Data Protection and Information Governance

Opt-out form

NSS does not have a template form specifically designed for the purpose of ‘opting out’ of our processing of patient data. Should a patient wish to opt out of our processing of their personal data, we would simply ask that we receive a written request supported by adequate proof of identity to enable us to verify it and locate their personal data on our systems/databases. Our subject access request form available here http://www.nhsnss.scot.nhs.uk/supplementary_pages/publication_detail.php? pid=110 explains the type of information we require to identify an individual uniquely and verify their identity.

Opt-in form

NSS does not have a standard opt-in/consent form for its uses of personal data. Where patients do not wish their personal data to be included within our processing we would ask that they opt out as described above.

A full A-Z list of ISD’s national datasets is published in our on-line National Data Catalogue at http://www.ndc.scot.nhs.uk/National-Datasets/Full-A-Z/index.asp Data are collected at NHS Boards and related health and care bodies, using different data collection mechanisms. Any requests to ‘opt out’ of these datasets would be handled as described in our response above. The patient could also raise their objection with the collecting health and care organisation.

National Screening Programmes and National Managed Clinical Networks

We currently commission and co-ordinate important elements of national screening programmes. Patients do not have to participate in the national screening programmes and ‘opt out’ information for the following national programmes was given: Abdominal Aortic Aneurysm (AAA), Scottish Bowel Screening, Breast Screening, Cervical Screening, Diabetic Retinopathy Screening (DRS), Pregnancy and Newborn Screening.

We commission a number of National Managed Clinical Networks on behalf of NHS Scotland. Managed Clinical Networks are virtual entities designed to drive upwards the standards of patient care through integration of services and collaboration. There are a number of NMCNs in Scotland. Inclusion of a patient and their data within an NMCN is a matter led by the clinician leading the patient’s care. Patients must therefore discuss their choice in relation to their inclusion within an NMCN with the relevant health professional leading their care. One responsibility we have in relation to NMCNs is for an IT tool – the Clinical Audit System (‘CAS’). We developed CAS in order to support networks in improving and monitoring the quality of patient care. NHS Inform has published a patient factsheet on-line at entitled ‘Confidentiality: how the NHS protects your personal health information’. It is for anyone who uses the NHS in Scotland and explains the key uses of patient data in Scotland, including at ISD and PSD, and patient rights in relation to confidentiality.

ISD has published general information about how it ensures the confidentiality and data protection of information on a dedicated web page at http://www.isdscotland.org/About-ISD/confidentiality/index.asp?Co=Y. The ISD fair processing notice which is called ‘Safe and secure use of personal health information’ is available on the web page. ISD also provides more detailed fair processing information to patients with specific conditions, including those listed below:

 Cancer Registration

 Musculoskeletal Audit

 Scottish Drugs Misuse Database

 Scottish Stroke Care Audit

PSD has published fair processing information on-line in its leaflet ‘How we use your personal information A guide for patients’. Information on how patient data is used is also included in a number of patient forms, which you can read when receiving certain NHS primary care services, in particular:

 Dental services: GP17 and GP17PR forms

 Ophthalmic services: GOS3 and GOS4 forms

 Ophthalmic hospital services: HES3 and HES4 forms

 Pharmacy services: Changes were made to the patient declaration of all Scottish NHS prescription forms in October 2014 with a privacy notice advising patients on how data is shared, with further changes to the declaration in November 2015. This is described in the latest NHS Circular ‘NHS Prescription Stationery’ which is published on-line at http://www.sehd.scot.nhs.uk/pca/PCA2015(P)29.pdf .

 Medical/ GP services: the GPR form, a Scottish Government form, explains how patient data are used. The relevant NHS circular ‘Updated application form (GPR) to register permanently with a general medical practice’ which contains a copy of the form is published on-line at http://www.sehd.scot.nhs.uk/pca/PCA2013(M)04.pdf.

Privacy Impact Assessment Privacy impact assessment is a process, and not a one-off exercise. The document created to capture the assessment will usually go through a number of iterations, with recommendations and changes made in response being captured and updated on an on-going basis. We have a number of Privacy Impact Assessments (PIAs) across ISD and PSD, in different, including very early, stages of development. Copies of PIAs, many in draft form, generated by the work programmes in ISD and PSD listed below were provided.

 AHP Operational Measures Proof of Concept Pilot

 AHP Waiting Times census

 Children and Young People with Cancer

 Community Data

 DAISy

 Enhanced RAPID

 GP Out of Hours

 Health and Social Care Data Integration and Intelligence Project (HSCDIIP)

 Injecting equipment provision

 IVF Screening Waiting Times HEAT Target

 NASA

 National Primary Care Workforce Survey 2015 – Out of Hours Strand

 NHS Scotland Infection Intelligence Platform

 NHS Scotland Staff Survey

 NSS Discovery

 Scottish Adult Oral Health Survey

 Scottish Cancer Registration

 Scottish Care Home census

 ScotSID – Scottish Suicides Information Database

 Scottish Health Information Service (SHIS)

 SPIRE  Stage 1 of the PACS National Safe Haven

 User Access System

 Community Health Index (CHI) and Child Health Transformation Programme – Procurement Project

 eDental Payment and Approval Modernisation

 eOphthalmic Payments

 ePrior

 Tooth Specific

Service Level Agreements used with partners (processor/ controllers) as they relate to NHS patient data

When we use third party companies to handle NHS patient data, we are required to meet the requirements of the Act and Scottish Government guidance set out in a Chief Executive Letter (CEL 25 (2011)) ‘Safeguarding The Confidentiality Of Personal Data Processed By Third Party Contractors’.

When we provide IT services, including the use of NHS patient data, to other NHS boards we are similarly mindful of the need to handle patient information safely, and follow the ‘Data Processing Provisions For The Processing Of Person-Identifiable Data By NHS National Services Scotland (NSS) Via Its Division National Systems Information Group (NISG) Under The Terms Of Service Level Agreements With NHS Boards’.

The Health Board Partnership Agreement April 2013 - March 2016 between NSS and NHS Boards sets out how NSS discharges its responsibilities to register patients and pay Primary Care Practitioners.

In support of health and social care integration, there are 32 service level agreements in place between the relevant Council, NHS Board, Integration Joint Board and our organisation. A template version of the agreement ‘Service Level Agreement in relation to Health and Social Care Integration amongst XX Council, XX NHS Board, XX Integration Joint Board and The Common Services Agency for the Scottish Health Service April 2015-March 2016’ was provided.

Data Processing agreements in relation to ‘CHI Seeding’ are in place between NSS and the following local authorities:

 Dundee City Council  East Ayrshire Council

 The Fife Council

 Inverclyde Council

 North Lanarkshire Council

 Renfrewshire Council

 West Lothian Council

Other specific partners with whom we have service level agreements/ contracts in place which may relate to the use of NHS patient data include:

 Atos

 AxSys

 Carestream Health

 Debt Managers (Services) Limited

 Dolby Vivisol

 GE Healthcare

 Healthcare Improvement Scotland (HIS)

 Medical Data Solutions and Services

 Norwel

 RSS

 ServicePoint

 Shred It

 University of Edinburgh

Information Sharing Protocols that are being used by both ISD and PSD

Scottish Government guidance (Scottish Government, Intra NHS Information Sharing, V1, December 2011, paragraph 14) is that there is no requirement to develop information sharing protocols between NHS organisations.

ISD ISD has data sharing agreements in place with the National Records of Scotland in relation to the sharing of NHS Number.

PSD may share details of prescriptions (which may include patient details) claimed by Community Pharmacy contractors with Community Pharmacy Scotland under Regulation 10(4) of Schedule 1 to The National Health Service (Pharmaceutical Services) (Scotland) Regulations 2009: (4) The Board or Agency shall, if so required by an organisation which is recognised by the Scottish Ministers as representative of the general body of pharmacy contractors, afford the said organisation similar facilities for examining such forms and particulars relating to all or any of the pharmacy contractors and shall take into consideration any objection made thereto by the said organisation.

Senior Information Risk Owners for ISD, PSD and Lothian Health Board

The Senior Information Risk Owner (SIRO) for NSS is Mr John Fox-Davies, Director of Strategy and Governance. ISD and PSD as business areas of NSS do not have additional/ separate SIROs.

We do not know the name of the SIRO for Lothian Health Board. To find this out we recommend you contact the headquarters of NHS Lothian: Lothian NHS Board, Waverley Gate, 2-4 Waterloo Place, Edinburgh, EH1 3EG, Telephone: 0131 536 9000.

Detail mandatory training and governance NOW in place – to ensure all those with access to NHS patient data are aware of NHS patients (their) rights, their role responsibilities, and accountability for their actions/inactions.’

Training and policy: NSS has mandatory training in place for all staff in the ‘Safe Handling of Information’ and for Freedom of Information. Both are on-line learning modules; the Safe handling of Information module was developed by NHS Education for Scotland and the Freedom of Information module was developed in house.

All staff joining NSS must sign the NSS Confidentiality Policy prior to taking up their post and information governance awareness is part of the mandatory NSS induction programme. The Confidentiality Policy sets out the standards and practices relating to confidentiality and all staff are required to meet these standards. The policy covers all personal identifiable information whether it relates to patients, blood donors or members of staff, it also covers confidential business information. Responsibilities of staff and managers are set out and there is a clear statement relating to persistent failure to follow policy.

Governance: Overarching responsibility for information governance in NSS resides with the Board and this duty is discharged by the Information Governance Board sub-committee which scrutinises NSS's compliance with relevant legislation, legal duties and performance against national standards. An NSS Information Governance Group, comprising senior managers and IG professionals, provides assurance to the Information Governance sub-committee that NSS is meeting it legal and regulatory commitments with respect to the information that it holds. In addition the NSS Caldicott Guardian (NSS Medical Director) is responsible for making sure that patient information in NSS is looked after safely and securing and only accessed by those who have a legitimate right to do so. Business units within NSS also have Caldicott Guardians with responsibility for patient information within their own areas.