Information Governance and Caldicott /

Welsh Information Governance Toolkit for GMPs

Meeting the Requirements: Staff Responsibilities – Confidentiality and Data Protection

1. Confidentiality and data protection are a key element of the Information Governance agenda. The confidentiality and data protection framework should be supported by adequate skills, knowledge and experience across the Practice. The levels of competency should be in line with the duties and responsibilities of particular posts or staff groups, so as to provide an adequate level of assurance.

2. There must be adequate assurance arrangements in place to ensure that the most senior level of management in the organisation complies with its current confidentiality and data protection obligations and is kept informed of changes in the law and guidance, and of performance issues, which need to be considered and addressed.

3. The Practice Management Team should allocate responsibility for compliance with the Data Protection Act (DPA) 1998 to one of the senior GPs. Within a Practice it is likely that this responsibility is combined with the role of Caldicott Guardian. This role should be appropriately supported; within a Practice, the support is generally provided by the IG Lead, who takes responsibility for directing and pulling together the work necessary to ensure full compliance with the DPA and reports directly to the senior GP above.

Attainment Level / Summary Requirement
1 / An appropriate Caldicott Guardian has been appointed who heads up the Caldicott function for the Practice. There are adequate confidentiality and data protection knowledge and skills within the Practice to implement the confidentiality and data protection work programme.
2 / The Practice Management Team have agreed a Confidentiality Code of Conduct that provides staff with clear guidance on the do's and don'ts of sharing personal information.
3 / The confidentiality and data protection work programme is incorporated into the broader Information Governance arrangements.

4. The obligation to keep personal information secure and to respect confidentiality stems from common law, data protection legislation and human rights legislation, and applies to all organisations. Staff must meet these legal requirements and may also be bound by professional obligations, employment contracts or other contractual measures. It is essential, therefore, that staff understand what they need to do to keep information safe and secure.

5. Updates to the Caldicott Principles in 2013 should also be taken into account. The new Principle 7 states that the duty to share information can be as important as the duty to protect patient confidentiality. This means that staff should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott Principles. In making these sharing decisions, staff should be supported by the policies of the Practice, the Caldicott Guardian, the appropriate regulators and professional bodies.

6. The Practice should also be aware of the principle of vicarious (indirect) liability, which applies where a negligent act or omission by an employee is so closely connected with the performance of their employment that it is fair to place the liability on the employer. Such a situation could arise, for example, where there has been a loss of patient information and the investigation finds that the Practice had failed to inform the member of staff of the procedures or processes required to keep personal information secure and confidential.

How do we reach Attainment Level 1?

7. The appointed Caldicott Guardian within the Practice is usually a senior health professional. They take overall responsibility for ensuring that the management of patient information within the Practice complies with legislation, Codes of Practice and professional standards. The IG Lead should have access to the Caldicott Guardian for support and advice when necessary.

See Table One for key responsibilities of the Caldicott Guardian.

Table One: Key responsibilities of the Caldicott Guardian
  • Work as part of the broader Caldicott function with support staff, IG Leads etc., contributing to the work as required

  • Oversee the Practice's compliance with the Caldicott Principles

  • Play a key role in ensuring that the Practice satisfies the highest practical standards for handling patient information

  • Advise on options for the lawful and ethical processing of patient information

  • Actively support work to facilitate and enable information sharing

  • Ensure that current policies and procedures are in place which cover the accuracy, management, confidentiality, sharing and retention of the patient record

  • Instigate regular management audits to inform future work

Note: The role of the Caldicott Guardian was mandated in NHS Wales by WHC (99) 92 "Protecting Patient Identifiable Information: Caldicott Guardians in the NHS".

8. The role of Caldicott Guardian is not one which is undertaken alone; generally there will be others who support the Guardian, and indeed it is everyone's responsibility to play their part. There must be an awareness among those in the Practice of the responsibilities of the Guardian. See the further information on 'being a Caldicott Guardian'.

9. There must be a Caldicott function with adequate confidentiality and data protection knowledge and skills to successfully co-ordinate and implement the confidentiality and data protection work programme.

10. All staff, including the GPs, should be made aware of their individual and, if appropriate, managerial accountability for ensuring that confidential personal information (relating to patients or staff) is used in accordance with the relevant Practice policies and procedures.

11. All staff assigned responsibility for co-ordinating and implementing the confidentiality and data protection work programme should receive appropriate training. See the 'Training Requirement' for further details.

How do we reach Attainment Level 2?

12. To ensure that staff members are effectively informed of their obligations to keep information confidential, a staff Confidentiality Code of Conduct should be developed that provides clear guidance on the disclosure of personal information. The code should be signed off by the Practice Management Team. Where appropriate, the guidance should be tailored to the needs of different staff groups.

13. The approved Confidentiality Code of Conduct should be made available across the Practice, and all staff members must be effectively informed about the guidance on disclosure and the need to comply with it. For the code to be deemed accessible by staff it needs to be available in several locations; this may include:

  • Providing staff with their own copy;
  • Filing it with the standard operating procedures (or equivalent);
  • Filing it electronically, for example on an intranet if available.

14. Where there is already a general code of conduct, it may be possible to extend this rather than having a separate confidentiality code.

15. Table Two outlines the suggested content of a Confidentiality Code of Conduct. See the 'example Confidentiality Codes of Conduct' for further information.

How do we reach Attainment Level 3?

16. Confidentiality and data protection assurance should be effectively incorporated into the broader IG work plan. Over time the law and guidance may change, and it is important that the individuals assigned responsibility for confidentiality and data protection remain up to date. See the 'Training Requirement' for further details.

17. Compliance with the Confidentiality Code of Conduct should be monitored, for example by random checks/audits or patient satisfaction surveys.

18. The Confidentiality Code of Conduct should be reviewed by the Practice Management Team at least annually and either agreed to be comprehensive or amended accordingly.

Staff - Confidentiality and Data Protection - Final v1 - October 2016 - Author: IG - NWIS