Local Caldicott and/or Information Governance Application Form
You must address the Caldicott Principles and Information Governance and Security requirements when submitting this application for the use of patient identifiable information
SECTION A: GENERAL INFORMATION
- Project/Proposal Title:
R&D No: / IRAS No: / Sponsor No:
- Name of Organisation accessing or receiving patient identifiable data:
- Person Responsible for the released data and Declaration:
(Principal Investigator or person responsible for local activity)
Name: / Position:
Organisation:
Email:
Telephone: / Address:
Declaration: I agree to abide by the Caldicott Principles and the NHS Lothian eHealth Security Policy. I confirm that the study will comply with the legal requirements and the responsibilities and obligations to respect patient confidentiality.
Dated signature:
- Please provide a brief description of aims, objectives and methods for the proposal for which identifiable data is required:
- Consent – what will the patient/participant consent to?
Please describe the consent sought in relation to collection, handling, storage and transfer of data i.e. what information is in the consent form? Is this consent explicit?
- What patient identifiable information are you looking to use?
Unless patient identifiers are required to meet the purpose of the request, only anonymised or pseudonymised data should be requested.
As patients can be identified from a combination of variables in anonymised data, such as date of birth, date of admission, treating hospital, area of residence, please request only the minimum details required to meet the purpose of the study.
The CHI (Community Health Index) is a unique personal identifier made up of date of birth, gender, and other information. It should wherever possible remain within the NHS. If required, consideration should be given to replacing the CHI with a study identifier and retaining the CHI within the NHS.
If CHI is used for data linkage, please ensure you describe, in section C of this form, by whom and where this is undertaken.
If accessing image data, please consider whether these contain identifiable information.
Please indicate all potentially identifying items that you are requesting.
Why is each data item required (Caldicott Principle 3)?
Data Item / Required (Y/N) / Reason Required
CHI Number
Forename
Surname
Initials
Age
Date of Birth
Gender
Address
Postcode
Other, please specify
Are there any other data items requested?
(Items that in combination with other information may increase the risk of disclosure)
Data items / Reason Required
SECTION B: CALDICOTT PRINCIPLES
You must address the Caldicott Principles (see Appendix 1)
- Outline Purpose(s) for which confidential information is to be used (Principle 1) and why patient identifiable information is required? (Principle 2):
The need for patients to be identified should be considered at each stage of satisfying the purpose(s).
Patient identifiable data should not be used unless there is no alternative.
Contacting Patients
If you intend to make contact with patients identified through the processing of this data, indicate how this will be done and how you will ensure that it is appropriate to contact them. It is recommended that contact is through correspondence signed by the patient’s GP/Clinical or Health of Clinical Services.
Data Linkage
If you intend to undertake data linkage to other health datasets what data is to be linked and where will this linkage be undertaken?
- Outline access to information? (Principle 4):
Only those individuals who need access to patient-identifiable information should have access to it, and they should only have access to the information items that they need to see.
Please describe how, where and by whom this information will be accessed.
- Outline action taken to ensure that everyone with access to the data is aware of their data protection and confidentiality responsibilities? (Principle 5):
Actions should be taken to ensure that those handling patient-identifiable information – both clinical and non-clinical staff – are aware of their responsibilities and obligations to respect patient confidentiality.
- Outline how your organisation’s legal requirements for the use of the data will be met? (Principle 6):
Every use of patient-identifiable information must be lawful. Someone in each organisation should be responsible for ensuring that the organisation complies with legal requirements.
SECTION C: DATA SECURITY
You must address the Information Governance and Security requirements
- Data Transfer
Give details of How, What and to Where the requested information will be transferred from the Data sources e.g. encrypted USB drive, password protected file, secure file transfer, NHS email attachment, paper sent by recorded delivery etc.
If data is to be transferred outside of the UK or outside of the European Economic Area (e.g. US), please specify.
- Safeguards
Describe the measures in place to protect and use the data securely and confidentially
For paper records:
Physical Location (Institution, NHS Lothian, University, Room):
Access controls (How will the data be stored and protected from unauthorised access?):
Anonymisation (How will the identity of individuals be protected):
For electronic data:
Physical Location (Institution, NHS Lothian, University, Room):
Access controls (Will a Safe Haven be used, if so, which one?):
If not using a Safe Haven:
How will the data be protected from unauthorised access?
Device to be held on (desktop, laptop, network storage, etc.):
Encryption (what encryption method will be used to protect the data?)
Format of the data (spreadsheet, database, etc.):
Anonymisation (how will the identity of individuals be protected):
- Data Retention and destruction
How long do you intend to retain the information that you will rely on for your study and how will you dispose of the information at that time?
For clinical trials, data cannot be destroyed without sponsor approval and retention will be in accordance with the protocol.
Once the application has been completed please email or send it to:
ACCORD
Queen’s Medical Research Institute
47 Little France Crescent
Edinburgh, EH16 4TJ
0131 242 3332
APPENDIX 1: CALDICOTT PRINCIPLES
Principle 1. Justify the purpose(s) for using confidential information
Every proposed use or transfer of patient-identifiable information within or from an organisation should be clearly defined and scrutinised, with continuing uses regularly reviewed, by an appropriate guardian.
Principle 2. Don’t use personal identifiable information unless it is absolutely necessary
Patient-identifiable information items should not be included unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).
Principle 3. Use the minimum necessary personal identifiable information
Where use of patient-identifiable information is considered to be essential, the inclusion of each individual item of information should be considered and justified so that the minimum amount of identifiable information is transferred or accessible as is necessary for a given function to be carried out.
Principle 4. Access to personal data should be on a strict need-to-know basis
Only those individuals who need access to patient-identifiable information should have access to it, and they should only have access to the information items that they need to see. This may mean introducing access controls or splitting information flows where one information flow is used for several purposes.
Principle 5. Everyone with access to personal confidential data should be aware of their responsibilities
Action should be taken to ensure that those handling patient-identifiable information - both clinical and non-clinical staff - are made fully aware of their responsibilities and obligations to respect patient confidentiality.
Principle 6. Understand and Comply with the Law
Every use of patient-identifiable information must be lawful. Someone in each organisation handling patient information should be responsible for ensuring that the organisation complies with legal requirements.
Principle 7. The duty to share information can be as important as the duty to protect the person's confidentiality.
Health and Social Care professionals should have the confidence to share information in the best interest of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.
For office use only:
Application checklist – is there access to:
Ethics Committee correspondence
Proposed study protocol
Information provided to patients, where appropriate
Information on relevant IG procedures e.g. Safe Haven arrangements
Other correspondence
For the use/release of patient identifiable information as specified in this application:
Caldicott Approval granted: Not required:
Information governance and security requirements have been checked?:
Name:
Position:
Dated signature:
GS008-F01 v2.0