Information Governance Staff Handbook

January 2014

Contents

Introduction

Legislation and Regulations

Information Governance Structure

Guide to Confidentiality

Reporting Possible Breaches of Security or Confidentiality

Monitoring Access to Personal Identifiable and Sensitive Information

IT Security

Information Governance Mandatory Training

Records Management

Freedom of Information

New or Existing Programmes and Projects

Business Continuity Plans

Information Sharing

Smartcards

Information Governance Staff Handbook Confirmation Slip

Introduction

Information Governance (IG) is the practice used by all organisations to ensure that information is efficiently managed and that appropriate policies, system processes and effective management accountability provide a robust governance framework for safeguarding information.

Information Governance enables organisations to embed policies and processes to ensure that personal and sensitive information is:

  • Held securely and confidentially;
  • Obtained fairly and efficiently;
  • Recorded accurately and reliably;
  • Used effectively and ethically;
  • Shared appropriately and lawfully.

NHS organisations hold large amounts of personal and sensitive information, and all staff should be able to provide assurance that the Information Governance standards are incorporated within their working practices.

Personal and sensitive information can be contained within a variety of documents. For example:

  • Health Records;
  • Staff Information;
  • Corporate Information;
  • Commissioning Information.

It is important for staff to be aware of what constitutes personal and sensitive information. Further details on types of information are available within the Confidentiality module on the Connecting for Health – Information Governance Training Tool.

Legislation and Regulations

Members of staff should also be aware of the legislation surrounding Information Governance, which stipulates how organisations should safeguard information, what processes are in place to use, secure and transfer information, and how patients and members of the public can access personal/business information. The organisation must comply with the following:

  • Data Protection Act 1998
  • Caldicott Principles
  • Freedom of Information Act 2000
  • Privacy and Electronic Communications
  • Environmental Information Regulations
  • INSPIRE Regulations.

The NHS South Commissioning Support Unit (CSU) Information Governance Team has produced a suite of policies, processes and procedures, which are available from the Information Governance Team.

Adherence to Information Governance principles ensures compliance with the law and best practice, and embeds processes that help staff manage personal identifiable and sensitive information appropriately. It must also be noted that embedding information governance processes enables patients and service users to have greater trust in the Clinical Commissioning Group (CCG) and enables effective working across partner organisations.

Information Governance Structure

Clinical Commissioning Group Accountable Officer

The CCG Accountable Officer has overall responsibility for Information Governance within the organisation. As Accountable Officer, they are responsible for the management of the organisation and for ensuring appropriate mechanisms are in place to support service delivery and continuity. The management of information risk and information governance practice is now required within the Statement of Internal Control which the Accountable Officer is required to sign annually.

Clinical Commissioning Group Senior Information Risk Owner (SIRO)

The Senior Information Risk Owner for the CCG is an executive Board member with allocated lead responsibility for the organisation’s information risks and provides the focus for management of information risk at Board level. The SIRO must provide the Accountable Officer with assurance that information risk is being managed appropriately and effectively across the organisation and for any services contracted by the organisation. The CSU Information Governance Team will support the SIRO in fulfilling their role.

Caldicott Guardian

The Caldicott Guardian is the person within the CCG with overall responsibility for protecting the confidentiality of person identifiable data (PID) and for ensuring it is shared appropriately and in a secure manner. This role has the responsibility to feed back any Information Governance issues to the CCG Board. The CSU Information Governance Team will support the Caldicott Guardian in fulfilling this role.

NHS South Commissioning Support Unit Information Governance Team

The CSU Information Governance Team is responsible for ensuring that the information governance programme is implemented throughout the CCG. The team is also responsible for the completion and annual submission of the Information Governance Toolkit requirements for the CCG. The CSU Information Governance Team will support the CCG in investigating Serious Incidents Requiring Investigation (SIRIs), offer advice and ensure the organisation complies with legislation, policies and protocols.

Information Asset Owners (IAO)

The SIRO is supported by IAOs. The role of IAO is to understand what information is held, what is added and what is removed, who has access and why in their own area. As a result they are able to understand and address risks to the information assets they ‘own’ and to provide assurance to the SIRO on the security and use of the assets. The CSU Information Governance Team will support the IAOs in fulfilling their role.

Data Custodians

Data Custodians are also required to support the CCG SIRO and will work with the CSU Information Governance Team to ensure staff apply the Data Protection Act and Caldicott Principles within working practices. The CSU Information Governance Team will also provide local IG training, either face to face or by monitoring staff use of the IG Training Tool.

Caldicott Principles and Data Protection Act Principles

The Caldicott Principles

The Caldicott committee made recommendations aimed at improving the way the NHS uses and protects confidential information. All NHS employees must be aware of the six Caldicott Principles which apply to both patient and personnel data.

Data Protection Act 1998 and the Data Protection Act Principles

All organisations in the country must comply with the Data Protection Act 1998. Data protection law is enforced in the UK by the Information Commissioner’s Office (ICO), which has the power to fine organisations up to £500,000 for data protection breaches.

The following are the eight Data Protection Act principles that must be followed when handling personal and sensitive information. These principles should be considered when handling both corporate and clinical records.

Guide to Confidentiality

Everyone working in or for the NHS has the responsibility to use personal data in a secure and confidential way. Staff who have access to information about individuals (whether patients, staff or others) need to use it effectively, whilst maintaining appropriate levels of confidentiality. This guide sets out the key principles and main ‘do’s and don’ts’ that everyone should follow to achieve this for both electronic and paper records.

The common law duty of confidentiality requires that information that has been provided in confidence may be disclosed only for the purposes that the subject has been informed about and has consented to, unless there is a statutory or court order requirement to do otherwise.

Personal Data is any information about any living individual who can be identified, such as patients, health care professionals, other staff, suppliers, contractors etc. Such person-identifiable information may be manually held or automated and includes, for example, the contents of filing cabinets, all patient information (including medical records, photographs, x-rays and other images), computer disks, tapes, CD ROMs etc. Personnel records include those held by line managers as well as those held centrally by personnel departments. The use of all such personal data is controlled by the eight Caldicott principles. The Access to Health Records Act 1990 was largely superseded by the Data Protection Act 1998, but still applies to the records of deceased persons.

These Data Protection and Caldicott principles translate into key maxims for all staff to follow:

  • Patients and staff should be fully informed about how their information may be used.
  • There are strict conditions under which personal data may be disclosed.
  • In particular, certain disclosures are not allowed without the express consent of the individual.
  • Individuals have the right to see what information is held about them, and to have any errors corrected. They also have the right to request copies.
  • Personal information should be anonymised wherever and whenever possible.
  • The legitimate use, disclosure or sharing of personal data does not constitute a breach of confidentiality.
  • Sharing of personal data between organisations can take place with appropriate safeguards.
  • Sometimes a judgement has to be made about the balance between the duty of confidence and disclosure in the public interest. Any such disclosure must be justified.
  • Personal data should be kept secure and confidential at all times – as detailed below.

Some of the ways to keep information secure and confidential are:

Organisational arrangements

Make sure you know the name of the following:

  • SIRO
  • CSU IG Service Lead
  • Caldicott Guardian
  • Data Custodian
  • IAO

Limiting unnecessary access to personal information

  • Do not discuss confidential matters outside of work, or even with anyone at work who does not need to know it; be aware that other people may overhear.
  • Do not leave working papers lying around the office, or put confidential items exposed in in-trays; remove documents from photocopiers and fax machines as soon as possible after use.
  • Hold keys and other access means, such as lock combinations, securely away from the point of storage when not in use. Ensure that there is an appropriately secure system in place to allow access in the event of an emergency or an individual’s absence.
  • Keep offices locked when unoccupied, and maintain overall building security.
  • Keep workstations and other computer equipment secure, being particularly careful with laptops when not in use, especially not leaving them unattended in cars.
  • Lock away portables, disks, or tapes containing personal data or other confidential information when not in use.
  • Do not write down your computer passwords or share them with anyone.
  • Ensure that your PC monitor screen cannot be seen by other people, being careful in public reception areas.
  • Do not leave your PC unattended whilst it is logged in to the network or any system. (Note that if a ‘screen saver’ is used, it must be password protected and set to function effectively, and it must not be used as a substitute for logging off when leaving your workstation.)

Ensuring authorised access only

  • Access to records will be on a ‘named person’ basis only.
  • There is no automatic right of access to records and access must be agreed in advance with the Data Custodian or data ‘owner’. This can be either verbal or written permission.

Accuracy, retention and disposal

  • If adding information to records, do satisfy yourself of its current accuracy and relevance; any queries should be raised with the Information Asset Owner.
  • If you are an ‘Information Asset Owner’, do ensure that records are held with informed consent, are relevant for the purpose held, and are kept accurate and up-to-date; do ensure that records are culled yearly and held no longer than necessary for their purpose and in accordance with the NHS mandatory Retention and Disposal Schedule.
  • Ensure any personal or sensitive information is confidentially destroyed in accordance with the CCG Information Security policy. (Note that ordinary waste bins and ‘recycling’ bins are not to be used for papers showing personal or otherwise confidential details.)
  • Dispose of redundant equipment, especially disk or tape copies of confidential or sensitive information, in the proper manner through the CCG’s ICT provider.

Off-site working

  • Do not take records or other confidential information out of the office and especially off-site unless on approved business.
  • Always make sure that a list of the records that you take off site is retained at your base.
  • Safeguard the security and confidentiality of the information at all times. If records are taken off-site by agreement, do not leave them in your car but take them with you, and especially do not leave in your car overnight.

Requests for information

If you receive a request for information about a patient, staff member, etc. and it is not usually part of your job to respond:

  • Refer requests for personal information immediately to your line manager or to the person who is designated to deal with such a request (see below).
  • Refer any enquiries from the police or from the media to the person(s) designated to deal with such a request (see below).
  • Handle enquiries from relatives and friends in accordance with the wishes (consent) of the patient, taking care to identify the enquirer.
  • Guard against people seeking information by deception, in particular, by validating the identity of people requesting confidential information and by following the specific guidelines for dealing with such requests.

Abuse of privilege

  • Do not pass any information to your own relatives or friends, and do not attempt to find out details about them.
  • Do not pass on any information for personal or commercial gain.

Disclosures

You may, as part of your job, need to disclose patient information to others:

  • Keep the amount of information disclosed (even within the NHS) to the minimum necessary.
  • Do not duplicate records, (on paper, or in a computer) unless absolutely essential for the purpose.
  • Ensure that those to whom you may legitimately disclose personal details do not then pass them on inappropriately.
  • Ensure that confidential information is only disclosed to a non-NHS organisation, such as social services, in accordance with an agreed information sharing protocol (ISP); if in doubt, refer to the CSU Information Governance Team.

Patient contacts and patient details

  • Do not leave messages that contain personal or sensitive information on home answering machines, as the person who hears the message may not be the person for whom it is intended.
  • White boards or other displays that contain personal or confidential information should not be visible to the public.
  • Any notes containing personal data written whilst taking a phone call or other message should be confidentially destroyed.

Transferring Personal Identifiable or Sensitive Information

The ICO has reported that there have been a number of insecure transfers of information via fax, post and email, and has imposed monetary penalties on organisations that have failed to comply with the Data Protection Act. In order to prevent this occurring within the CCG, it is the responsibility of each individual member of staff to ensure that the following processes are followed when transferring personal identifiable and sensitive information.

NHSmail Process:

It is policy that emails containing any personal identifiable or sensitive information should be sent using an NHS.net account.

Any PID sent by this method is secure as long as it is sent to one of the following types of email account:

  • another NHS.net account
  • x.gsi.gov.uk
  • gsi.gov.uk
  • gse.gov.uk
  • gsx.gov.uk
  • pnn.police.uk
  • cjsm.net
  • scn.gov.uk
  • gcsx.gov.uk
  • mod.uk

If you intend to send personal sensitive information to any other type of email account not listed above, the information should be sent as an encrypted attachment. Please seek advice from the CSU Information Governance Team.
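The rule above can be enforced before a message leaves the organisation: every recipient domain must be on the secure list, or the attachment must be encrypted. The following checker is an added example written for this handbook, not CSU or CCG code; it uses the handbook's January 2014 domain list (the current list should be confirmed with the CSU Information Governance Team) and matches on label boundaries so that look-alike domains such as `nhs.net.example.com` are not accepted.

```python
"""Recipient-domain check for the NHSmail PID rule (added example, not CSU/CCG code)."""
import re
from email.utils import getaddresses
from typing import Dict, List, Optional

# Domains the handbook (January 2014) lists as secure destinations for PID
# sent from an NHS.net account. Taken from the handbook's own list.
SECURE_DOMAINS = frozenset({
    "nhs.net", "x.gsi.gov.uk", "gsi.gov.uk", "gse.gov.uk", "gsx.gov.uk",
    "pnn.police.uk", "cjsm.net", "scn.gov.uk", "gcsx.gov.uk", "mod.uk",
})


def domain_of(address: str) -> Optional[str]:
    """Return the lower-cased domain of one e-mail address, or None if malformed."""
    if address.count("@") != 1:
        return None
    local, _, domain = address.partition("@")
    domain = domain.strip().lower().rstrip(".")   # tolerate a trailing dot
    if not local or not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", domain):
        return None
    return domain


def is_secure_domain(domain: str) -> bool:
    """True only for a listed domain or a true subdomain of one (label boundary),
    so 'nhs.net.example.com' and 'notnhs.net' are rejected."""
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in SECURE_DOMAINS)


def classify_recipients(header_value: str) -> Dict[str, List[str]]:
    """Split a To/Cc header into secure, unapproved and malformed recipients."""
    result: Dict[str, List[str]] = {"secure": [], "unapproved": [], "malformed": []}
    for _name, addr in getaddresses([header_value]):
        if not addr:
            continue
        dom = domain_of(addr)
        if dom is None:
            result["malformed"].append(addr)
        elif is_secure_domain(dom):
            result["secure"].append(addr)
        else:
            result["unapproved"].append(addr)
    return result


def may_send_pid_unencrypted(header_value: str) -> bool:
    """PID may go unencrypted only if every recipient is on the secure list.
    An empty recipient list is deliberately not treated as safe."""
    r = classify_recipients(header_value)
    return bool(r["secure"]) and not r["unapproved"] and not r["malformed"]


if __name__ == "__main__":
    # Constructed sample header: one secure address, one look-alike, one outside address.
    sample = "Jo Bloggs <jo.bloggs@nhs.net>, x@nhs.net.example.com, gp@example.org"
    print(classify_recipients(sample))
```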

Safe Haven Fax Process:

Fax machines must only be used to transfer personal information where it is absolutely necessary to do so. The following rules must apply:

  • Ensure it is sited in an area that is restricted to those who need to access the information.
  • The fax is sent to a safe location where only staff that have a legitimate right to view the information can access it.
  • The sender is certain that the correct person will receive it and that the fax number is correct.
  • Notify the recipient when you are sending the fax and ask them to acknowledge receipt.
  • The confirmation of receipt should be checked to ensure the fax has been transmitted to the intended recipient, where possible the receipt should be attached to the original document.
  • Where possible the NHS number should be used for identification in preference to the patient’s name and address.
  • Care is taken in dialling the correct number.
  • Confidential faxes are not left lying around for unauthorised staff to see.
  • Only the minimum amount of personal information should be sent.
  • All confidential faxes sent should be clearly marked ‘Private and Confidential’ on the front sheet.
  • Frequently used numbers should be programmed into the fax machine ‘memory dial’ facility. This will minimise the risk of dialling incorrect numbers.
  • If you receive a call requesting that confidential information be sent via fax always call the requestor back to confirm the caller’s identity using an independent number source.
  • Always seek advice if you are unsure whether or not to send any information via fax.
  • If it is highly sensitive ensure someone is at the receiving end waiting for it.
  • Ensure only authorised staff handle confidential information.
  • If you receive faxes that contain personal information store them in a secure environment.
  • Fax machines should be turned off out of hours.

Safe Haven Post Process:

  • All incoming mail should be opened away from public areas. Outgoing mail (both internal and external) should be sealed securely and marked ‘private and confidential’ if it contains person-identifiable or sensitive information.
  • Where possible ensure post is sent to a named person.
  • Staff sending documents by external post or courier should use a ‘signed for’ delivery service. Use appropriate stationery, such as reinforced envelopes or document wallets, when necessary. Check that the address is typed or written clearly in indelible ink.
  • When staff are sending mail outside of the NHS, send documents only to known, named, authorised personnel marked ‘Confidential’.
  • Consider carrying out a risk assessment if appropriate.

Subject Access Requests