Health and Social Care Information Sharing Protocol
for
Wiltshire and Swindon
August 2002 DISTRIBUTION LIST Name: Title and Organisation
Simon Birch* Acting Chief Executive Officer, Swindon Borough Council
Ann Shelley Caldicott Guardian, Kennet & North Wiltshire NHS Primary Care Trust
John Waldron Caldicott Guardian, Medical Director, Royal United Hospital
Dr Steve Hicks Caldicott Guardian, Swindon Primary Care Trust
Frances Jones Caldicott Guardian, West Wiltshire Primary Care Trust
Barbara Smith* Chief Executive Officer, Kennet and North Wiltshire NHS Primary Care Trust
Jan Filochowski* Chief Executive Officer, Royal United Hospital NHS Trust
Frank Harsent* Chief Executive Officer, Salisbury Health Care NHS Trust
John Nicholas* Chief Executive Officer, South Wiltshire NHS Primary Care Trust
Sonia Mills* Chief Executive Officer, Swindon & Marlborough NHS Trust
Jan Stubbings* Chief Executive Officer, Swindon NHS Primary Care Trust
Donna Stiles* Chief Executive Officer, West Wiltshire NHS Primary Care Trust
Roger Pedley* Chief Executive Officer, Wiltshire and Avon Mental Health Partnership NHS Trust
Dr Keith Robinson* Chief Executive Officer, Wiltshire County Council
Sue Geary Corporate Development Manager, Wiltshire Social Services , Caldicott Guardian
Linda Walmsley Provider Information Services Manager Delegated Authority Caldicott Guardian
Gerry Oliver Caldicott Guardian, Acting Director of Housing and Social Services, Swindon Social Services
Mr Eric Waters Caldicott Guardian, Salisbury HealthCare Trust
*signatories on behalf of participating organisations TABLE OF CONTENTS
1 INTRODUCTION...... 1
2 Organisations Covered by this Protocol...... 1
3 Scope...... 1
4 Objectives...... 2
5 Organisation Specific Documentation...... 2
6 General Principles...... 3 6.1 Legal Requirements...... 3 6.2 Caldicott Guardians and Designated Officers...... 3 6.3 Sharing of Routine Information...... 4 6.4 Sharing of Non-Routine Information...... 4 6.5 Onward Transmission of Personal Data...... 5 6.6 Organisational Responsibility...... 5 6.6.1 Staff Awareness...... 5 6.6.2 Caldicott Guardian/Designated Officer...... 5 6.6.3 Response to Requests...... 5 7 Disclosure of Personal Information Procedures...... 5 7.1 Obtaining consent...... 5 7.2 Recording Consent...... 6 7.3 Disclosing Information without Consent...... 7 7.4 Maintaining Contact Details...... 7 8 Access and Security Procedures...... 7 8.1 Transfer of Personal Information...... 7 8.2 Use of Personal Information for Purposes other than that Agreed...... 8 8.3 Restrictions on the use of Statistical and Anonymous Data...... 8 9 Review of this Protocol...... 9
10 Signatories...... 9
Appendix A – Data Protection Principles...... 10
Appendix B – Details of Other Relevant Acts of Parliament...... 13
Appendix C – Quick Reference Guide for Staff...... 17
Appendix D - Definitions...... 23
Appendix E - Glossary...... 25
Appendix F – Source Documents...... 26 1 Introduction
A protocol is the agreement between participants in an information-sharing partnership, to govern the sharing of information, satisfy statutory and mandatory the requirements of the law and guidance, regulate working practices, and provide operational guidelines guidance in for both the disclosing and receiving organisations.
This protocol sets out the obligations on staff who need to:
1. Share or disclose information about service users to streamline care processes
2. Maintain appropriate confidentiality
This protocol does not impose any new obligations, however it does provide operational guidelines for both the disclosing and the receiving organisation’s staff.
The protocol has been designed to meet the information requirements for the Wiltshire and Swindon Pathfinder Partnership.
2 Organisations Covered by this Protocol
Organisations covered by this protocol include:
Avon and Wiltshire Partnership Kennet and North Wiltshire NHS Primary Care Trust Royal United Hospital NHS Trust Salisbury Health Care NHS Trust South Wiltshire NHS Primary Care Trust Swindon and Marlborough Trust Swindon Borough Council, Adult Social Services Swindon NHS Primary Care Trust West Wiltshire NHS Primary Care Trust Wiltshire & Swindon Health Care NHS Trust Wiltshire County Council, Adult Social Services Swindon and Marlborough Trust Wiltshire & Swindon Health Care NHS Trust West Wilts Primary Care Trust South Wilts Primary Care Trust Kennet and North Wilts Primary Care Trust Swindon Primary Care Trust Swindon Borough Council Adult Social Services Wiltshire County Council Adult Social Services Wiltshire Health Authority Royal United Hospital Trust Salisbury Health Care NHS Trust Avon and Wiltshire Partnership
It is recognised that organisational boundaries are changing and this protocol is transferable to any organisation required to become a signatory.
Page : 1 3 Scope
To provide a policy framework for the secure and confidential sharing of information between organisations working within the Wiltshire and Swindon Pathfinder Partnership. Pathfinder Partnership. This is to enable them to meet the needs of the public for care, and support and and information protection.
To inform patient/service users1 of the organisations who are party to this protocol,of the reasons why information about them may need to be shared and how this sharing will be managed.
This protocol details the legal and government requirements for safe and secure information handling. Each organisation will need to address these requirements internally and give specific details to staff in meeting them who while provideing care and treatment to patients/service users.
Each organisation will remain legally responsible for control and ownership of the information within their organisation, as required within the the data protection legislation.
Each organisation will ensure a current version of this protocol is maintained and available to staff within their organisations.
4 Objectives
This document sets out the principles which underpin the exchange of information between the parties detailed in Section 2, by:
Defining the specific purposes for which these organisations have agreed to share information to meet their responsibilities to protect, support and care for adults and children.
Describing the roles and structures which will support the exchange of information between parties to the protocol.
Describing the arrangements which have been agreed for exchanging information.
5 Organisation Specific Documentation
Each organisation/agency wishing to share personal identifiable information will need to ensure that they have mechanisms in place to enable them to address the issues of physical security, security awareness and training, patient/service user access to information, security management, confidentiality management, systems development, site-specific information systems policies and system specific policies (see list below).
It is assumed that each of the organisations signing up to the protocol will have in place the following types of documentation. The table allows for each organisation to demonstrate whether these documents exist locally.
1 ‘Patient’ is the generic term given for patients, clients, parents or guardians
Page : 2 Required policies and procedures In place Dated Yes/No Current Data Protection registration
Up to date Information Security Policy
Up to date System Security Policy for system/s involved with information sharing
Information leaflets for patient/service users regarding the use/s of their information
As part of induction for staff training in the requirement for information security and confidentiality
Disposal of confidential waste (e.g. printouts, computer media)
Retention of records policy/procedure
6 General Principles
6.1 Legal Requirements
There are legal requirements that organisations involved must considered and complied comply with to ensure individual’s rights are respected and the organisations involved do not breach these legal requirements.
The main pieces of legislation, (but this list is not exhaustive) governing individual’s rights are:
Access to Health Records Act 1990 (only for manual records of deceased patients) Carers (Recognition & Service) Act 1995 Children’s Act 1989 Civil evidence Act 1995 Common law Duty of Confidence Computer Misuse Act 1990 Copyright Designs and Patents Act 1988 Crime & Disorder Act 1998 Data Protection Act 1998 Freedom of Information Act 2000 Human Rights Act 1998 Mental Health Act 1983 NHS & Community Care Act 1990 Regulation of Investigatory Powers Act 2000 Service users Access to Records Act 1987 & Regulations 1989 The Adoption Act 1976 The Health Act 1999 (section 31) The Health and Social Care Act 2001
Page : 3 Further information and details of the most relevant of these Acts are in Appendix A Data Protection Principles and Appendix B Details of other relevant Acts of Parliament and Other Guidance.
6.2 Caldicott Guardians2 and Designated Officers
All statutory Health and Social Care organisations will each have a Caldicott Guardian, who for the purposes of Information sharing will be the designated authorising officer. Non-statutory organisations will need to nominate a Designated Officer for this purpose also.
The Designated Officer may identify a deputya deputy to process, or initiate requests for personal information.
6.3 Sharing of Routine Information
A routine disclosure of information is one that happens as a matter of course during the intervention process, which is relevant to the direct care or treatment of an individual.
Health and Social care professionals are regularly asked to provide information about their patient/service users.
Before they do so they should:
Inform the patient/service user that basicthat basic information will be shared;
Anonymise the data wherever possible;
Keep disclosures to a minimum;
Ensure there is a justifiable need for the recipient of the information to know it;
Seek and document the patient/service users’ consent to disclosure wherever possible. This should be in accordance with local protocols (subject to forthcoming National Guidance, expected by end Feb 2002)
Express consent will not be needed where the information is being shared for the purposes of care and treatment, and administration and planning of health and social care services. However, patient/service users should be told in general terms, of the kind of NHS and Social care purposes to which the information about them may be applied.
Routine information sharing does not need to be approved by the Caldicott Guardian or Designated Officer once this protocol has been signed by all stakeholders.
2 A Caldicott Guardian is a member of the senior management team who is responsible for the establishment of procedures governing access to, and the use of, personally-identifiable information within the organisation, and where local flexibilities exist, the transferof such information from the organisation to other bodies.
In agreeing local procedures and protocols the Guardian should ensure consistency with any relevant central requirements and guidance.
Page : 4 6.4 Sharing of Non-Routine Information
A non-routine disclosure would be to the police, probation service, non-NHS organisations, auditors, researchers and requests for information under the Crime and Disorder Act 1998 etc.
For example:
Police requesting information from A&E, MIU, WIC about the injuries sustained by a patient/service user suspected of being involved in an affray. (unless under a statutory exemption)
Mental health professionals seeking information from the probation service to inform their risk assessment.
A request for information from a solicitor in a personal injury claim
The person requiring information from another organisation should submit the request in writing through the Designated Officer.
Before releasing the information the Designated Officer must ensure that:
The request is from a Designated Officer, or nominated deputy, appointed by the organisation requesting the information
The information is required to support action under the objectives of this protocol or falls within exceptions within the Data protection act 1998
A record setting out the request and grounds for disclosure is kept
Decisions made by Designated Officers must be periodically reviewed in order to monitor their decision making as part of Clinical Governance procedures.
6.5 Onward Transmission of Personal Data
The disclosing organisation retains control and ownership of the data and any recipient must undertake not to disclose them without the consent of the original data controller. Organisations will comply with the relevant policies and procedures for the safe and secure transportation of documents.
6.6 Organisational Responsibility
6.6.1 Staff Awareness
Each organisation will ensure that all staff are aware of the need for data security and confidentiality and the need to follow this protocol.
Appendix C – Quick Reference Guide is designed for staff and is based on a document designed by the East Surrey LIS for the Local Health Community. An adaptation of this could be made available to staff within each of the partner organisations.
6.6.2 Caldicott Guardian/Designated Officer
Each organisation will need to ensure that the Caldicott Guardian/Designated Officer or their nominated deputy is widely known within the organisation.
Page : 5 6.6.3 Response to Requests
That requests for information are responded to within a published time scale.
7 Disclosure of Personal Information Procedures
7.1 Obtaining consent
1. Consent will be sought from the patient/service user at the first contact, in any of the participating organisations as listed in Section 2. Their record will then be flagged with their wish. The patient/service user will be made aware at this time that if he/she gives their consent all healthcare healthcare professionals involved in their treatment could see their information or a subset of it (partial consent) during the life of the care process.
2. Should the patient/service user wish to withdraw consent this can be done at any time by contacting a designated central contact point, that is, either the Caldicott Guardian or Data Protection Officer of each of the partner organisations, the patient/service user consent flag will be removed, and all Partner Organisations notified.
3. The patient/service user will be given a patient/service user information leaflet explaining the uses of their Health and Social Care Information that will also include a section on information sharing and the implications of this which pertain to them.
4. If the patient/service user does not consent to having personal information shared then it should be explained that their treatment will be dealt with in a normal manner.
7.2 Recording Consent
Organisations must have a means by which an individual or their guardian can record whether they give consent to the disclosure of personal information and what limits, if any, they wish placed on that disclosure.
These limitations should be overridden only if there are statutory grounds for doing so and one of the conditions of Schedule 2 of the Data Protection Act 1998 can be demonstrated. For sensitive information, one of the conditions of Schedule 3 of the Data Protection Act 1998 must also exist.
Individuals should be able to prescribe, in respect of all information held by the contact organisation
Which organisations information can and cannot be shared with
What information known to the contact organisation can be shared and what information should remain confidential.
In addition, in respect of sensitive information (as defined by the Data Protection Act 1998) which is held by the contact organisation, individuals must be able to prescribe the explicit purposes for which they agree to this information being disclosed to another organisation.
Page : 6 This means that an individual must have access to their files in order to comprehend what information an organisation holds about them and must be given an opportunity to amend and correct where any information which is incorrect.
It is recognised that, in an urgent or emergency situation and in many routine referrals, it is impractical for existing patient/service user records to be studied in detail and amended at that point in time. All organisations should therefore have procedures in place to ensure that patient/service users are fully informed at all times of the content of their records (both manual and computerised) and have opportunities to amend the contents if they are wrong.
Under no circumstances will consent be sought, or taken to have been given, unless the individual or their representative has been fully informed of the consequences of giving consent.
If a person, limits the disclosure of information in any way, then this must be flagged on their records in such a manner that any member of staff subsequently involved with that person, is alerted to this limitation of consent. Information which is held with this limitation should be stored in such a manner that access can be controlled. This limitation of consent should be recorded whether or not a decision is taken to disclose without consent.
Consent to disclosure of personal information for a particular purpose, will be limited to a period to be specified within individual protocols, unless the individual concerned withdraws consent in the interim period. A record must be kept of the date on which consent was given, the date on which it is due to expire and the date on which it was withdrawn, if applicable. If at any time following the withdrawal or expiry of consent, an organisation wishes to disclose that information for the same or another purpose, then consent will need to sought again.
7.3 Disclosing Information without Consent
Passing information without consent places both individual staff members and organisations at risk of prosecution. If there is no lawful basis for disclosing information without consent, there is also the risk of a compensation order under the Data Protection Act, or damages for breach of confidence/breach of the Human Rights Act - Article 8 rights.
The disclosure of personal information without consent must be justifiable on statutory grounds and meet one of the conditions of Schedule 2 of the Data Protection Act 1998.
In addition, the disclosure of “sensitive” information without consent must meet one of the conditions of Schedule 3 of the Data Protection Act 1998.
If information is disclosed without consent, then full details will be recorded about the information disclosed, the reasons why the decision to disclose was taken, the person who authorised the disclosure and the person(s) to whom it was disclosed. Individual protocols will specify the person(s) responsible for ensuring this happens.
A record of the disclosure will be made in the patient/service user's case file and the patient/service user must be informed if they have the capacity to understand.
Page : 7 7.4 Maintaining Contact Details
Partner organisations will provide the names and contact details of their Caldicott Guardians and Designated Officers to the Wiltshire & Swindon Health and Social Care Information Protocol Pathfinder Partnership Project Board. & Swindon Health and Social Care Information Protocol Project Board.
These staff will be those:
to whom requests for information for particular purposes should be directed.
who can authorise disclosure in respect of individual protocols.
who will provide legal advice in respect of the disclosure of information concerning a particular patient group.
who are authorised to receive confidential information in respect of a particular purpose.
8 Access and Security Procedures
8.1 Transfer of Personal Information
Inform patient/service users about the reasons:
why you are collecting their information,
what you are going to do with it, and
those which you intend to share it with.
For example:
1. when formulating a research project remember to be open and transparent about what you will be doing with the information.
2. When working in a team, ensure that the patient/service user is aware of who the members of the team are, and that all those involved with their care may see their notes.
8.2 Use of Personal Information for Purposes other than that Agreed
It is recognised that members of organisations fulfill a number of roles within that organisation. In fulfilling one particular role, they may be given privileged access to information about a patient/service user which they believe would assist them in one of their other roles, or be of wider interest to their organisation.
However, confidential information is disclosed only for the purpose specified at the time of disclosure and it is a condition of access that it should not be used for any other purpose without the consent both of the data owner and the data subject.
Individual protocols must specify the sanctions which will be applied to organisations and their members who use or disclose information in a manner which has not been agreed with the data owner.
Page : 8 Individual protocols must also include agreements which indemnify data owners for any action taken against them or their organisation as a result of the unauthorised use of confidential information by one of the other parties to a protocol.
8.3 Restrictions on the use of Statistical and Anonymous Data
Organisations in receipt of statistical data derived from the patient/service user records of partner organisations must request permission from the originating organisations (the data owner) if they wish to use that information for any purpose other than that for which the information was originally provided.
Organisations submitting or circulating reports or articles beyond the community covered by this protocol which incorporate statistics or other data supplied by a partner, will ensure that the data owner has the opportunity to view and comment on the report prior to its release. Individual protocols covering the sharing of information for specific purposes will set out any specific arrangement made for such reports to be viewed/discussed or approved prior to wider dissemination or publication.
Individual protocols should also specify arrangements for the approval of the wider use or publication of case studies based on material collated for the specific purposes covered by the protocol.
9 Review of this Protocol
The period following the introduction of the protocol until the completion of the first formal review of the protocol will be regarded as the introductory pilot phase. This should be a twelve month period.
During the pilot introductory phase, all breaches of the protocol are to be logged, investigated and the outcome of negotiations noted.
The continued need to do so after the pilot introductory phase will be examined as part of the review process.
The following types of incidents will be logged:
Ability/Inability to record consent;
Refusal to disclose information;
Conditions being placed on disclosure;
Delays in responding to requests;
Disclosure of information to members of staff who do not have a legitimate reason for access;
The use of data/information for purposes other than those agreed in the protocol
Inadequate security arrangements
Page : 9 The assessment will be undertaken by the Caldicott Guardians of each of the partner organisations. Each organisation will be required to develop and implement procedures for monitoring and handling breaches of the protocol. Wiltshire Shared Services Consortium will provide each organisation with support and guidance as and when required. , managed by the Caldicott Guardian of the Strategic Health Authority.
10 Signatories
A covering letter will be distributed with this protocol to be signed off by a senior executive of each partner agency on behalf of their organisations.
Each organisation will be required to submit a signed copy of the covering letter to to the Information Services Manager, within Wiltshire Shared Services Consortium, who will collate a list of the signatories and distribute a collated version to all signatories. A list of signatories will be kept by the Caldicott Guardian at the Strategic Health Authority.
Page : 10 Appendix A – Data Protection Principles
The Data Protection Principles and their interpretation
A.1 The first principle of the Act is the most important when considering information sharing. The principle states that ‘fair processing' of information must occur.
Personal data is defined as ‘data which relate to a living individual who can be identified:
from those data; or from those data and other information which is in the possession of, or likely to come into the possession of, the data controller and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual’.
Processing is defined as ‘obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including: organisation, adaptation or alteration of the information or data retrieval, consultation or use of the information or data disclosure of the information or data by transmission, dissemination or otherwise making available, or alignment, combination, blocking, erasure or destruction of the information or data
All information must be processed by at least one condition set out in Schedule 2 of the Data Protection Act. For patient/service user information the condition which applies is schedule 2(6)1 ‘The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing in unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject’. This has been agreed by the Information Commissioner and the Department of Health.
In addition for sensitive information as defined within the data protection legislation at least one condition in Schedule 3 of the Data Protection Act must also apply.
Sensitive personal data is defined as: the racial or ethnic origin of the data subject their political opinions their religious beliefs or other beliefs of a similar nature whether they are a member of a trade union their physical or mental health or condition their sexual life the commission or alleged commission by them of an offence, or any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings
For patient/service user information schedule 3(8)1 and (8)2 apply ‘The processing is necessary for medical purposes and is undertaken by a) a health professional, or b) a person who in the circumstances owes a duty of confidentiality which is equivalent to
Page : 11 that which would arise if that person were a health professional. In this paragraph ‘medical purposes’ includes the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services’.
The key components of ‘fair processing’ are as follows: how was the data obtained was the data subject provided with the following information: the identity of the data controller the purpose for which the data are to be processed any further information - e.g. who will have access to the data and for what purpose/s was the data subject aware of all the purpose/s their information are to be processed, the likely consequences of such processing and whether particular disclosures can be reasonably envisaged
Required action: Each organisation must ensure they have adequate tested procedures to ensure consent for use of information is obtained.
A.2 The second principle concerns the notification of information held on electronic equipment that can be processed (refer to definition) by automatic means. The organisation (data controller) holding the information is legally bound to notify the Information Commissioner’s Office of the purpose for holding the information, details of the type of information held and to whom (organisation/agency) the information may be disclosed.
It should be noted that although it is no longer a legal requirement to notify the Information Commissioner of information sources an individual has a right to know from whom an organisation receives information about them.
Required action: Each organisation must ensure the data protection registrations are current and updated to take account of information use/s. The organisation commits a criminal offence if it is not kept up to date and accurate.
A.3 The third principle states that information must be adequate, relevant and not excessive. This requires that information collected must be for a justified purpose and this may need to occur on a data item by data item case.
Required action: Each organisation must be satisfied that they can justify each data item held as part of a patient/service user record (for patient, family and staff). This will be vital if challenged by the patient/staff or as a complaint investigated by the Information Commissioner.
A.4 The fourth principle requires that the information must be kept accurate and up to date.
Patient/service users should be reminded of their responsibility to provide accurate information and provide information about changes to their personal circumstances e.g. name, address
Action:
Page : 12 Each organisation to have tested procedures for recording information accurately and keeping information up to date (patient/service user and staff)
A.5 The fifth principle requires that the information must only be kept for as long as is necessary.
Each individual organisation will take responsibility to meet its legal and policy requirements to archive information but ensure it is available to those who need it when it is needed.
The NHS must abide by the legal requirements under the Public Records Act 1958 which are defined within HSC1999/053 For the Record. This applies to all records regardless of the media they may be held/retained.
Social Services have similar requirements detailed within the Social Services guidelines ‘Retention of Service user Records’ procedure P3.
Each organisation to ensure information is kept for as long as required and if needs to be kept for longer the need MUST be justified.
A.6 The sixth principle gives rights to individual’s whose information is held by an organisation in respect of their own person information. These are:
right of subject access right to prevent processing likely to cause harm or distress right to prevent processing for the purposes of direct marketing right in relation to automated decision taking right to take action for compensation if the individual suffers damage right to take action to rectify, block, erase or destroy inaccurate data right to make a request to the Information Commissioner for an assessment to be made as to whether any provision of the Act has been contravened
Each organisation must ensure they have up to date procedures to deal with patient/service user and staff requests for access to information held about them and for dealing with complaints for breach of above.
A.7 The seventh principle governs security & confidentiality of information. Compliance with BS7799 Standard for Information Management and Security
A.8 The eighth principle puts constraints and controls on any electronic person identifiable information that may be or planned to be disclosed to a country outside of the EEA (where the Data Protection Act requirements may not be enforced).
If personal information is required to be disclosed in electronic format, to countries outside of the EEA advice MUST be sought from the Office of the Information Commissioner.
Page : 13 Appendix B – Details of Other Relevant Acts of Parliament
Details of other relevant Acts of Parliament
Human Rights Act 2000
This Act became law on 2 October 2000. It binds public authorities including Health Authorities, Trusts, Primary Care Groups and individual doctors treating NHS patients to respect and protect an individual’s human rights. This will include an individuals right to privacy (under Article 8) and a patient/service user’s right to expect confidentiality of their information at all times.
Article 8 of the Act provides that ‘everyone has the right to respect for his private and family life, his home and his correspondence’. However, this article also states ‘ there shall be no interference by a public authority with the exercise of this right except as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety, or the economic well-being of the country, for the prevention or disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others’.
Each organisation must act in a way consistent with these requirements. It must take an individual’s rights into account when sharing personal information about them.
Freedom of Information Act 2000
This Act came into force in November 2000 and will be fully in force during the coming years. The Information Commissioner (previously the Data Protection Commissioner) will oversee the implementation of this Act. This Act gives individuals rights of access to information held by public authorities. Further information will be available as implementation progresses.
Regulation of Investigatory Powers Act 2000
This Act combines rules relating to access to protected electronic information as well as revising the ‘Interception of Communications Act 1985’. The Act aims to modernise the legal regulation of interception of communications in the light of the Human Rights laws and rapidly changing technology.
Crime and Disorder Act 1998
This Act allows disclosures of information (including that which identifies a person) to the Police, Local Authorities, Probation Service or Health Service where disclosure is necessary or expedient for the purposes of any provision of the Act.
The provisions of the Act include Orders (e.g. Anti-Social Behaviour and Sex Offender Orders) and the formulation and implementation of local Crime and Disorder Strategies. Furthermore the Act imposes a duty on Health Authorities (and other authorities) to exercise it’s various functions with due regard to the likely effect of the exercise of those functions on, and the need to do all that it reasonably can to prevent, crime and disorder in it’s area.
Page : 14 The Act does not impose a legal requirement to disclose/exchange person identifiable information and responsibility for disclosure rests with the organisation holding the information. To allow information sharing under the Crime and Disorder Act each participating organisation must sign up to a Crime and Disorder Protocol.
The Computer Misuse Act 1990
This Act makes it a criminal offence to access any part of a computer system, programs and/or data that a user is not entitled to access. Each organisation will issue each EHSCR user an individual user id and password, which will only be known by the individual they relate to, and must not be divulged/misused by other staff. This is to protect the employee from the likelihood of their inadvertently contravening this Act.
Each organisation will adhere to the requirements of the Computer Misuse Act 1990 by ensuring staff are made aware of their responsibilities regarding the misuse of computers for personal gain or other fraudulent activities. Any member of staff found to have contravened this Act will be considered to have committed a disciplinary offence and be dealt with accordingly.
The Access to Health Records 1990
This Act gives patient/service user’s representatives right of access to their manually held health records, in respect of information recorded on or after 1 November 1991. This Act is only applicable for access to deceased persons records. All other requests for access to information by living individuals are provided under the access provisions of the Data Protection Act 1998.
HSC1999/012Caldicott requirements
1 Information must be provided to patient/service users and/or their representatives concerning the proposed use/s of information about them 2 The organisation must have a staff code of conduct in respect of confidentiality
3 Staff induction programme must include security and confidentiality of information
4 Confidentiality and security training needs of staff should be assessed 5 Training must be provided which includes confidentiality and security standards of the organisation and employees individual responsibilities 6 Contracts of employment should have an up-to-date confidentiality clause 7 Contracts, guidance and SLAs with other organisations should contain a confidentiality clause 8 Review information flows containing patient/service users (patients) identifiable information 9 Internal information/data ownership established 10 Safe Haven procedures should be in place to safeguard information flowing to and from the organisation 11 Guidance governing the sharing of patient/service users (patients)-identifiable information with other organisations locally agreed 12 Information Security Policy Document in existence 13 Security responsibilities Does the organisation have an Information Security officer role in place who has this person been trained? 14 Risk Assessment and Management Programme should be in place and include information (IT and manual records) 15 Security Incidents should be logged, investigated and monitored 16 Security Monitoring reported to the Board or management team
Page : 15 17 Users need to be made aware of their responsibilities 18 Controlling access to confidential patient/service user information – Is access agreed by Caldicott Guardian?
Further information about Caldicott issues: NHS www.doh.gov.uk/ipu/confiden/index.htm Social Services www.doh.gov.uk/jointunit/info.htm. www.doh.gov.uk/ipu/confiden/index.htm
Health and Social Services Circulars
HSC2000/009 Data Protection Act 1998: protection and use of information
HSC1998/203 Health records requests for access by patient/service users and their representatives
HSG(96)18 The protection and use of patient/service user information
LASSL(2000)2 Data Protection Act 1998: guidance
LASSL(96)5 The protection and use of patient/service user information
MISC(97)52 Faxing of safe haven amendments go live
HSC1999/053 For the Record (Preservation, retention & destruction of records under the Public Records Act 1958) and records management strategy
HSC1998/217 Preservation, retention and destruction of GP general medical services records relating to patient/service users
HSG(91)6 Access to Health Records Act - A guide for the NHS
IMGE 5498 A guide to implementing an awareness programme (The Information Security Resource pack)
HSG(96)15 The NHS IM&T Security Manual
HSG(96)18 The Protection & Use of Patient Information
HSC1998/168 Information for Health - An Information Strategy for the Modern NHS 1998 - 2005
Further information about circulars: www.doh.gov.uk/coin
C.3 Useful reference material
Free publications from: General Medical Council, 178 Great Portland Street, London W1N 6JE. Tel:020 7580 7642
Duties of a doctor - guidance from the General Medical Council. Confidentiality: Protecting and Providing Information Seeking patient/service users’ consent: the ethical considerations
Page : 16 Good medical practice Serious communicable diseases Advertising HIV & AIDS the ethical considerations Further information www.gmc-uk.org
PIU project on privacy and datasharing
A project to establish a government-wide framework (or frameworks) for the future of datasharing to take account of privacy requirements of the Data Protection Act 1998 and the Human Rights Act 1998. Project includes: survey of data-sharing within Government; Public attitudes; Legal framework; Technological change and trends and International experience. Key players include both NHS and Social Services. Project due for completion during 2001. Further information: www.cabinet-office.gov.uk/innivation
BMA Confidentiality and disclosure of health information - 14 October 1999 Further information: www.bma.org.uk
Information Commissioner (previously Data Protection Commissioner) For any guidance concerning the: Data Protection Act 1998; Freedom of Information Act 2000; Access to Health Records Act 1990 Further information: www.dataprotection.gov.uk
Page : 17 Appendix C – Quick Reference Guide for Staff
The following could be made into a booklet or PowerPoint presentation and is designed as a Quick Reference Guide for staff in understanding the legal requirements they must work within.
Slide 1
What is Caldicott?
• A review commissioned by the Chief Medical Officer to investigate the ways in which patient information is used in the NHS • The Caldicott committee made a number of recommendations aimed at improving the way the NHS handles and protects patient information. • These are summarised by 6 Information Management Principles
Slide 2
The Six Caldicott Principles
1. Justify the purpose(s) of using confidential information 2. Only use it when it is absolutely necessary 3. Use the minimum that is required 4. Access should be on a strict need-to-know basis 5. Everyone must understand his/her responsibility 6. Understand and comply with the law
Page : 18 Slide 3
What is the Data Protection Act 1998? • The DPA 1988 became law in March 2000. It sets standards which must be satisfied when obtaining, recording, holding, using or disposing of personal data. • These are summarised as 8 Data Protection Principles
Slide 4
What does the DPA Cover?
• As well as computer records the Act covers most manual records, eg. – Health - Finance – Personnel - Suppliers – Occupational Health - Contractors – Volunteers - Card Indices
Slide 5
The Principles
• Personal data must be: 1. Processed fairly and lawfully 2. Processed for specified purposes 3. Adequate, relevant and not excessive 4. Accurate and kept p to date 5. Not kept for longer than necessary 6. Processed in accordance with the rights of data subjects 7. Protected by appropriate security (practical and organisational) 8. Not transferred outside the EEA without adequate protection
Page : 19 Slide 6
1. Processed Fairly and Lawfully
• There should be no surprises, so… inform data subjects why you are collecting their information, what you are going to do with it and who you may share it with. • For example, when formulating a research project remember to be open and transparent about what you will be doing with the information. • When working in a team, ensure that the patient/client is aware of who the members of the team are, and that all those involved with their care mayneed to see their notes. • Be open, honest, clear
Slide 7
2. Processed Only for Specified Purposes • Only use the information for the purpose(s) for which it was obtained. – For example, personal information on a Patient Administration system must only be used for healthcare purposes – not for looking up friends’ addresses or birthdays. • Only share information outside your practice, team, home, ward, department or service if you are certain it is appropriate and necessary to so. • If in doubt, check first
Slide 8
3. Adequate, Relevant and Not Excessive • Only collect and keep the information you require • It is not acceptable to hold information unless you have a view as to how it will be used • Do not collect information “just in case it might be useful one day!” – Taking both daytime and evening telephone if you know you will only call in the day. • Explain all abbreviations • Use clear legible writing • Stick to the facts – avoid opinions and comments
Page : 20 Slide 9
4. Accurate and Kept Up-to-Date
• Take care inputting information to ensure accuracy. • How do you know the information is up-to-date? • What mechanisms do you have for checking the information is accurate and up-to-date? – For example, each time a patient attends a clinic they should be asked to confirm that their details are correct – address, telephone number, etc • Check existing records thoroughly before adding new records • Avoid creating duplicate records
Slide 10
5. Not Kept Longer than Necessary
• Follow retention guidelines – For the Record (HSC 1999/053) – GP Records (HSC 1998/217) • Check your organisation’s retention policy • Ensure regular housekeeping/spring cleaning of your information • Do not keep “just in case it might be useful one day!” • Check your organisation’s disposal policy • Dispose of your information correctly
Slide 11
6. Processed in Accordance with the Rights of Data Subjects • Subject access • Prevention of processing • Prevent processing for direct marketing purposes • Automated decision taking • Compensation • Rectification/blocking/erasure • Request and assessment
Page : 21 Slide 12
7.Protected by Appropriate Security - Practical • Ensure security of confidential faxes by using Safe Haven/Secure faxes • ALWAYS keep confidential papers locked away • Do you have a clear desk policy? • Ensure confidential conversations cannot be overheard • Ensure information is transported securely
Slide 13
7. Protected by Appropriate Security - Organisational • Your organisation should have: – Good information management policies – Guidelines on IT security – Staff Training – Confidentiality clauses in employment contracts – Procedure for access to personal data – A disposal policy/procedure for confidential information – Confidentiality contracts with third parties • Archiving companies, cleaners, temporary staff, external contractors
Slide 14
8. Not Transferred Outside the EEA Without Adequate Protection • If sending personal information outside the EEA ensure consent is obtained and it is adequately protected • Be careful about putting personal information on websites – gain consent first • Check where your information is going – Where are your suppliers based? EEA comprises: United Kingdom, France, Belgium, Germany, Denmark, Ireland, Netherlands, Sweden, Portugal, Spain, Finland, Luxembourg, Italy, Austria, Greece, Norway, Iceland, Leichtenstein
Page : 22 Slide 15
To Sum Up…
• Remember that information must be: – HELD - Securely and confidentially – OBTAINED - Fairly and efficiently – RECORDED - Accurately and reliably – USED - Effectively and ethically – SHARED - Appropriately and lawfully
Page : 23 Appendix D - Definitions
Anonymised information/data Data from which the patient/service user cannot be identified by the recipient of the information. The name, address and full postcode must be removed together with any other information (e.g. NHS number) that, in conjunction with other data held by or disclosed to the recipient, could identify the patient/service users. (GMC)
BS7799 British Standard for Information Management Security
Carer (to include informal carer and paid care A recognised person (carer/relative) who assistant) provides substantial and regular care for the patient/service user.
Caldicott Initially an NHS initiative to improve the security and confidentiality of patient/service user identifiable information. This has now been adopted by Social Services and parts of the voluntary and independent sector
Caldicott Guardian The Caldicott Guardian is a member of the senior management team who is responsible for the establishment of procedures governing access to, and the use of, personally-identifiable information within the organisation, and where local flexibilities exist, the transfer of such information from the organisation to other bodies.
In agreeing local procedures and protocols the Guardian should ensure consistency with any relevant central requirements and guidance Consent Guidance to an action based on knowledge of what the action involves and its likely consequences (GMC)
Consent (Express consent) Consent which is expressed orally or in writing (except where patient/service users cannot write or speak, when other forms of communication may be sufficient) (GMC)
If consent is gained orally a written record should be made
Health & Social Care Professional (to include A doctor, nurse and other care staff who are registration and/or professional bodies) bound by a professional body e.g. GMC, UKCC Patient Competent patients and parents of, or those
Page : 24 with parental responsibility for, children who lack maturity to make decisions for themselves. Adult patient/service users who lack the capacity to consent have the right to have their confidentiality respected. (GMC)
This will refer to an NHS patient, a Social Services end user/service user whose care is funded by the NHS and/or Social Services
Person identifiable information Any information which can identify an individual by name and/or number e.g. date of birth and full postcode or if the recipient has access to the look up tables - the NHS number will make the information identifiable
Personal information Information about people which doctors learn in a professional capacity and from which individuals can be identified (GMC)
Staff/Employee This will include health professionals, managers, administrative and clerical workers who support the role of the health professional providing care and treatment to the patient/service user and their relatives/carers
Page : 25 Appendix E - Glossary
EEA European Economic Authority (EU countries + other who have adequate protection to use personal information)
GMC General Medical Council
GP General Practitioner
HA Health Authority
ISP Information Security Policy
LASSL Local Authority Social Services Letter
NHS National Health Service
PCG Primary Care Group
PCT Primary Care Trust
SLA Service Level Guidance
SS Social Services
SSP System Security Policy
Trust NHS Hospital, Community, Ambulance or Primary Care Trust
Page : 26 Appendix F – Source Documents
Name Author Date Information Sharing between the South Thames IM&T Unit Feb 1997 NHS and Social Services Report on the Review of Patient Department of Health 1997 Identifiable Information General Protocol for Information Commissioned by the 1999 Sharing Between Agencies in Leeds Information Policy Unit Central Hampshire Electronic Health- North and Mid Hants Health Au- Jan 2001 care Record – Information Sharing thority Protocol Protocol for the Secure and Confid- West Surrey Health Community Apr 2001 ential Sharing of Personal Identifiable Information Protocol for Organisations to Ensure East Sussex Brighton & Hove Aug 2001 the Secure and Confidential Sharing LIS Confidentiality and of Personal Identifiable Information Security Sub-Group Draft Sharing Information Bath & Jan 2002 North East Somerset Primary Care Trust and Social Services Draft Data Sharing Protocol Wiltshire Jens Christensen, Data Protec- Jan 2002 County Council Social Services and tion Officer, Security Manager Primary Care Trusts IT Quick Reference Guide – Information East Surrey Local Health Com- Feb 2002 Security and Confidentiality munity
Page : 27