DATA PROTECTION AND CONFIDENTIALITY POLICY
Page 1 of 45Printed Copies may become out of date. Check online to ensure you have the latest version. Printed on 21/10/2018 09:24
Contents and Page
DATA PROTECTION AND CONFIDENTIALITY POLICY
CONTENTS AND PAGE
EXECUTIVE SUMMARY AND INTRODUCTION
PURPOSE AND SCOPE
DUTIES AND RESPONSIBILITIES
SENSITIVE PERSONAL DATA
PROCESSING DATA
TRANSFERRING DATA ABROAD
COMMUNICATING PATIENT INFORMATION
DISCLOSURE OF INFORMATION/INFORMATION IN TRANSIT
SAFEHAVENS
REPORTING BREACHES OF CONFIDENTIALITY
DATA LOSS INCIDENTS/EXTERNAL ACCOUNTABILITY
SECURITY/CONFIDENTIALITY
STORAGE/DISPOSAL OF INFORMATION
STAFF ISSUES
INFORMATION RISK
TRAINING
AUDIT
MONITORING OF THE DOCUMENTED PROCESS OF THE POLICY
SOURCES/ REFERENCES
GLOSSARY OF TERMS
ASSOCIATED DOCUMENTS
APPENDIX 1 THE DATA PROTECTION PRINCIPLES
APPENDIX 2 ACCESS TO HEALTH RECORDS POLICY
WHERE PATIENT CONSENT IS NOT NEEDED
WHERE PATIENT CONSENT IS NEEDED
ACCESS TO PERSONAL DATA (Under Access to Health Records 1990 and Data Protection Act 1998)
DATA PROTECTION ACT 1998 APPLICATION FOR ACCESS TO HEALTH RECORDS
SUBJECT ACCESS FORM NON-HEALTH RECORDS
APPENDIX 3 FAX COVER SHEET
APPENDIX 4 INFORMATION SHARING PROTOCOL BETWEEN WARRINGTON AND HALTON HOSPITALS NHS FOUNDATION TRUST
APPENDIX 5 IAO SYSTEM RISK ASSESSMENT FORM
APPENDIX 6 NON-DISCLOSURE AGREEMENT
EQUALITY IMPACT ASSESSMENT
DOCUMENT INFORMATION BOX FOR THE DATA PROTECTION AND CONFIDENTIALITY POLICY
Executive Summary/Introduction
The Data Protection and Confidentiality policy sets out a framework for the use of the information which the Trust records, holds, processes and transfers. The information collected by the Trust will include personal details pertaining to current, past and prospective patients, current, past and prospective employees, suppliers, clients/customers, and others with whom it communicates.
The Data Protection Act (1998) defines a legal basis for the handling in the UK of information relating to living people. This document includes guidance for staff on processing information in accordance with the principles and legal obligations outlined in the Data Protection Act (1998) and how to comply with best practice for information handling as described in the NHS Code of Confidentiality and the Caldicott Report of 1997.
Karen Dawber
Director of Governance and Workforce
Purpose and Scope
The Trust has a legal obligation to comply with legislation relating to data, information and IT security. Guidance and policy issued by the DOH must also be adhered to.
The requirements within the Policy are primarily based upon the Data Protection Act 1998 which is the key piece of legislation covering the security and confidentiality of the personal information of living individuals.
The purpose of the Trust’s Data Protection Policy is to provide staff with guidance on the use of information in accordance with the principles and legal obligations outlined in the Data Protection Act 1998 and how to comply with the NHS Code of Confidentiality.
The conditions contained within this policy apply to all Warrington and Halton Hospitals NHS Foundation Trust staff including:
- Part Time and Full Time Staff
- Non-Executive Directors
- Contracted third parties (inc Bank, Agency and NHS Professionals)
- Trainee Staff
- Volunteer Staff
- Contractors
- Company Representatives who have access to patient information
The Data Protection Act 1998 covers all information relating to living individuals and which satisfies the following criteria.
a) ‘Is being processed by means of equipment operating automatically in response to instructions given for that purpose’. This will include computers, laptops, email, smartphones, USB memory sticks, microfiche, fax, CCTV and any other automated equipment.
b) ‘Is recorded with the intention that it should be processed by means of such equipment’. This will include information recorded in hardcopy form which will be input into computers or other automated systems.
c) ‘Is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system’. This includes paper/manual files which are kept in a structured order and from which information relating to living individuals can be extracted without excessive effort.
d) ‘Does not fall within paragraph a), b) or c) above but forms part of an accessible record as defined by section 68’ of the Data Protection Act 1998. Section 68 includes health records consisting of information relating to the physical or mental health of an individual, which has been made by, or on behalf of, a health professional in connection with the care of that individual.
The Data Protection Act contains 8 principles of Data Protection which describe legal requirements in relation to the collection, storage, accuracy, retention and disclosure of personal information. The 8 data protection principles are listed in Appendix 1, and a glossary of terms relating to data protection and confidentiality is provided in the Glossary of Terms section of this policy.
The Data Protection Act 1998 does not apply to deceased persons but where possible deceased persons should be afforded the same level of confidentiality as living individuals.
Duties and Responsibilities
Board of Directors
It is the role of the Board of Directors to define the Trust’s policy in respect of Data Protection taking into account legal and NHS requirements. The Board is also responsible for ensuring that sufficient resources are provided to support the requirements of the policy.
Chief Executive
The Chief Executive has overall responsibility for compliance with the Data Protection Act 1998 within the Trust.
Delegated Executive Lead
The Director of Governance and Workforce has been delegated by the Chief Executive to take Executive ownership for the management of Governance, of which Information Governance is a major element within the Governance Assurance Framework.
The Senior Information Risk Owner
The Director of Strategy and Business Development is the Trust’s executive lead for information risk. The SIRO is responsible for acting as an advocate for information risk on the Trust board and, along with the Information Governance Manager, is responsible for the provision of the information governance statement within the Statement of Internal Control.
The Caldicott Guardian
The Caldicott Guardian is responsible for ensuring that national and local guidelines on the handling of confidential personal information are applied consistently across the Trust. The NHS and all persons working within it have a common law duty of confidence to patients and a duty to maintain professional ethical standards of confidentiality.
The Associate Director of Governance
The Information Governance Manager reports directly to the Associate Director of Governance.
The Information Governance and Corporate Records Manager
The Information Governance and Corporate Records Manager is the operational lead for Data Protection. The Information Governance and Corporate Records Manager is responsible for the production and maintenance of all Information Governance related policies, standards and action plans.
Senior Managers, Clinicians and Divisional Heads of Nursing and Heads of Department
Are responsible for ensuring that their staff are aware of the Trust policy in relation to Data Protection and to ensure completion of Information Governance training and adherence to Information Governance policies.
All Staff
All staff are expected to comply with the Data Protection and Confidentiality policy.
SENSITIVE PERSONAL DATA
The DPA 1998 makes a distinction between personal data and “sensitive” personal data which refers to the following:-
- Racial or ethnic origin
- Political opinion
- Religious or other beliefs
- Trade Union membership
- Physical or mental health or condition
- Sexual life
- Criminal proceedings or convictions
Sensitive personal data can be processed provided that at least one of the following conditions has been met:-
• The Data Subject has given their explicit consent
• It is necessary for monitoring equal opportunities
• It is a legal requirement of the subject’s employment
• It is necessary to protect the vital interests of the subject
• It is necessary for legal proceedings
• It is necessary for medical purposes
• The Secretary of State has given consent
• It is necessary for the prevention or detection of any unlawful act
• It is necessary for the provision of services such as confidential counselling or advice
• It is necessary for insurance or occupational pension scheme contracts
This list is not exhaustive and may be added to by the Secretary of State.
PROCESSING DATA
An essential requirement of the DPA is that all data must be processed “fairly”. The Trust will therefore ensure that:-
- The Data Subject will not be deceived or misled.
- The Data Subject will be informed of the purpose for which the personal data is intended to be used by the Trust.
- The Data Subject will be informed whether the data is likely to be passed to a third party.
TRANSFERRING DATA ABROAD
Personal Data will not be transferred outside of the United Kingdom unless that country or territory “ensures an adequate level of protection” for the rights and freedoms of Data Subjects. Transfers of Data may take place:
• Where the data subject has given explicit consent
• Where the transfer is in the vital interests of the data subject
• Where it is necessary to perform or make a contract
• By reason of substantial public interest
• Where the data forms part of Personal Data on a Public Register
• Where the transfer is on terms approved by the Information Commissioner
COMMUNICATING PATIENT INFORMATION
- All data flows which involve sending patient-identifiable information outside of the Trust should be logged with Information Governance.
- The Trust’s email system can be used to transfer PID (person identifiable data) between users on the internal Trust network. PID which is sent external to the Trust should be sent to and from the secure, encrypted NHS mail service. The NHS mail service can be accessed via the national email icon on the desktop of Trust computers.
- It is recommended that Trust employees contact Information Governance (ext 5673) before considering the transmission of any significant amounts of person identifiable data to ensure that the most secure method of communication is being used.
- Person identifiable data should only be transferred outside of the UK for processing if it is securely encrypted during transit and if the recipient country guarantees the same levels of protection that apply in the UK.
- In the event that Person identifiable data is transmitted via FAX such transmissions should only be performed from Safehaven FAX machines. The term ‘safe haven’ applies to FAX machines which satisfy the requisite criteria to ensure secure transmission and receipt of person identifiable data.
- A limited amount of person identifiable data (name and Meditech number) may be sent to the approved groups on the Trust network, by the Communications Team, in order to recover missing patient information. Such action may be taken if it is in the vital interests of the data subject.
DISCLOSURE OF INFORMATION/INFORMATION IN TRANSIT
- Care must be taken to ensure that disclosure of personal or sensitive information is for an authorised purpose. Any staff in doubt as to whether a disclosure of information is authorised should check with their manager or Information Governance (ext 5673).
- A request to access/view a patient health record must be made in writing to the Trust in accordance with the current Access to Health Records Policy contained within Appendix 2.
- Information relating to patients, including communication of test results, should not be given over the telephone unless the person communicating the information can ensure they are speaking to someone entitled to receive the information, e.g. a GP practice.
- When disclosing confidential or sensitive information over the phone consideration must be given to authenticating the caller. Callers should be called back at the switchboard of the organisation they are calling from in order to verify their identity.
- It is recommended that a password system is used when relatives enquire about inpatients by phone. A password can be agreed with relatives which will assist staff in authenticating callers.
- Always ask for the service user by name. Only leave messages with another person if the service user has agreed this with you beforehand.
- Do not leave messages on answer machines, as they may be accessed by other members of the family or be overheard by visitors. If you have to contact a patient urgently, leave a message asking the service user to telephone a named person on a given number, rather than revealing the identity of the organisation.
- Always check with the service user that it is convenient to talk. If it is not convenient, agree to telephone again at an agreed time when they are able to talk.
- Any requests for patient/staff information from the police should be directed to the Medico-Legal team within Medical Records.
- On occasions when the Police ask for the release of personal information because it is required to prevent or detect a crime, or to catch and prosecute a suspect, a section 29 (crime exemption) form should be provided by the Police to the Information Governance and Corporate Records Manager.
- Some disclosures of information will occur to fulfil a statutory obligation on the Trust to disclose information, for example where a court order must be complied with or where other legislation requires disclosure (tax office or pension agency in the case of staff, notifiable diseases in the case of patients).
- Information relating to patients and staff which is transported on removable electronic media should be encrypted in order to comply with NHS policy.
- Approved transport couriers should always be used to transport person identifiable data between both Trust sites and external organisations. Packaging should be robust enough to protect the contents from physical damage.
- Contracts between the Trust and third parties should contain an appropriate confidentiality clause which should be disseminated to third party employees.
Safehavens
Definition of the Term ‘Safe-Haven’
A location (or in some cases a piece of equipment) situated on Trust premises where arrangements and procedures are in place to ensure person-identifiable information can be held, received and communicated securely.
Requirements for Safehavens
It should be a room that is locked or accessible via a coded keypad known only to authorised staff. The office or workspace should be sited in such a way that only authorised staff can enter that location, i.e. it is not an area which is readily accessible to any member of staff who works in the same building or office, or to any visitors.
Fax Machines
Fax machines must only be used to transfer personal information where it is absolutely necessary to do so, and no secure alternative is available. The following rules must be adhered to:
- The fax is sent to a safe location where only staff that have a legitimate right to view the information can access it.
- The sender is certain that the correct person will receive it and that the fax number is correct.
- The recipient is notified when the fax is transmitted and they are asked to confirm receipt
- Care is taken in dialling the correct number.
- Confidential faxes are not left lying around for unauthorised staff to see.
- Only the minimum amount of personal information should be sent, where possible the data should be anonymised or a unique identifier used.
- Faxes sent should include the corporate cover sheet which is available in Appendix 3 and contains a suitable confidentiality clause.
- Information received by FAX should be collected as soon as possible and checked to make sure only relevant information is removed from the FAX machine tray.
Communications by Post
The following rules must be adhered to:
- All sensitive records must be stored face down in public areas and not left unsupervised at any time
- Incoming mail should be opened away from public areas
- Outgoing mail (both internal and external) should be sealed securely and marked private and confidential. The contents of mail sent should be thoroughly checked before sending to ensure only the required information is contained within.
- Outgoing mail containing sensitive and person identifiable data must be sent using secure mail (Royal Mail tracked services), or via an authorised courier.
Computers
The following rules must be adhered to:
- Access to any PC must be username and password protected, usernames and passwords must not be shared.
- Computer screens must not be left on view where members of the general public, or staff who do not have a justified need to view the information, can see personal data.
- PCs or laptops not in use should be locked (using Ctrl, Alt, Delete function), switched off or have a secure screen saver device in use.
- Mobile devices must be encrypted to an approved standard.
- Information must be held on the Trust’s servers, not stored on local hard drives.
- Departments should be aware of the high risk of storing information locally and take appropriate security measures.
- Personal information of a more sensitive nature should be sent from point to point using NHSmail or a similarly encrypted service with appropriate safeguards.
- Information sent by email will be safely stored and archived as well as being incorporated into patient records where necessary
- There are adequate back-up arrangements
- Person identifiable or sensitive corporate information should not be saved or copied onto any PC or removable media that is outside the control of the Trust or partner organisations with a legitimate business need for access.
REPORTING BREACHES OF CONFIDENTIALITY
All potential or actual confidentiality breaches must be recorded within 24 hours on the Datix incident reporting system and reported to the Information Governance and Corporate Records Manager for investigation and resolution. Once reported the details of the breach will be investigated and, if necessary, escalated to NHS Northwest and the Information Commissioner.
The severity of data loss incidents will be calculated using the table below.
Matrix for Calculating the Severity of Data Loss Incidents
Level 0: No significant reflection on any individual or body. Media interest very unlikely.
Level 1: Damage to an individual’s reputation. Possible media interest, e.g. celebrity involved. Potentially serious breach. Fewer than 5 people affected, or risk assessed as low, e.g. files were encrypted.
Level 2: Damage to a team’s reputation. Some local media interest that may not go public. Serious potential breach and risk assessed as high, e.g. unencrypted clinical records lost. Up to 20 people affected.
Level 3: Damage to a service’s reputation. Low-key local media coverage.
Level 4: Damage to an organisation’s reputation. Local media coverage.
Level 5: Damage to the NHS’s reputation. National media coverage.
All incidents rated 1-5 should be reported to NHS Northwest via the STEIS system after the SIRO has been informed. Incidents rated 3-5 should also be reported to the Information Commissioner and should be captured as SUIs. The Information Governance and Corporate Records Manager will be responsible for the reporting of such incidents.