiring a legal basis to process);
   c. having mechanisms to prevent re-identification where de-identified data may be linked together in a safe haven;
   d. a requirement not to disclose data to other parties other than in anonymised form, or as authorised by the data controller, or where required by law; and
   e. for data processors, the requirement only to process data as instructed by the data controller.
6. Duty to co-operate with other parties.
7. In relation to personal confidential data, a definition of the purposes and the legal basis for processing for each specified purpose, with a restriction to confine processing to these purposes; where there is a need to re-identify individuals, this must be in the purposes and authorised. It is helpful to include this within the contract so all parties are assured of the legal basis for processing and the boundaries of that legal basis. (Privacy impact assessments are helpful in clarifying whether there is a secure basis in law and the nature of that basis as part of the pre-contract checks and ongoing management of the contract.) In relation to de-identified data for limited disclosure or access, clarity of the purposes and assurance that the purposes of processing are in the public interest.

8. Confidentiality and protection of commercially sensitive information and intellectual property.
9. Fair processing information responsibilities, including service user involvement in its development.
10. Policies and procedures on: consent both for treatment and for the use of data; conflicts of interest management; and agreement more broadly about whose policies are used. This may be specific to the policy in question.
11. Timely communication of transfer or discharge information to other care professionals.
12. Online access to records and communication of care plans to the service user.
13. Conformance with requisite Information and Data Standards.
14. Staff recruitment checks, education and training, and terms and conditions of employment. This also needs to address honorary and seconded staffing arrangements to ensure that failures to adhere to policies and procedures are addressed through disciplinary action via the substantive contract of employment.
15. Maintenance of Information Asset Registers, data flow mapping and data sets for extraction and reporting requirements.
16. Data extraction processes.
17. Responsibility for FOI, EIR and subject access requests. In particular, attention needs to be given to who will undertake the clinical review of records for Subject Access Requests to ensure that seriously harmful information, or information provided by third parties, is not disclosed.
18. Housekeeping measures:
   a. business continuity;
   b. disaster recovery;
   c. monitoring and auditing of access controls and reporting; and
   d. transfer, retention, archiving, and disposal of records at end of data lifecycle in line with DH record retention schedules or termination of contract.
19. Security requirements (ISO 27001 and 2) ISMS to include:
   a. network security;
   b. device security (including encryption);
   c. software security including protection against malware;
   d. data and system back-up;
   e. secure transfer of data;
   f. physical security;
   g. access control functionality, logging, alerts, auditing and reporting;
   h. software control of printing and USB devices;
   i. use of security and privacy enhancing technologies;
   j. risk assessment, audit and reporting (including penetration testing);
   k. review and updating; and
   l. incident reporting.
20. Registration Authority (RA): Legitimate Relationship (LR) and Role Based Access Control (RBAC) authorisation and implementation.
21. Change control, authorised officers and approvals processes.
22. Sub-contracting: notification to data controller of intent to sub-contract, identity of sub-contractor(s), contracting and oversight arrangements of sub-contractor and authorisation by data controller requirements.

23. Location of data storage and arrangements, i.e. within EEA, outside EEA, or cloud. Need for binding corporate rules or other means of satisfying DP principle 8.
24. Serious incidents/data breaches (duty of candour): monitoring, reporting, investigating, publishing with outcomes.
25. DC contract performance management including right of access to visit site(s) and audit procedures/use of data including any sub-contractors. Additionally, mandatory independent audit of the IG Toolkit submission or equivalent statements of compliance should also be considered, with the scope set annually by the data controller.
26. Process for agreeing variations to the contract including novation to new bodies.
27. Dispute resolution process.
28. Exit from contract:
   a. natural end of contract considerations such as record management;
   b. premature end of contract from failures of any party, e.g. bankruptcy, serious data breach; and
   c. continuing obligations, e.g. not using data subsequently for own purposes and maintaining confidentiality of personal data indefinitely.
29. Charges, liability and indemnity, remedies and penalties for breach of contract. Care needs to be taken to ensure that this clause includes unlimited recovery of costs arising from a breach by the data processor, and data processors need to maintain insurance supporting liability in the contract.
30. Definition of roles and responsibilities: senior responsible officers for implementation and oversight of different elements of the contract for each party to the contract.
31. Signatures of senior responsible officers of all parties.
32. An appendix to the contract, with the day to day contact details for the senior responsible officers and other key staff.

