NHS - Policy
APPENDIX I
Information Sharing Protocol
This protocol must be completed by the section / department that collects the data (data owner) and the section / department that will receive the data, for every data sharing arrangement.
Information Sharing Protocol Title:
Date of Protocol:
Review Date:
DATA OWNER: / DATA SHARED WITH: / DATA ALSO SHARED WITH:
Service Area / Department
Named Contact
ADDRESS
Postcode
PURPOSE/REASON for DATA
SHARING / TRANSFER
Will the data be transferred outside the UK? Any transfer of personal data outside the UK must be authorised by the Trust’s Caldicott Guardian or IG Manager.
Yes (if yes, complete the details below) / No
Name of person authorising the transfer:
Job Title: Date:
Security Assurance Details:
THE LEGAL FRAMEWORK relating to the purpose(s) for sharing information.
Legislation containing express powers or which imply powers to share:
- Contract or Service Level Agreement
- National Health Service Act 1977
- The Health and Social Care Act 2003
- Immigration and Asylum Act 1999
- Crime and Disorder Act 1998
- Statutory Guidance
- Road Traffic Act
- Protection of Children Act 1999
- The Children Act 2004 and 1989
- Local Government Act 2000
- Education Act 2002 and 1996
- Learning and Skills Act 2000
- Education (SEN) regulations 2001
- Leaving Care Act 2000
Statutory Guidance –
DATA DESCRIPTION
What data is required / Where will this data be sourced
E.g.: Patient information from health care records and patient information systems, to include personal data, NHS number, diagnosis, and health care needs. / Patient information from a health care record detailing the mother’s delivery date and breast feeding ???
DATA TYPE
e.g. service user
Refer to the level of identity used in the sharing of data and, where necessary, assess the level of identity that arises from combined sets of data.
E.g.: Children or Young Person’s:
First Name & any alias
Family Name & any alias
Date of Birth
Gender
Last registered School
Last Registered GP
Parent / Carer’s Name
Parent / Carer’s Contact details
Mother’s name:
Baby’s delivery date:
Protective Marking
Salisbury NHS Foundation Trust’s agreed protective markings for information / data are:
NHS Confidential and Patient Information:
Patient demographic details that might identify people who have had a GP contact/hospital appointment within a particular timeframe or who may have a particular condition.
NHS Confidential for other purposes (information whose disclosure would):
Adversely affect the reputation of the organisation or its staff, or cause substantial distress to individuals;
Make it more difficult to maintain the operational effectiveness of the organisation;
Cause financial loss or loss of earning potential, or facilitate improper gain or disadvantage for individuals or the Trust;
Prejudice an investigation or facilitate the commission of a crime or other illegal activity;
Breach proper undertakings to maintain the confidence of information provided by third parties, or impede the effective development or operation of policies.
NHS Restricted
The documents which fall into this category include:
Documents of internal management meetings;
Documents of groups involving the preparation of the work programme;
Documents that have not been finalised or adopted;
Documents containing sensitive details supplied by third parties in confidence;
Management reports prepared by external consultants.
NHS Protect
In Government a new marking of “PROTECT” was recently introduced. This discretionary marking may be used in order to avoid unauthorised access to information. It establishes basic principles: handle with care, take relevant precautions and dispose of properly.
Unclassified
Documents do not require a formal classification marking. However, marking them as Unclassified indicates that a decision has been made.
All documents released must contain the protective marking NHS Confidential in the header of the document.
Staff sending emails containing patient identifiable data must mark the email as confidential and request a read receipt from the recipient.
All staff must take the appropriate precautions set out in the Trust’s Acceptable Use of Email Policy.
Name of DATABASE(S) / data system to be used, e.g.:
Health: IPM, Pathology, Radiology
Staff: ESR (Electronic Staff Record)
Data to be gathered from:
Data to be added to:
And to:
CONSENT
The legal basis for sharing information, in relation to the initiative, based on consent or other legal justifications for sharing.
How will individuals be informed of the sharing of data where required, e.g. by signing a final version of an assessment? / Privacy Notice: how / where is this published / made available to the patient / service user?
Is this a Statutory or Voluntary Requirement?
Statutory
E.g. The Children Act 2004 s10 & 11
Children Act 2004 Section 12
Section 29(3) of the Data Protection Act 1998
Voluntary
E.g. a child or young person and/or their parent/carer must give their consent at the start of the process in the full knowledge of what will happen to the information (e.g. how it will be stored, who will have access to it, how it will be used), preferably through signing a form in the appropriate place on the final.
How will you ensure that information of data subjects who have refused consent is not shared / included?
Copies of refused consent must be recorded within the appropriate department and the patient’s record.
PHYSICAL TRANSFER METHOD
e.g. Email, Memory Stick, Tape, Secure electronic Network, NHS.net, Laptop PC, Paper.
Agreement to the process of exchange, taking account of threats and vulnerabilities in the proposed communication methods and ensuring adequate safeguards to protect the information during transit and storage are in place.
- Electronically: CSV files or XML files via an agreed secure website / network, e.g. GCSx to N3. Using this method the data must be encrypted during transfer and password protected.
- Hard copy of data in paper format or on portable media: refer to agency procedures and send by Royal Mail Special Delivery.
- Data shared verbally by phone call (1 or 2 records):
  - confirm the identity of the receiving agent
  - keep an agency record of the:
    - call,
    - data shared,
    - person spoken to and
    - actions agreed.
SOFTWARE FORMAT USED
e.g. Word, Excel, CSV, etc.
ENCRYPTED or UNENCRYPTED
QUALITY
Any data provided will be in line with the Data Protection Act 1998.
The data owner makes a commitment to provide data that is accurate and complete.
Data Errors –
If, following the exchange of data, inaccuracies are identified, these will be notified to the data owner. Under the Data Protection Act it is expected that where a data error is verified it will be corrected before the next data exchange.
Agencies regularly exchanging data must adopt a Data Strategy and Data Plan to promote good quality data and agree how data issues will be addressed.
DATE and TIME OF TRANSFER
or commencement if ongoing
FREQUENCY or ONGOING
CHANGES
How will these be notified to the data owner / receiver?
To include:
the purpose for which data is being shared
the method by which data is being shared
changes in the categories of data to be shared
changes in personnel
changes in security status
RETENTION
Agreement to the period of retention of data – with reference to organisational retention schedules and the longest applicable period, unless there is reason for destruction of copies of data.
Data / information in general should be held securely only for as long as is needed to complete the job it was requested for.
Copies of data / information must not, under any circumstances, be made or held / stored by the receiving agency / organisation.
At the end of the contract, Service Level Agreement or partnership, the receiving organisation must supply Salisbury NHS Foundation Trust with a certificate of destruction.
SECURITY
A process for managing breaches of security, inappropriate disclosure of data and loss of data.
The agency with which data sharing occurs must have a process for managing breaches of security, inappropriate disclosure of data and loss of data.
Agencies providing data must comply with National Information Sharing Guidance and local agency / organisation protocols and policies with respect to the safe and secure sharing of information. Reference
Agreement that in the event of the media becoming aware of a data incident a joint statement will be prepared and the communications teams of both the data owner and the data receiver organisations will jointly manage the release of press statements.
Salisbury NHS Foundation Trust Public Relations Manager: 01722 425170
A copy of the data owner’s and the data receiver’s policies and protocols for managing data breaches or data losses is available at:
http:
In the event of a data breach or data loss this will be reported to:
Data Owner: by: within:
Data Receiver: by: within:
A record of the data incident and the actions taken will be made available to all involved parties by: (Name).
INCIDENT MANAGEMENT
How will any breaches of principles be reported and managed?
Where remedial action is taken who will report this to the data owner / receiver / 3rd Party?
In the event of a data breach what steps will be taken to advise the data subject?
What will be the procedure to update this protocol in the light of any findings?
Advice and guidance on any data incident can be obtained from the Information Commissioner’s Office (ICO).
The ICO also provides a Frequently Asked Questions section and a Helpline on 0303 123 1113, open from 9am to 5pm, Monday to Friday.
If appropriate, legal advice should be sought.
MONITORING
Who will monitor that the processes above are taking place and are effective?
What checks will be made?
What will be the frequency of checks?
How will this data process be included in organisational audit processes?
Where areas of concern / weakness are identified how will these be addressed?
If an organisation identifies a risk, this must be recorded in line with the Trust Risk Management Policy and shared with the data owner / provider as appropriate:
I, the undersigned, certify that the personal data being received will not be disclosed to unauthorised persons. The data and their purposes of use are notified under the Data Protection Act 1998 and my organisation/company is committed to compliance with the Data Protection Principles.
I understand that any proposed changes to this protocol must be agreed by all parties prior to any changes being made.
I understand that this document provides assurance to Salisbury NHS Foundation Trust that:
Data Subjects who suffer damage as a result of a breach of this protocol shall be entitled to receive compensation from my organisation/company for such damages.
That my organisation/company will be held liable for any costs incurred from fines levied by the ICO on Salisbury NHS Foundation Trust attributed to any loss, wilful damage, inappropriate disclosure or loss of data by my organisation/company.
DATE
SIGNATURE of Data Provider
JOB TITLE
For and on behalf of: ORGANISATION
Service Area / Department
Data Protection Registration Number:
IG Toolkit Registration No:
Scores and details:
ISO27001 Registration Details:
DATE
SIGNATURE of data receiver
JOB TITLE
For and on behalf of: ORGANISATION
Service Area / Department
DATE
SIGNATURE of data receiver (2)
JOB TITLE
For and on behalf of: ORGANISATION
Service Area / Department
Copy to: Information Governance Manager
Heidi Doubtfire-Lynn, Information Governance Manager
Salisbury NHS Foundation Trust
Email:
Phone / Direct Line: 01722 425119 or 336262 Extension 2119
APPENDIX I: DATA PROTECTION, CONFIDENTIALITY & DISCLOSURE POLICY, VERSION 2.0
AUTHOR: INFORMATION GOVERNANCE OFFICER. DATE: SEPTEMBER 2014
DATE OF NEXT REVIEW: SEPTEMBER 2017