Embed Size (px)
Citation preview
Page 1 of 33
Confidentiality and Data Protection Policy
The 5 key messages the reader should note about this document are:
1. It is your personal duty to keep personal information confidential
2. All workers need to be aware of their responsibilities under the requirements of the Data Protection Act 2018 (General Data Protection Regulation) and the importance of ensuring the confidentiality of personal and sensitive data
3. Penalties could be imposed upon you and/ or the Trust for non-compliance with this legislation
4. Personal information will be disclosed on a need to know basis only and employees will not disclose information outside their line of duty
5. It makes the required provisions for individuals to request access to their information
Issue Date 22/10/2019 Review Date 23/10/2019
Page 2 of 33
This document has been approved and ratified. Circumstances may arise where staff become aware that changes in national policy or statutory or other guidance (e.g. National Institute for Health and Care Excellence (NICE) guidance and Employment Law) may affect the contents of this document. It is the duty of the staff member concerned to ensure that the document author is made aware of such changes so that the matter can be dealt with through the document review process.
NOTE: All approved and ratified policies and procedures remain extant until notification of an amended policy or procedure via Trust-wide notification, e.g. through the weekly e-Update publication or global e-mail and posting on the Intranet (Connect).
Procedural Document Title: Confidentiality & Data Protection Policy.
Version: 8
Name and Title of Responsible Director/Senior Manager:
Dr David Sims, Medical Director
Name and Title of Author Gaynor Toczek, Information Governance and Records Manager/Data Protection Officer
Title of Responsible Committee / Group (or Trust Board):
Information Governance Group
Persons/Groups/Committees consulted:
Information Governance Group
Service User, Patient and Carer consultation:
Not Applicable
Procedural Document Compliance Checklist adhered to:
Yes
Target Audience: All staff
Approved by: Information Governance Group
Date Approved: August 2019
Ratified by: SLG
Date Ratified: September 2019
Date Issued: October 2019
Review Date: November 2020
Frequency of Review: Annually
Page 3 of 33
Responsible for Dissemination: Gaynor Toczek, Information Governance a and Records Manager/DPO
Copies available from: Via the Trust’s Intranet (Connect).
Where is previous copy archived
(if applicable)
Connect
Amendment Summary: Complete rewrite of policy following the Data Protection Act 2018 (DPA 2018) and General Data Protection Regulation (GDPR).
Page 4 of 33
Contents
1 INTRODUCTION .......................................................................................................... 6
2 SCOPE ......................................................................................................................... 6
3 COMPLYING WITH CONFIDENTIALTY AND THE DATA PROTECTION ACT (General Data Protection Regulation 2018) ........................................................................................ 6
3.1 Lawful/legal basis for processing ............................................................................ 8
3.2 In order to comply with the Data Protection Act 1998 (GDPR) the Trust is committed to ensuring: ...................................................................................................................... 9
4 COMPLYING WITH THE PRINCIPLES OF THE CALDICOTT REPORT .................. 11
5 Complying with NHS Code of Confidentiality .............................................................. 13
6 Complying with The common law duty of confidentiality ............................................. 13
7 Complying with Data Protection by Design and Default .............................................. 13
7.1 The underlying concepts of data protection by design and by default .................. 14
7.1.1 ‘Proactive not reactive; preventative not remedial’ ......................................... 14
7.1.2 ‘Privacy as the default setting’ ........................................................................ 14
7.1.3 ‘Privacy embedded into design’ ...................................................................... 14
7.1.4 ‘Full functionality – positive sum, not zero sum’ ............................................. 14
7.1.5 ‘End-to-end security – full lifecycle protection’................................................ 14
7.1.6 ‘Visibility and transparency – keep it open’ .................................................... 14
7.1.7 ‘Respect for user privacy – keep it user-centric’ ............................................. 15
8 Compliance with this policy and potential Breaches ................................................... 15
8.1 Access to IT systems ............................................................................................ 16
8.2 Access to records ................................................................................................. 16
8.3 Communicating personal information ................................................................... 17
8.4 Disclosure and sharing of personal information .................................................... 17
8.5 Disposal of personal information ........................................................................... 18
9 DEFINITIONS ............................................................................................................. 18
9.1 Approval ............................................................................................................... 18
9.2 Assurance ............................................................................................................. 18
9.3 DPA ...................................................................................................................... 19
Page 5 of 33
9.4 GDPR ................................................................................................................... 19
9.5 Data Subject ......................................................................................................... 19
9.6 Equality Impact Assessment ................................................................................. 19
9.7 ICO ....................................................................................................................... 19
9.8 Information Governance ....................................................................................... 19
9.9 Personal Data ....................................................................................................... 19
9.10 Policy ................................................................................................................. 19
9.11 Procedural Document ........................................................................................ 19
9.12 Ratification ......................................................................................................... 19
9.13 Strategic Aim ..................................................................................................... 20
9.14 Training Needs Analysis .................................................................................... 20
10 EQUALITY IMPACT ASSESSMENT .......................................................................... 20
11 TRAINING NEEDS ANALYSIS ................................................................................... 20
12 MONITORING COMPLIANCE AND EFFECTIVENESS ............................................. 21
13 REFERENCES TO EXTERNAL DOCUMENTS ......................................................... 23
14 ASSOCIATED INTERNAL DOCUMENTATION ......................................................... 24
15 APPENDIX A: EQUALITY IMPACT ASSESSMENT (EQIA) ....................................... 26
16 APPENDIX B: Key Changes for GDPR ...................................................................... 28
17 APPENDIX c: obtaining personal data ........................................................................ 30
18 Appendix D: Lawful Basis for Processing Personal Information ................................ 31
18.1 Lawful Purpose for Health and Adult Social Care .............................................. 31
18.2 Lawful basis for employment purposes ............................................................. 32
18.3 Processing of special categories of personal data ............................................ 32
Page 6 of 33
1 INTRODUCTION
Bradford District Care Foundation Trust (BDCFT) is committed to compliance with the laws of information privacy, the Data Protection Act 2018 (General Data Protection Regulation 2018), NHS Code of Confidentiality, Caldicott requirements, the Human Rights Act (1998) and employees’ responsibilities for the safeguarding of confidential information held both manually and electronically (Common law duty of confidentiality).
The Data Protection Act (2018) and the General Data Protection Regulation set the legal framework, by which we can process personal information. It applies to information that might identify any living person. The common law duty of confidentiality governs information given in confidence to a health professional (about a person alive or deceased) with the expectation it will be kept confidential. The Human Rights Act (1998) article 8 provides a person with the right to respect for private and family life. The key rights provided by this legal Framework are also set out in the NHS Constitution (section 3A). The Caldicott Report (3) was published in 2016 and focused on the protection and processing of patient identifiable information within the NHS. The reports provided the NHS with a series of principals to adhere to.
This policy outlines how the Trust will meet its legal obligations and NHS requirements in respect of confidentiality and information security.
2 SCOPE
The policy relates to all identifiable information created, processed and stored on living individuals. This includes both electronic and manual information held by the Trust relating to patients, staff and others: service users, employees: present; past; and prospective, suppliers, contractors, agents, elected members, Governors, volunteers, charitable groups, partners and other business contacts.
The policy applies to all employees of the Trust, contractors, agents, elected members, charitable groups, partners and other business contacts.
Penalties could be imposed upon the Trust and/or individual employees for non-compliance with this legislation.
This policy forms part of the information governance policy framework and is supplemented by an Information Governance Strategy which details the implementation of confidentiality and data protection measures within the Trust.
3 COMPLYING WITH CONFIDENTIALTY AND THE DATA PROTECTION ACT (GENERAL DATA PROTECTION REGULATION 2018)
The Data Protection Act (2018) (DPA) and the General Data Protection Regulation (GDPR) set out the legal requirements and duties placed on data controllers (the Trust), and data
Page 7 of 33
processors (anyone the Trust uses to process data on its behalf) and explains the ‘information rights’ held by data subjects (people we hold information about). The Trust is required to register annually with the Information Commissioner as a Data Controller. The Trust’s unique registration number is Z6261301. The DPA 2018 sets out 6 data protection principles which describe the legal requirements in relation to data processing (Processing includes the recording, viewing, amending, sharing and deletion of personal data). These principles are the key ‘rules’ for data handling. Any processing of data which breaches one or more of the 6 data protection principles is unlawful:1
Processing shall be lawful, fair and transparent The purpose of processing shall be specified, explicit and legitimate Personal data processed shall be adequate, relevant and not excessive Personal data shall be accurate and kept up to date. Personal data processed for any purpose or purposes shall not be kept for longer
than is necessary Personal data shall be processed in a secure manner
a. Processing shall be lawful, fair and transparent Ensuring the Trust’s Privacy Notices (available on the Trust website) are kept up to date,
and comply with the Information Commissioner’s Office (ICO) Code of Practice. Ensuring the Trust has a Data Protection Officer, whose contact details are available to
the public. Complying with the common law duty of confidentiality; that any personal information
given or received in confidence for one purpose may not be used for a different purpose or passed on to anyone else without the consent of the individual.
Ensuring that the legal basis for the processing of information is identified, via the completion of the Data Protection Impact Assessments (DPIA)
In general, as a public authority, the legal basis for processing information is identified as Article 6 (1) (c) and/or 6(1) (e) – and as a health provider Article 9 2(h). See section 3.1 and Appendix D for further detail.
Under the DPA/GDPR, data subjects have certain rights, which the Trust will uphold: o Be informed - through privacy notices and Data Protection Impact Assessments o Access - Subject Access Requests o Rectification - to have inaccuracies corrected o Erasure - to have information erased (right to be forgotten).2 o Object to processing (e.g. direct marketing) o Prevent automated decision-making and profiling o Data portability – have information provided in electronic format and not hinder
the data subject's transmission of personal data to a new data controller o Consent to process - silence, pre-ticked boxes or inactivity does not constitute
consentto process
1 Although the Data Protection Act (2018) does not apply to deceased persons, the NHS has issued guidance which states that, where possible, the same level of confidentiality should be provided to the records and information relating to a deceased person as one who is alive 2 Should an individual make a request to prevent processing then depending on the individual circumstances, the Trust would have to make a judgement based on the risk to the individual or others whether it was right to provide a service. This decision can only be made by the Caldicott Guardian.
Page 8 of 33
Completion of Data Protection Impact Assessments (DPIAs) which are regularly reviewed.
Conducting routine audits as part of good data management practice. Ensuring that relevant records policies and professional guidelines are adhered to
b. collected for specified, explicit and legitimate purposes and not further processed
in a manner that is incompatible with those purposes;
Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes ('purpose limitation');
c. adequate, relevant and limited to what is necessary
Data users recording information accurately and taking reasonable steps to check the accuracy of information they receive from data subjects or anyone else
Data users regularly checking all systems to destroy out-of-date information and correcting inaccurate information.
Compliance with the Department of Health’s Records Management: NHS Code of Practice.
Compliance with the Information Security Policy and associated procedures and Data Quality Policy
Completion of a Data Protection Impact Assessment (DPIA)
d. accurate and, where necessary, kept up to date;
every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
e. kept in a form which permits identification of data subjects for no longer than is necessary
for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject
f. processed in a manner that ensures appropriate security of personal data
Including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
3.1 Lawful/legal basis for processing Under GDPR each controller of personal information must decide under what basis it is processing personal information. If there is no relevant basis, then the processing is likely to be illegal.
Page 9 of 33
For the Trust as a public body processing of the data is lawful under GDPR Article 6, the following generally applies:
Article 6 1(c) Processing is necessary for compliance with a legal obligation to which the controller is subject; Article 6 1(e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; “the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law”.
For the processing of special categories of personal data (Health) GDPR Article 9 will apply.
Article 9 2(h) - Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
For the processing of research data GDPR Article 9 will apply.
Article 9 (2)(j) - processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1).
For the processing of safeguarding information GDPR Article 9 will apply.
Article 9 (2)(b) - processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment, social security and social protection law.
For further information and other relevant Articles, please see Appendix D.
3.2 In order to comply with the Data Protection Act 1998 (GDPR) the Trust is committed to ensuring:
All personal data, no matter how it is obtained, held, recorded, used, stored and disposed of will be handled by the Trust within the safeguarding principles of the Data Protection Act 1998 (GDPR), in a secure and confidential manner
Access to personal data is confined to those with specified authority to view and/or
change the data by ensuring that procedures are in place for allocating and controlling access, and passwords
Personal information will be disclosed on a need to know basis only and employees will not disclose information outside their line of duty
It makes the required provision of Fair Processing Notices (privacy notices) to all people on whom it holds personal data. These notices will tell them what is held, why it is held, how it is used, and to whom it may be disclosed by the use of leaflets and the website
It registers all its applications and databases used to handle personal information with the Information Commissioner, identifying the purposes for holding the data, how it is used and to whom it may be disclosed, as required by the Act
Page 10 of 33
It makes the required provisions for individuals to request access to their information It maintains and develops an information systems infrastructure, which has an
appropriate level of security: all systems will have a minimum security framework
For Trust wide systems, that all system assets are operating according to specification and the accuracy of data is maintained
Systems and data are available when required and the output from it delivered to the user who needs it, when it is needed
There is a Caldicott Guardian appointed as the conscience of the organisation
There is a Senior Information Risk Owner (SIRO) appointed for the organisation
There is a Data Protection Officer (DPO) appointed for the organisation There is a formal procedure for reporting, investigating and recording breaches in
Information security
A risk assessment is carried out for each of the Trust’s information systems and measures put in place to ensure each system is secured to an appropriate level
All information assets have a nominated owner who is responsible for security measures (including databases, laptops, memory sticks, digital cameras)
Responsibilities and procedures for the management and operation of all computers and networks are established, documented and supported by appropriate operating instructions
All applications, databases and other information assets are regularly assessed for risk
and a business continuity plan is in place
All operational software is quality assured and that system test and live data should be separated and adequately protected. All changes to the system should be passed through a formal change control procedure
PC's will be specified and purchased via ICT Services, in accordance with current recommendations on software and hardware
Precautions are taken to prevent and detect computer viruses. ICT Technical Services will provide advice and support on virus control
Additional security procedures and software (encryption) and guidance is provided for the use of mobile devices
There is adequate guidance on sharing personal information
Adherence to any Information Sharing Agreements and Protocols
Page 11 of 33
All staff are aware of the need to continue to improve and maintain security of information
systems, and to advise managers of the approach being adopted to achieve the appropriate level of security
All managers and staff are aware of their responsibilities under the requirements of the
Data Protection Act and the importance of ensuring the confidentiality of personal and sensitive data
The Trust complies with current legislation and EU Directives, meets its statutory obligations and observes standards of good practice
It minimises the risk of breaching information security and prosecution
It meets the requirements for connection to the NHS network
Records are archived or disposed of in accordance with both the law and the Records Management Policy
The Information Governance and Records Manager is consulted before disclosing or transferring personal information outside the EEA
Raise the Awareness of other Legislation relating to Confidentiality
4 COMPLYING WITH THE PRINCIPLES OF THE CALDICOTT REPORT
The Caldicott Report (3) was published in 2016 and focused on the protection and processing of patient identifiable information within the NHS. The reports provided the NHS with a series of principals to adhere to: Justify the purpose for collecting or holding patient-identifiable information Do not use patient-identifiable information unless it is absolutely necessary Use the minimum necessary patient-identifiable information Access to patient-identifiable information should be on a strict need to know basis Everyone should be aware of their responsibilities Understand and comply with the law The duty to share information can be as important as the duty to protect patient confidentiality The Trust appointed Caldicott Guardian (Medical Director) advises the Trust Board on matters of patient confidentiality and promotes the safe and secure handling of patient data. The Trust Caldicott Guardian will consider and approve, as appropriate, applications for the disclosure or processing of patient data which fall outside routine procedures.
1. Justify the purpose(s)
Every proposed use or transfer of personal confidential data within or from an organisation
Page 12 of 33
should be clearly defined and scrutinised, with continuing uses regularly reviewed
2. Don't use personal confidential data unless it is absolutely necessary
Personal confidential data items should not be included unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).
3. Use the minimum necessary personal confidential data
Where the use of personal confidential data is considered to be essential, the inclusion of each individual item of information should be considered and justified so that the minimum amount of identifiable information is transferred or accessible as is necessary for a given function to be carried out.
4. Access to personal confidential data should be on a strict need-to-know basis
Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the data items that they need to see.
5. Everyone with access to personal confidential data should be aware of their responsibilities
The organisation must ensure that those handling personal confidential data, both clinicaland non-clinical staff, are made fully aware of their responsibilities and obligations to respect patient confidentiality.
6. Understand and comply with the law
Every use of personal confidential data must be lawful. The Caldicott Guardian, Medical Director, is responsible for ensuring that the organisation complies with legal requirements.
7. The duty to share information can be as important as the duty to protect patient confidentiality
Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles.
The Health and Social Care (Safety and Quality) Act 2015 includes a legal duty requiringhealth and adult social care bodies to share information where this will facilitate care for an individual.
Following the publication of the Caldicott Review in March 2013, the Health & Social Care Information Centre published “A guide to confidentiality in health and social care” which identified five rules for treating confidential information with respect:
Rule 1: Confidential information about service users or patients should be treated confidentially and respectfully
Rule 2: Member of a care team should share confidential information when it is needed for the safe and effective care of an individual
Rule 3: Information that is shared for the benefit of the community should be anonymised
Rule 4: An individual’s right to object to the sharing of confidential information about them should be respected
Page 13 of 33
Rule 5: Organisations should put policies, procedures and systems in place to ensure the confidentiality rules are followed
5 COMPLYING WITH NHS CODE OF CONFIDENTIALITY
The 'Confidentiality: NHS Code of Practice' was published by the Department of Health following major consultation in 2002/2003. The consultation included patients, carers and citizens; the NHS; other health care providers; professional bodies and regulators. The guidance was drafted and delivered by a working group made up of key representatives from these areas.
The Code of Practice is a guide to required practice for those who work within or under contract to NHS organisations concerning confidentiality and patients’ consent to the use of their health records. This document uses the term ‘staff’ a convenience to refer to all those to whom this code of practice should apply. Whilst directed at NHS staff, the Code is also relevant to any one working in and around health services. This includes local authority staff working in integrated teams and private and voluntary sector staff.
This document:
a. introduces the concept of confidentiality;
b. describes what a confidential service should look like;
c. provides a high level description of the main legal requirements;
d. recommends a generic decision support tool for sharing/disclosing information;
e. lists examples of particular information disclosure scenarios.
6 COMPLYING WITH THE COMMON LAW DUTY OF CONFIDENTIALITY
This common law prohibits use and disclosure of information, provided in confidence unless there is a statutory requirement or court order to do so.
Such information may be disclosed only for purposes that the data subject has been informed about and has consented to, provided also that there are no statutory restrictions on disclosure.
This duty is not absolute, but should only be overridden if the holder of the information can justify disclosure as being in the public interest, for example, to protect the vital interests of the data subjects or another person, or for the prevention or detection of a serious crime.
7 COMPLYING WITH DATA PROTECTION BY DESIGN AND DEFAULT
The DPA 2018 (GDPR) requires the Trust to put in place appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights. This is ‘data protection by design and by default’.
In essence, this means the Trust has to integrate data protection into its processing activities and business practices, from the design stage right through the lifecycle. his concept is not
Page 14 of 33
new. Previously known as ‘privacy by design’, it has have always been part of data protection law. The key change with the GDPR is that it is now a legal requirement.
Data protection by design is about considering data protection and privacy issues upfront in everything the Trust does. It will help to ensure that the Trust complies with the GDPR’s fundamental principles and requirements, and forms part of the focus on accountability.
7.1 The underlying concepts of data protection by design and by default
The underlying concepts are essentially expressed in the seven ‘foundational principles’ of privacy by design. Although privacy by design is not necessarily equivalent to data protection by design, these foundational principles can nevertheless underpin any approach you take.
7.1.1 ‘Proactive not reactive; preventative not remedial’
Take a proactive approach to data protection and anticipate privacy issues and risks before they happen, instead of waiting until after the fact. This doesn’t just apply in the context of systems design – it involves developing a culture of ‘privacy awareness’ across the Trust.
7.1.2 ‘Privacy as the default setting’
Design any system, service, product, and/or business practice to protect personal data automatically. With privacy built into the system, the individual does not have to take any steps to protect their data – their privacy remains intact without them having to do anything.
7.1.3 ‘Privacy embedded into design’
Embed data protection into the design of any systems, services, products and business practices. Ensure data protection forms part of the core functions of any system or service – essentially, it becomes integral to these systems and services.
7.1.4 ‘Full functionality – positive sum, not zero sum’
Also referred to as ‘win-win’, this principle is essentially about avoiding trade-offs, such the belief that in any system or service it is only possible to have privacy or security, not privacy and security. Instead, look to incorporate all legitimate objectives whilst ensuring the Trust complies with your obligations.
7.1.5 ‘End-to-end security – full lifecycle protection’
Put in place strong security measures from the beginning, and extend this security throughout the ‘data lifecycle’ – ie process the data securely and then destroy it securely when you no longer need it.
7.1.6 ‘Visibility and transparency – keep it open’
Ensure that whatever business practice or technology used operates according to its premises and objectives, and is independently verifiable. It is also about ensuring visibility and transparency to individuals, such as making sure they know what data is processed and for what purpose(s) it is processed.
Page 15 of 33
7.1.7 ‘Respect for user privacy – keep it user-centric’
Keep the interest of individuals paramount in the design and implementation of any system or service, eg by offering strong privacy defaults, providing individuals with controls, and ensuring appropriate notice is given.
it considers data protection issues as part of the design and implementation of systems, services, products and business practices.
it makes data protection an essential component of the core functionality of its processing systems and services.
it anticipates risks and privacy-invasive events before they occur, and take steps to prevent harm to individuals.
it only processes the personal data that it needs and that it only uses data for the purposes it was collected.
It ensures that personal data is automatically protected in any IT system, service, product, and/or business practice, so that individuals should not have to take any specific action to protect their privacy.
it provides the identity and contact information of those responsible for data protection both within the Trust and to individuals.
it adopts a ‘plain language’ policy for any public documents so that individuals easily understand what it is doing with their personal data.
it provides individuals with tools so they can determine how we are using their personal data, and whether the Trust’s policies are being properly enforced.
it offers strong privacy defaults, user-friendly options and controls, and respects user preferences.
it only uses data processors that provide sufficient guarantees of their technical and organisational measures for data protection by design.
it uses other systems, services or products in its processing activities, and make sure that it only uses those whose designers and manufacturers take data protection issues into account.
it uses privacy-enhancing technologies (PETs) to assist us in complying with our data protection by design obligations.
8 COMPLIANCE WITH THIS POLICY AND POTENTIAL BREACHES
Any breach of data protection or confidentiality can have severe implications for the Trust, our patients and staff and, where significant numbers of patients are involved, can impact on the reputation of the NHS as a whole. Breaches of confidentiality or unauthorised disclosure of any information subject to the Data Protection Act 2018 constitutes a serious disciplinary offence under the Trust Disciplinary Policy. Staff found in breach of this policy may be subject to disciplinary action. The office of the Information Commissioner’s Office (ICO) regulates data protection and is charged with upholding individual’s information rights. The ICO has a wide range of powers to enforce compliance which includes the imposition of a financial penalty of up to 20 million euros (or equivalent in sterling) or 4% of the total annual worldwide tounrover in the proceeding financial year, which ever is higher. This applies to both both the Trust and individuals.
Page 16 of 33
Staff will report incidents relating to data protection and confidentiality using the Trust’s Incident Management System. All Information Governance related Serious Incidents will be reported to the ICO via the Data Protection and Secuity Toolkit (DSP).
8.1 Access to IT systems It is essential that IT systems holding personal data have adequate controls in place to prevent loss, unlawful processing or inappropriate access. The Information Security Policy provides detailed guidance on the security of Trust IT systems including minimum standards of access controls. 1. Staff should not attempt to access or use electronic record systems they have not been
trained to use or authorised to access. Existing system users should not allow others to access systems using their login credentials. Sharing system passwords is a disciplinary offence and viewed as a serious breach of Trust procedure.
8.2 Access to records The Trust holds thousands of individual patient records in a variety of formats. In addition it holds personal records for present and former members of staff and others it does business with. While it is clearly necessary for many members of staff to routinely access and use these records to carry out their work. 2. it is important staff know that any access to records which is not legitimate or authorised
is prohibited and may be unlawful. Many of our digital systems will allow a user to access any individual record held in that system. 3. Users should only access individual personal records for those data subjects (patients,
staff etc) that they have authorisation to access for specific purposes or in the case of patient records where they have a ‘legitimate relationship’ with the patient.
4. Staff have no right to access personal information held in records about their relatives, friends or colleagues.
While some Trust staff are in a position to potentially access personal data held about them in Trust records (e.g. their personal medical records) this is not a facility available to members of the public. NHS policy is that NHS staff should follow the same procedure as members of the public to access their data. 5. Trust staff should not access their own data held in any Trust records without specific
authorisation. Procedures for obtaining access to or copies of personal information held by the Trust about individuals are explained in the Subject Access procedure available on Connect.
Page 17 of 33
The Trust carries out audits of access to personal data and any member of staff who is found to be in breach of this guidance by inappropriately accessing their own or other peoples’ record data may face disciplinary action.
8.3 Communicating personal information In order to provide effective care services there is a need to transfer information between organisations and individuals. In order to comply with the DPA principles it is important that any transfer or communication of personal data is carried out securely and safely and the risk of accidental disclosure or loss in transit is minimised. 6. Any data containing identifiable information transferred by the Trust outside the Trust for
processing must be securely encrypted during transit. Any transfer outside the European Economic Area must only be carried out if appropriate security controls are in place.
The IG Staff Handbook provides guidance to staff on the transfer or communication of personal data by post, fax, by hand and e-mail and the use of portable media.
8.4 Disclosure and sharing of personal information
8.4.1.1 Sharing personal information for care purposes
In order to provide safe and effective care, personal information about patients will need to be shared with all those caring for an individual. In addition to the clinical team providing care, the direct care team may include laboratory staff, social care staff, specialist care teams and administrative staff supporting the care process. In accordance with both DPA 2018, GDPR and Caldicott principles information shared for care purposes should be relevant, necessary and proportionate. In applying this principle care should be exercised to avoid compromising care. Confidentiality should not become a barrier to safe and effective care. Caldicott principle 7 (Duty to share) emphasises the need to share information in certain circumstances where the duty to share information clearly outweighs the normal duty of confidentiality owed. This would be the case when there is a threat to the safety of others and the sharing of personal information about individuals (e.g. vulnerable adults or children) with the police or other agencies may prevent that threat materialising.
8.4.1.2 Sharing personal information for non-care purposes
Non care purposes (also known as secondary purposes) will include research, service development and improvement, billing and invoicing, service management and contracting.
7. Where possible these activities should be carried out using anonymised or de identified
data. This removes the need to consider consent issues.
Page 18 of 33
In certain circumstances the law requires that confidential information should be disclosed when consent may not be provided. Examples of this include a direction within a court order to disclose confidential information or the requirement to notify Public Health officials when a patient is suspected of suffering from a notifiable disease. Where a legal obligation to disclose does not exist there are some limited circumstances where the sharing of personal information without consent may be justified in the ‘Public Interest’. Disclosures made without consent to support the detection investigation and punishment of serious crime and to prevent abuse or serious harm to others are examples of such circumstances. Such disclosures are considered on a case by case basis and can be complex. 8. All requests for access to personal information by an individual, police, court order,
solicitor etc must be forwarded immediately to [email protected]. The public good that would be met by sharing the information has to be weighed against the obligation of confidentiality owed to an individual and the public good in maintaining trust in a confidential service.
8.5 Disposal of personal information It is a principle of the DPA 2018 that data should ‘not be kept for longer than necessary’. To assist staff in meeting this requirement the Records Management NHS Code of Practice for Health and Social Care provides detailed guidance to staff about the minimum retention periods applicable to Trust records and record disposal procedures. 9. All printouts, reports and printed copies of records containing personal data should be
kept secure at all times. This particularly applies to handover sheets and documents used by staff working in ward areas.
10. Any documents containing personal data should be disposed of securely in the
confidential waste sacks provided and not discarded in domestic waste or recycling bins.
Please refer to the Records Management policy for further information.
9 DEFINITIONS
9.1 Approval
Formally approving the content of the Procedural Document
9.2 Assurance
Providing evidence needed to establish confidence among all concerned, that activities are being performed effectively. This includes planned or systematic actions necessary to provide adequate confidence that a product or service will satisfy given requirements for quality.
Page 19 of 33
9.3 DPA
The Data Protection Act 2018
9.4 GDPR
General Data Protection Regulations
9.5 Data Subject
An individual who is the subject of the personal data being kept
9.6 Equality Impact Assessment
An assessment of whether the document treats all groups / individuals equally and fairly.
9.7 ICO
Information Commissioner’s Office, Wycliffe House, Water Lane Wilmslow, Cheshire, SK9 5AF. This is the UK’s independent authority set up to promote access to official information and to protect personal information.
9.8 Information Governance
Is a framework for handling personal information in a confidential and secure manner to appropriate ethical and quality standards in a modern health service.
9.9 Personal Data
Information relating to a living individual who can be identified from that data, and other information in the possession of the Data Controller and includes any expression of opinion about that individual
9.10 Policy
Policies are Trust-wide and tell the organisation what is to be done. They are philosophically based and reflect the values and strategic intents of the Trust, hence allowing adjustment for changing conditions without making any basic changes in policy. Policies explain why certain things are required and provide a basis for the development of procedures
9.11 Procedural Document
Any BDCFT policy or procedure or high level strategy
9.12 Ratification
Officially sanctioning the use of the policy for Procedural Documents within the Organisation
Page 20 of 33
9.13 Strategic Aim
The high level objectives of BDCFT
9.14 Training Needs Analysis
An assessment of the training needed to ensure that staff are able to implement the requirements of the policy for Procedural Documents.
10 EQUALITY IMPACT ASSESSMENT
The Trust has no intent to discriminate and endeavours to develop and implement policies that meet the diverse needs of our workforce and the people we serve, ensuring that none are placed at a disadvantage over others. Our philosophy and commitment to care goes above and beyond our legal duty to enable us to provide high-quality services. Our Equality Analysis and equality monitoring is a core service improvement tool which enables the organisation to address the needs of disadvantaged groups. The aim of Equality analysis is to remove or minimise disadvantages suffered by people because of their protected characteristics.
An impact assessment has been undertaken to consider the need and assess the impact of this Procedural Document and is evidenced at Appendix A.
11 TRAINING NEEDS ANALYSIS
The Trust is committed to high quality targeted training and effective communication to support this procedural document. The Trust recognises that training capacity can fluctuate and will depend on resources available. As such, based on an assessment of capacity and risk, the training needs analysis will identify the high priority groups for training. The objective is to implement this procedural document and meet the training needs of these groups over the time frequency stated. The focus of Trust monitoring will be on this group over the agreed period or lifetime of the procedural document.
Please refer to the Information Governance policy for the overarching Training Needs Analysis.
Page 21 of 33
12 MONITORING COMPLIANCE AND EFFECTIVENESS Criteria Evidence identified to
indicate compliance with policy
Method of monitoring, i.e. how/where will this be
gathered?
Frequency of monitoring
Lead responsible for monitoring
Duties Information Governance Group, Audit Committee Completed IRE forms/SI forms, Investigation reports Internal/External Audit reports, Annual reports, Quarterly incident management reports, Annual IG Surveys, Audit Action Plans IG and Security Audits Records Audits Penetration Testing Reports Information Risk Registers Information Asset registers Training numbers
Minutes/discussions at Meetings Incident Management System From investigator Internal audit reports IG Group and papers Survey Monkey website Audit forms and reports to service managers Reports from external companies
Annually
Information Governance and Records Manager/DPO
Process for assessing compliance with legislation, national requirements and standards
Data Security and Protection Toolkit compliance.
Online submission and formal response. Regular external audit.
Two times per year and audited once Annually
Information Governance and Records Manager/DPO
Page 22 of 33
Criteria Evidence identified to indicate compliance
with policy
Method of monitoring, i.e. how/where will this be
gathered?
Frequency of monitoring
Lead responsible for monitoring
Process for reporting all incidents/near misses, involving person identifiable information – staff and patients/service users
Competed IRE forms (Cross section involving person identifiable information – staff and patients/service users ) Quarterly incident reports Annual reports Completed SI forms Monthly incident reports to IG&RM SI database Emails and faxes
Incident Management System Incident Reports from Incident Management System Internal Audit reports Annual report
Quarterly Information Governance and Records Manager/DPO
Process for testing understanding of policy
Annual Staff IG Survey. Locality based IG Audits Locality based Records Audits Completed declaration forms from Information Governance Staff Handbook Certificated Data Security and Protection training
Survey Monkey website and reports to IG Group and Informatics Board Audit tools, reports and action plans Training database
At induction and then yearly Annually
Information Governance and Records Manager/DPO
Process for reporting to external agencies
Completed IRE forms SI Alert forms Emails and letters Serious Incidents via the Data Security and Protection Toolkit.
Annual report Report to SIRO
Annually Information Governance and Records Manager/DPO
Page 23 of 33
13 REFERENCES TO EXTERNAL DOCUMENTS
Information Commissioners Website
The NHS Data Security and Protection Toolkit
HCC Standards for Better Health
Information Sharing and Mental Health Guidance to Support Information Sharing by Mental Health Services
The Data Protection Act 2018 (GDPR)
The Criminal justice Act 2008
The Freedom of Information Act 2000
The Human Rights Act 1998
Information Security Management: NHS Code of Practice
Confidentiality: NHS Code of Practice
NHS Information Governance Guidance on Legal and Professional Obligations
Records Management Code of Practice for Health and Social Care 2016
Information Security Management: NHS Code of Practice
The Access to Health Records Act 1990
The Computer Misuse Act 1990
The Health and Safety at Work etc Act 1974
The Privacy and Electronic Communications (EC Directive) Regulations 2003
The Public Records Act 1958
Caldicott 3 Report 2017
CQC National study: The right information, in the right place, at the right time. A study of how healthcare organisations manage personal data
Multi-Agency Public Protection Arrangements (MAPPA) and the duty to cooperate
Mental Capacity Act 2005
Children Act 2004
Crime and Disorder Act 1998
Information Security Management: NHS Code of Practice
Confidentiality: NHS Code of Practice
Page 24 of 33
14 ASSOCIATED INTERNAL DOCUMENTATION
In respect of this policy, specific related Procedural Documents / Trust documents are:
Information Governance Policy and procedures
Information Security Policy
Consent Policy
Social Media Policy
CCTV Policy
DPIA procedure
IG Staff Handbook
Information Sharing Guidance
Risk Registers
Information Risk procedures
Informatics Operating Framework
Digital Strategy
Incident Reporting and Management Policy
Serious Incidents Policy
Service Users & Carers Strategy
Communications Strategy
Complaints Policy
Data Protection procedures
Clinical Information Systems Data Quality Policy
Fraud & Corruption Policy
Risk Management Strategy
Records Management Policy and procedures
Complaints Policy and Complaints Procedure
Being Open Policy
Employemt Policy (Includes RA Policy)
Development of Information for Service Users, Patients and Carers Policy
Emergency Preparedness and Business Continuity Plan
Disciplinary Policy
Page 25 of 33
Freedom of Information Policy and procedures
Safeguarding Adults and Children Policies and Procedures
Safeguarding Children Policy and procedures
Email Security procedure
Please see the Information Governance policy for further information on these policies and codes and how they relate to Information Governance
Page 26 of 33
15 APPENDIX A: EQUALITY IMPACT ASSESSMENT (EQIA) Area Response
Policy/Procedure Confidentiality and Data Protection policy Manager Gaynor Toczek, Information Governance and Records
Manager/DPO Directorate Informatics Date 30/07/2019 Review date 3 years Purpose of Policy Statutory guidance Associated frameworks e.g. national targets NSF’s
Data Protection Act 2018 (GDPR)
Who does it affect All staff Consultation process carried out
Yes
QA Approved by IGG
Equality protected characteristic
Impact Positive
Impact Negative
Rationale for response
Age Positive impact expected outcome. There is currently no information identified through the Equality Impact Assessment that would suggest that this policy has the potential to disadvantage any individual or function if implemented and operated in a manner that is laid out within the policy statement
Disability Gender Reassignment
Race Religion or Belief
Pregnancy & Maternity
Sex
Sexual Orientation
Equality Analysis SIGN – OFF Have any adverse impacts been identified on any equality groups which are both highly significant and illegal?
No
Are you satisfied that the conclusions of the EqIA Screening are accurate? The Trust will publish a summary of the impact analysis carried out to meet the duty and make this available to the public on the Trust Internet site.
Yes
Completed by Manager Information Governance and Records Manager/DPO
Q A approved IGG
Page 27 of 33
Director approved Associate Director of Informatics
Page 28 of 33
16 APPENDIX B: KEY CHANGES FOR GDPR
The aim of the GDPR is to protect all citizens from privacy and data breaches in an increasingly data-driven world. Although the key principles of data privacy still hold true to the Data Protection Act 1998, many changes have been proposed to the regulatory policies.
The key points of the GDPR as well as information on the impacts it will have on business can be found below.
Penalties
Under GDPR organisations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements for example, not having sufficient consent to process data or violating the core of Privacy by Design concepts.
There is a tiered approach to fines, for example, an organisation can be fined 2% for not having their records in order (article 28), not notifying the Information Commissioner and data subject about a breach or not conducting a Privacy Impact assessment.
Consent
The conditions for consent have been strengthened, and organisations will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent.
Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
Data Subject Rights
Breach Notification
Under the GDPR, breach notification will become mandatory where a data breach is likely to “result in a risk for the rights and freedoms of individuals”.
This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.
Right to Access
Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose.
Further, the Trust will provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift to data transparency and empowerment of data subjects.
Page 29 of 33
Right to be Forgotten
Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data Trust erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
The conditions for erasure, as outlined in article 17, include the data no longer being relevant to original purposes for processing, or a data subjects withdrawing consent. It should also be noted that this right requires controllers to compare the subjects' rights to "the public interest in the availability of the data" when considering such requests. Data Portability
GDPR introduces data portability - the right for a data subject to receive the personal data concerning them, which they have previously provided in a 'commonly use and machine readable format' and have the right to transmit that data to another party. Privacy by Design
Privacy by design as a concept has existed for years now, but it is only just becoming part of a legal requirement with the GDPR.
At it’s core, privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition.
More specifically - 'The controller shall implement appropriate technical and organisational measure in an effective way in order to meet the requirements of this Regulation and protect the rights of data subjects'. Article 23 calls for controllers to hold and process only the data absolutely necessary for the completion of its duties (data minimisation), as well as limiting the access to personal data to those needing to act out the processing. Data Protection Officers
Currently, controllers are required to notify their data processing activities with the Information Commissioner,
There will be internal record keeping requirements, and a Data Protection Officer (DPO) appointment will be mandatory only for those organisations whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences. Importantly, the DPO:
Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices
May be a staff member or an external service provider Contact details must be provided to the Information Commissioner Must be provided with appropriate resources to carry out their tasks and maintain
their expert knowledge Must report directly to the highest level of management Must not carry out any other tasks that could results in a conflict of interest.
Page 30 of 33
17 APPENDIX C: OBTAINING PERSONAL DATA
When obtaining personal data, the Trust will provide the data subject with all of the following information: the identity and contact details of the Trust and their representative; the contact details of the data protection officer; the purposes of the processing of as well as the legal basis for the processing; the legitimate interests pursued by the Trust; the recipients or categories of recipients of the personal data; the period of time that the data will be stored; the right to rectification, erasure, restriction, objection; the right to data portability; the right to withdraw consent at any time; the right to lodge a complaint with Information Commissioner; the consequences of the data subject failure to provide data; the existence of automated decision-making, including profiling, as well as the
anticipated consequences for the data subject Where personal data has not been obtained directly from the data subject: the identity and contact details of the Trust and their representative; the contact details of the data protection officer; the purposes as well as the legal basis of the processing; the categories of personal data concerned; the recipients of the personal data, where applicable;
Page 31 of 33
18 APPENDIX D: LAWFUL BASIS FOR PROCESSING PERSONAL INFORMATION
18.1 Lawful Purpose for Health and Adult Social Care
All health and adult social care providers are subject to the statutory duty under section 251B of the Health and Social Care Act 2012 to share information about a patient for their direct care. This duty is subject to both the common law duty of confidence and currently the DPA 2018 and GDPR.
NHS Foundation Trusts may also use the Health and Social Care (Community Health and Standards) Act 2003 for a statutory duty.
The GDPR sets out conditions for lawful processing of personal data (Article 6) and further conditions for processing special categories of personal data (Article 9).
6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
Relying on this lawful basis requires that: 1) it is necessary for the controller to process the personal data for those purposes (i.e. it is reasonable, proportionate and you cannot achieve your objective by some other reasonable means); and
2) the controller can point to a clear and foreseeable legal basis for that purpose under UK law (whether in statute or common law).
The legal basis does not need to refer specifically to the processing of personal data but must establish the ‘official authority’ to conduct the activity for which the processing is necessary.
Alternative conditions that may be applicable where 6(1)(e) is not available are:
6(1)(c) ‘...necessary for compliance with a legal obligation to which the controller is subject or:
6(1)(d) ‘…necessary in order to protect the vital interests of the data subject or of another natural person’
6(1)(c) may be the appropriate basis for the submission and collection of commissioning and other datasets by providers to NHS Digital.
6(1)(d) is available in life or death situations but should not be necessary for health or social care organisations to use in the performance of its tasks. This might apply in a situation where an organisation needs to act to prevent harm being caused by a patient or service user, to someone who has no relationship with the organisation.
Personal data concerning health are special categories of personal data; the most appropriate Article 9 condition for direct care or administrative purposes is:
9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’
These conditions will also be the most appropriate basis for local administrative purposes such as:
Page 32 of 33
• waiting list management • performance against national targets • activity monitoring • local clinical audit • production of datasets to submit for commissioning purposes and national collections.
These conditions will also apply where an organisation participates in activities with a statutory basis, such as responding to a public health emergency.
Where the processing is necessary for the exercise of a mandated regulatory function, the most appropriate Article 6 and 9 conditions are:
6(1)(c) ‘…necessary for compliance with a legal obligation…’ and:
9(2)(j) ‘ …necessary for reasons of public interest in the area of public health…or ensuring high standards of quality and safety of health care and of medicinal products or medical devices…
18.2 Lawful basis for employment purposes
For employment purposes, the following condition for lawful processing will apply:
6(1)(e) ‘…for the performance of a task carried out in the public interest or in the exercise of official authority…’
For necessary processing of special categories, e.g. health data for employment purposes the following condition will apply:
9(2)(b) ‘…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment…social protection law in so far as it is authorised by Union or Member State law..’
As information relating to criminal convictions and offences are not special categories data. Organisations will need to reference the Article 10 provisions of DPA18 and for example, the provisions of the Safeguarding Vulnerable Groups Act 20069 as a basis for Disclosure and Barring Service (DBS) checks and other processing of such data.
The GDPR Articles need to be read alongside the Data Protection Act 2018, which adds more specific conditions and safeguards:
Schedule 1 Part 1 contains specific conditions for the various employment, health and research purposes under Articles 9(2)(b), (h), (i) and (j).
Schedule 1 Part 2 contains specific ‘substantial public interest’ conditions for Article 9(2)(g).
18.3 Processing of special categories of personal data
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
2. Paragraph 1 shall not apply if one of the following applies:
Page 33 of 33
(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
(e) processing relates to personal data which are manifestly made public by the data subject;
(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
