Information Governance Policies Please ensure all staff are made aware of the IG policies. You can press Ctrl +F to search the document

Information Governance Policies - Torbay and South Devon  · Web view2021. 5. 27. · The Trust recognises the need for an appropriate balance between openness and confidentiality


Rapid Equality Impact Assessment (for use when writing policies and procedures)

Policy Title (and number): Information Governance Policies
Version and Date: 1, Nov 2020
Policy Author:

An equality impact assessment (EIA) is a process designed to ensure that a policy, project or scheme does not discriminate or disadvantage people. EIAs also improve and promote equality. Consider the nature and extent of the impact, not the number of people affected.

EQUALITY ANALYSIS: How well do people from protected groups fare in relation to the general population?

PLEASE NOTE: Any ‘Yes’ answers may trigger a full EIA and must be referred to the equality leads below.

Is it likely that the policy/procedure could treat people from protected groups less favorably than the general population? (see below)

Age: Yes ☐ No ☒
Disability: Yes ☐ No ☒
Sexual Orientation: Yes ☐ No ☒
Race: Yes ☐ No ☒
Gender: Yes ☐ No ☒
Religion/Belief (non): Yes ☐ No ☒
Gender Reassignment: Yes ☐ No ☒
Pregnancy/ Maternity: Yes ☐ No ☒
Marriage/ Civil Partnership: Yes ☐ No ☒

Is it likely that the policy/procedure could affect particular ‘Inclusion Health’ groups less favorably than the general population? (substance misuse; teenage mums; carers [1]; travellers [2]; homeless [3]; convictions; social isolation [4]; refugees) Yes ☐ No ☒

Please provide details for each protected group where you have indicated ‘Yes’.

VISION AND VALUES: Policies must aim to remove unintentional barriers and promote inclusion

Is inclusive language [5] used throughout? Yes ☒ No ☐
Are the services outlined in the policy/procedure fully accessible [6]? Yes ☒ No ☐
Does the policy/procedure encourage individualised and person-centered care? Yes ☒ No ☐
Could there be an adverse impact on an individual’s independence or autonomy [7]? Yes ☐ No ☒
If ‘Yes’, how will you mitigate this risk to ensure fair and equal access?

EXTERNAL FACTORS

Is the policy/procedure a result of national legislation which cannot be modified in any way? Yes ☒ No ☒
What is the reason for writing this policy? (Is it a result in a change of legislation/ national research?) A mixture of national legislation and local policy to support staff in Information Governance

Who was consulted when drafting this policy/procedure? What were the recommendations/suggestions?

ACTION PLAN: Please list all actions identified to address any impacts

Action / Person responsible / Completion date

AUTHORISATION: By signing below, I confirm that the named person responsible above is aware of the actions assigned to them

Name of person completing the form: Elaine Yersin
Signature: EYERSIN
Validated by (line manager): Emma Davies
Signature: EDAVIES

Any issues: please contact the Diversity & Inclusion Lead, Debbie Maynard, on [email protected] or Mobile Number 07976895349

[1] Consider any additional needs of carers/ parents/ advocates etc, in addition to the service user
[2] Travelers may not be registered with a GP - consider how they may access/ be aware of services available to them
[3] Consider any provisions for those with no fixed abode, particularly relating to impact on discharge
[4] Consider how someone will be aware of (or access) a service if socially or geographically isolated
[5] Language must be relevant and appropriate, for example referring to partners, not husbands or wives
[6] Consider both physical access to services and how information/ communication is available in an accessible format
[7] Example: a telephone-based service may discriminate against people who are d/Deaf. Whilst someone may be able to act on their behalf, this does not promote independence or autonomy

TSDFT Information Governance Policies


Document Information

Date of Issue: November 2020
Next Review Date: November 2021
Version: 1
Last Review Date: New document
Document Ref: TSDFT Information Governance Policies
Author: Data Security and Protection Lead
Directorate: South Devon Health Informatics
Approval Route: Information Governance Steering Group the Audit and Assurance Committee
Approved By: IGSG
Date Approved: November 2020

Amendment History

Version: 0.1
Status: Draft
Date: September 2020
Reason for change: New document combining all IG policies in one place
Authorised: Elaine Yersin

In the application of this policy Torbay and South Devon NHS Foundation Trust will not discriminate against any persons regardless of sex, race, colour, language, religion, political, or other opinion, national or social origin, association with national minority, property, birth, or other status as defined under Article 14, European Convention on Human Rights (ECHR) 1998, Race Relations (Amendment) Act 2000 and the Disability Discrimination (Amendment) Act 2005.


Contents

DATA PROTECTION STATEMENT

INFORMATION GOVERNANCE POLICY
  Executive Summary
  Introduction
  Aims and Objectives
  Principles of Information Governance
  Openness
  Legal Compliance
  Information Security/Assurance
  Quality Assurance
  Responsibilities
  Training
  Resources

CODE OF CONFIDENTIALITY FOR EMPLOYEES IN RESPECT OF CONFIDENTIALITY
  Introduction
  Aim and Objectives
  Caldicott Principle
  Patients/Service Users
  Staff: abuse of privilege
  Other Health Service business
  Maintaining Confidentiality
  Structure and Responsibilities
  Sharing Information

DATA PROTECTION AND ACCESS POLICY
  Introduction
  Aims and Objectives
  New Legislation: Summary of key changes
    Accountability
    Conditions for processing
    Breach Notifications
    Fair Processing Notices
  Roles & Responsibilities
  Training
  Monitoring, Auditing, Reviewing & Evaluation

POLICY AND PROCEDURE FOR INFORMATION SHARING
  Aims and Objectives
  Definitions
  Duties
  Deciding to share personal information
  Legal Duties and Powers to Share Information in Relation to Children and Young People
  Process for Information Sharing in the Trust
  Training
  Secondary Uses
  Subject Access Requests
  Legal Acts Covered Under This Policy
  Useful references
  Consent Guidance for Information Sharing
  Consent
  Definition of Consent
  Informed Consent
  Implied Consent
  Express/Explicit Consent
  Recording Consent
  Keeping consent up to date
  What you need to know before sharing information
  Multi – Agency Working
  Assessment of capacity
  Adults who lack capacity
  Relatives, carers and friends
  Next of kin
  Proxy decision-makers
  Abuse and neglect
  Children and Young People
  Children who lack capacity
  Parental responsibility
  Safeguarding children & adults
  Best interests
  Public interest
  Serious crime and national security
  Public safety
  Information Sharing that Requires Express Consent
  Legislation Enabling / Requiring/ Restricting Information Sharing
  Requiring Information Sharing
  Restricting Information Sharing
  Anonymisation and Pseudonymisation
  Deceased persons
  Extract from Data Protection Legislation: Conditions for sharing personal information
  Appendix 3: Caldicott Principles
  Appendix 4: Sample Information Sharing Protocol
  Guidance on Completing an Information Sharing Protocol
  Process for Authorising Information Sharing

PSEUDONYMISATION AND THE MANAGEMENT OF PERSON IDENTIFIABLE INFORMATION WITHIN THE TRUST
  Aims and Objectives
  Introduction
  Responsibilities
  Definitions/Glossary
  Information Sharing Process
  Data Presentation
  Training and Awareness
  Contacts
  Monitoring and Review
  Specific Data Warehouse Responsibilities

PRIVACY IMPACT ASSESSMENT POLICY
  Aims and Objectives
  Introduction
  Data Protection Impact Assessments (DPIAs)
  DPIA Process
  Responsibilities

FREEDOM OF INFORMATION POLICY
  Introduction
  Scope
  Aims and Objectives
  Guide to Information
  General Rights of Access
  Conditions and Exemptions
  Charges and Fees
  Time limits for compliance with requests
  Refusal of requests
  Duty to provide advice and assistance
  Transferring Requests for Information
  Consultation with Third Parties
  Public Sector Contracts
  Accepting Information in Confidence from Third Parties
  Records Management
  “Round Robin” FOI requests
  Exemptions
  Internal FOI complaints and review process


DATA PROTECTION STATEMENT

Torbay and South Devon NHS Foundation Trust (TSDFT) has a commitment to ensure that all policies and procedures developed act in accordance with all relevant data protection regulations and guidance. This policy has been designed with the UK’s current data protection legislation in mind, and therefore provides the reader with assurance of effective information governance practice.

The UK data protection regime has 6 principles that need following, which require that personal data shall be:

1. Processed fairly, lawfully and in a transparent manner.
2. Collected for specified, explicit, and legitimate purposes and not further processed for other purposes, incompatibly with the original purpose.
3. Adequate, relevant and limited to what is necessary in relation to the purposes.
4. Accurate and kept up to date.
5. Kept in a form that permits identification no longer than is necessary.
6. Processed in a way that ensures appropriate security of that personal data.

Have all of the data protection principles been considered in the development or update of this policy? Yes ☒ No ☐

For more information:

Contact the Data Access and Disclosure Office on [email protected]

See TSDFT’s Data Protection & Access Policy

Visit our Data Protection site on the public internet

INFORMATION GOVERNANCE POLICY

Executive Summary

These policies describe the Torbay and South Devon NHS Foundation Trust (the Trust) Information Governance (IG) aims and objectives.

They confirm the Trust’s commitment to compliance with information rights legislation. They also confirm commitment to good practice through the implementation of local and national guidance.

The policies set out an approach that will deliver all of the essential compliance elements, in a way that also actively enables and supports the delivery of corporate objectives. It is an approach that will be flexible and responsive to new or changed operational requirements, and that will enable the Trust to take proportionate risk.

They demonstrate how effective information governance can help us to make the best use of our information, and as a consequence, assist in the delivery of our objectives and the improvement of our business processes.

It is an approach which will further our corporate objectives to be open and transparent about what we do, and to be accountable for the actions we take. It will give confidence to those who provide personal information to know that their information will be managed appropriately.


The IG team will set out to communicate our IG Policies and champion the IG agenda. The team will work with, and provide specialist advice and support to our staff.

Introduction

Information Governance assists the Trust and individual members of staff in ensuring that information, including personal and sensitive information is handled legally, securely, efficiently and effectively, in order to deliver the best It enables the Trust to put in place procedures and processes for their corporate information that support the efficient location and retrieval of corporate records when needed, in particular to meet requests for information and assist compliance with Corporate Governance standards.

Aims and Objectives

The policies aim to set out how the Trust provides a robust Information Governance Management Framework to ensure the delivery of internal IG assurance in accordance with national operating frameworks, legislation and the Data Security and Protection Toolkit (DSPToolkit).

Principles of Information Governance

The Trust recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. The Trust fully supports the principles of corporate governance and recognises its public accountability, but equally places importance on the confidentiality of, and the security arrangements to safeguard, both personal information about patients, staff and commercially sensitive information. The Trust also recognises the need to share patient information with other organisations in a controlled manner consistent with the interests of the service user and, in some circumstances, the public interest.

The Trust believes that accurate, timely and relevant information is essential to deliver the highest quality health and social care. As such it is the responsibility of all staff to ensure and promote the quality of information and to actively use information in decision making processes.

There are four key interlinked strands to our IG Policy:

i. Openness;
ii. Legal Compliance;
iii. Information Security; and
iv. Quality Assurance.

Openness

Non-confidential information on the Trust and its services should be available to the public through a variety of media in line with the Department of Health Code of Practice on openness in the NHS and Freedom of Information legislation. To ensure ‘openness’ the Trust will:

establish and maintain policies to ensure compliance with the Freedom of Information Act 2000;

undertake or commission routine annual assessments and audits of some of its policies and arrangements for openness;

provide patients with access to information relating to their own health and social care, their options for treatment and their rights as patients;

have clear procedures and arrangements for liaison with the press and broadcasting media;

have clear procedures and arrangements for handling queries from patients, staff and the public;

inform patients about the proposed uses of their personal information.

Legal Compliance

To ensure ‘legal compliance’ the Trust will:

respect all identifiable personal information relating to patients as confidential;

undertake or commission routine annual assessments and audits of its compliance with legal requirements;

respect all identifiable personal information relating to staff as confidential except where national policy on accountability and openness requires otherwise;

establish and maintain policies to ensure compliance with data protection legislation, Human Rights Act 1998, the common law of confidentiality and the Freedom of Information Act 2000 and that those policies comply with an Equality Impact Assessment;

establish and maintain policies for the controlled and appropriate sharing of patient information with other agencies, taking account of relevant legislation (e.g. Health and Social Care Act 2008/12/15/18, Crime and Disorder Act 1998, Children’s Act 2004, NHS Service Act 2006).

Information Security/Assurance

To ensure ‘Information Security/Assurance’ the Trust will:

establish and maintain policies for the effective and secure management of its information assets and resources;

undertake or commission annual assessments and audits of its information and IT Security arrangements;

promote effective confidentiality and security practice to its staff through policies, procedures and training;

establish and maintain incident reporting procedures and will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security.

Quality Assurance

To ensure ‘legal compliance’ and quality assurance the Trust will:

establish and maintain policies and procedures for information quality assurance and the effective management of records in accordance with national standards;

undertake or commission annual assessments and audits of its information quality and records management arrangements;

ask all managers to take ownership of, and seek to improve, the quality of information within their services;

ensure wherever possible, information quality should be assured at the point of collection;

ensure data standards are set through clear and consistent definition of data items, in accordance with national standards;

promote information quality and effective records management through local policies whilst adhering to Department of Health guidelines.

Responsibilities

An IG Steering Group, chaired by the Trust’s Senior Information Risk Officer (SIRO), has been convened, with representatives from each component of the IG Toolkit. The purpose of this group is to support and deliver the IG agenda and ensure best practice mechanisms are in place across the Trust. The group will also monitor performance via a predefined list of Key Performance Indicators (KPIs).

Training

Fundamental to the success of delivering IG Policies is developing an IG aware culture within the Trust, providing training and promoting awareness for all staff. Awareness and training needs to be provided to all staff that utilise information in their day to day work to promote this culture. In order to achieve this, a training plan will be monitored by the IG Steering Group.

Resources

Resource implications incurred by the implementation of the IG Policies and action plan will be identified by the IG Steering Group and met where appropriate by the organisation.


CODE OF CONFIDENTIALITY FOR EMPLOYEES IN RESPECT OF CONFIDENTIALITY

Introduction

The obligation to keep information confidential arises out of the common law duty of confidentiality, professional obligations and staff employment contracts.

Confidential information can be anything that relates to individuals (including non-contract, volunteers, bank / agency staff, locums, student placements), and family or friends, and however stored.

Confidential information may be held on paper, floppy disc, CD/DVD, computer systems/files (including memory sticks and flash drives) or print out, video, photograph or even heard by word of mouth. It also includes information stored on portable devices such as laptops, palmtops, mobile phones and digital cameras and covers both corporate and health systems.

Person identifiable data (PID) is anything that contains the means to identify a person. Examples of personal and confidential information are listed at the end of this section.

Certain categories of information are legally defined as particularly sensitive and should be most carefully protected by additional requirements stated in legislation (e.g. information regarding in-vitro fertilisation, sexually transmitted diseases, HIV and termination of pregnancy).

Working from the premise that all personal information obtained about individuals of the organisation should be treated confidentially, the document outlines instances when a breach of confidentiality may be justified, or necessary, and gives guidance on how this may best be achieved.

It is important to note that this guidance is designed for those authorised and qualified to make decisions about disclosure i.e. Qualified Medical, Nursing and Professional staff (plus Senior Management in the case of information on employees).

The policy document is intended as a supplement to the guidance and/or Codes of Conduct concerning confidentiality laid down by individual medical and professional bodies. Reference should be made to the numerous publications these organisations have produced such as the British Medical Association and National Medical Council.

Aim and Objectives


This document has been created to assist health and social care professionals when working with confidential information, e.g. patient identifiable data held by Torbay and South Devon NHS Foundation Trust (TSDFT).

This policy has been drafted in accordance with the principles of significant legislation outlined in Appendix Three. Under the Freedom of Information Act 2000, the section is classified as ‘OPEN’.

Caldicott Principle

When considering the sharing of personal and/or confidential information, all staff should, as a minimum, apply the following seven Caldicott principles:

1. Justify the purpose(s) of using confidential information
2. Only use it when absolutely necessary
3. Use the minimum that is required
4. Access should be on a strict need-to-know basis only
5. Everyone must understand his or her responsibilities
6. Understand and comply with the law (i.e. Data Protection Legislation)
7. The duty to share information can be as important as the duty to protect patient confidentiality

In the course of your duties you may have access to confidential information, including material held electronically, on paper and verbally about:

Patients/Service Users

Staff are authorised to have access to patient information they need to know in order to perform their duties. Gaining access or attempting to gain access to information that you do not need to see to carry out your work is a breach of confidentiality as is passing information on to someone who is not authorised to receive it.

Personal information relating to individual patients must not be divulged to anyone without the patient’s consent, other than authorised persons who are directly concerned with their care, diagnosis or treatment e.g. Medical Staff, Nursing Staff or other Professional Staff.

However, there are certain circumstances under which information can be disclosed without seeking and obtaining consent or where consent is refused. Examples are where the law requires or there is an overriding public interest, e.g. where child abuse is suspected; or for the protection of vulnerable adults or where failure to disclose would put someone else at risk. Check with your Manager, Caldicott Guardian (CG) or Data Access & Disclosure Office prior to any sharing of information.


If a patient does not wish their information to be shared, their decision must be respected unless to do so would compromise their care. If necessary seek guidance from one of the contacts outlined below. Any decisions must be documented in the individual’s health/social care record.

If you are in any doubt about the authority/identity of anyone, including a relative or friend of the individual or member of staff, asking for information of this nature, you must immediately seek advice from your line manager, Caldicott Guardian, the IG Team, Data Security and Protection lead or the Data Access and Disclosure Office.

All requests for identifiable information should be on a justified need and some may also need to be agreed by a Caldicott Guardian (CG).

Staff: abuse of privilege

It is strictly forbidden for employees to look at any information relating to themselves, their own family, friends or acquaintances, whether held in a paper record or IT system, unless they are directly involved in the patient’s clinical care or with the employee’s administration on behalf of the organisation. Action of this kind will be viewed as a breach of confidentiality and may result in disciplinary action.

If you have any concerns about this issue please discuss with your line manager or one of the contacts above.

Individual members of staff are entitled to request access to their personal file; any such request should be made in writing to the individual’s line manager in the first instance.

You must not divulge information of a personal or confidential nature concerning individual members of staff or their families. You must complete mandatory Information Governance training annually.

Other Health Service business

In the course of your duties you may have access to other sensitive information not related to individual care. This information should also be treated as confidential and must only be discussed with relevant personnel.

Failure to observe this Code of Conduct:

• Will be regarded as misconduct
• Could breach individual’s rights and damage the reputation of the Health Community
• Could result in disciplinary action being taken against you, up to and including dismissal
• Could lead to your conduct being reported to Professional Regulatory Bodies
• Could lead to legal action being taken against you by others
• Could lead to the organisation being fined by the Information Commissioner’s office


Maintaining Confidentiality

• Do not talk about individuals in public places or where you can be overheard.
• Do not leave any medical/social care records or confidential information lying around unattended.
• Before removing documents from a printer, check that they are your own documents and do not belong to anybody else.
• Check outgoing correspondence for accuracy. Additionally, check that letters containing personal identifiable information relate to the subject matter and that they are being sent or given to the intended recipient.
• Handle both incoming and outgoing mail from a clear desk.
• Check intended recipient’s email address before sending. Sometimes the name will be completed automatically. Do not assume that the name/email address is correct at all times.
• If absolutely necessary, confidential information that identifies an individual can be sent but only to a Government secure site or NHSmail – see list of secure government email domains on NHS Mail.
• Confidentially destroy personal identifiable information, e.g. handover sheets, clinic lists, in line with Trust policies, e.g. Trust Confidential Waste, Procedure for Managing the Destruction of Health & Social Care case notes/ Non-Medical case notes.
• Make sure that any computer screens, or other displays of confidential or sensitive information, cannot be seen by the general public or anybody else not entitled to see it.
• Filing in patient health & social care records – check before filing that the information is being filed/stored within the correct patient’s records.
• If you are sending a fax, please use the cover sheet and follow safe haven procedures.

Structure and Responsibilities

Best practice guidelines for staff are outlined in TSDFT Information Assurance Policy.

All staff will have included in their Contract of Employment a paragraph relating to Information Governance and a confidentiality disclaimer. The disclaimer will need to be signed by all staff. A copy should be retained by the member of staff and the original placed in their personal file.

All staff are to undertake Information Governance training annually as a mandatory requirement.

Sharing Information

The TSDFT fully supports the sharing of information in accordance with agreed Information Sharing protocols.

Whilst the TSDFT seeks to maximise partnership and information exchange the confidentiality, integrity and availability of the TSDFT information systems will be a priority.

Guidance on information sharing can be found in the Information Assurance Policy and Trust document “Policy and Procedure for Information Sharing (including consent)”

Requests from other hospitals for photocopies of a patient’s medical records should be dealt with by the relevant health professional involved in the care of the patient.

Requests by patients for access to their own health records, or requests from solicitors, insurance companies or private consultants for access to medical records (including for insurance purposes), should be referred to the Data Access & Disclosure Office, Kitson Hall, Torbay Hospital for processing. Tel: 01803 654868 or email [email protected]

In the event of any doubt, reference must be made to the Data Security and Protection Lead

Requests from solicitors in relation to a clinical negligence claim should be referred to the Litigation Office, Bowyer Building, Torbay Hospital.

DATA PROTECTION AND ACCESS POLICY

Introduction

Torbay and South Devon NHS Foundation Trust (TSDFT) is required to ensure that all reasonable and appropriate measures are taken to ensure the security, privacy and confidentiality of the Personal Identifiable Data (PID) that is held about patients, staff and service users. This requirement is mandated in law and by the Department of Health within a number of Acts and Guidance documents (See Appendix One).

All legislation relevant to an individual’s right of confidence and the ways in which that can be achieved and maintained are paramount to the Trust. This relates to roles that are reliant on computer systems or manual records such as; patient/client administration/payment, purchasing, invoicing, care/treatment planning and the use of manual records relating to individuals whose information may be held within the Trust.

Under UK data protection legislation, the Information Commissioner (ICO) may, in certain circumstances, serve a monetary penalty notice on an organisation up to the maximum of €20,000,000 (£17million) or up to 4% of annual turnover for breach of the legislation. This can be combined with an undertaking which may involve the changing of processes and procedures at the Trust as appropriate.

This policy outlines how the Trust will meet its legal obligations under current law to hold, obtain, record, use, and store all personal identifiable data in a secure and confidential manner. It is the policy of the Trust that all processing of personal data by, or on behalf of the Trust will be in accordance with the six principles of good practice put in place by the legislation.

The Trust will take reasonable measures to obtain informed consent wherever possible, for the sharing of information. The organisation recognises that for consent to be valid, the data subject must be informed of the purpose for which the information is being collected, how it will be used and with whom it will be shared.

Aims and Objectives

This Policy sets out the expectation of how the Trust and its staff will ensure compliance with the relevant Acts, including the specific roles and responsibilities, training, monitoring and audit. Specifically this Policy will support the Six Principles of current UK data protection legislation as well as Caldicott Principles, which are:

• Processed fairly, lawfully and in a transparent manner.
• Collected for specified, explicit, and legitimate purposes and not further processed for other purposes incompatible with the original purpose.
• Adequate, relevant and limited to what is necessary in relation to the purposes.
• Accurate and kept up to date.
• Kept in a form that permits identification no longer than is necessary.
• Processed in a way that ensures appropriate security of that personal data.

Caldicott Principles

• Justify the purpose(s) for using confidential information
• Don't use personal confidential data unless it is absolutely necessary
• Use the minimum necessary personal confidential data
• Access to personal confidential data should be on a strict need-to-know basis
• Everyone with access to personal confidential data should be aware of their responsibilities
• Comply with the law
• The duty to share information can be as important as the duty to protect patient confidentiality

New Legislation: Summary of key changes

New Data Subject Rights

• The Trust will only be able to charge for requests in exceptional circumstances
• New right to object to the processing of data for risk stratification or case finding if this amounts to profiling
• New right of data portability and enhanced rights of erasure

Accountability

• The Trust will need to demonstrate compliance and can be fined even if no harm has occurred.
• New systems must be designed in accordance with privacy by design and privacy by default

Conditions for processing

• Schedule 3 medical purposes is expanded to include Social Care
• New Schedule 3 condition for public health, quality and safety of health care and quality and safety of drugs and medical devices.

Breach Notifications

• New duty to inform subjects of high risk breaches
• Duty to notify the ICO within 72 hours of breaches unless they are unlikely to result in a risk to the rights and freedoms of people
• Duty to report to the ICO even if only small numbers of service users affected.

Fair Processing Notices

• Additional information will need to be included in privacy notices including data retention periods, source of data and data processing conditions relied on
• Privacy notices should be able to be understood by children whose data is processed.

Roles & Responsibilities

The Chief Executive has the ultimate responsibility for compliance with all relevant Acts and Guidance within the Trust. They have delegated the responsibility for bringing Data Protection issues to the Board to the Caldicott Guardian.

The Caldicott Guardian plays a key role in ensuring that the Trust and its partner organisations satisfy the highest practical standards for handling personal information. Acting as the “conscience” of the Trust, the Caldicott Guardian will actively support work to facilitate and enable information sharing, advising on options for lawful and ethical processing of information as required.

The Data Protection Officer (DPO) is responsible for the following:

• Ensuring that TSDFT complies with all relevant Acts and Guidance in relation to Data Protection and Access.
• Promoting Data Protection awareness throughout the Trust by providing written procedures/guidance that are widely disseminated and available to staff.
• Co-ordinating the work of other staff with data protection responsibilities.
• Ensuring patients and service users are provided with information on their rights under data protection legislation and how the information we collect is held, used, shared and stored.
• Monitoring compliance with the Act and the effectiveness of procedures through the use of compliance checks/audits and ensuring appropriate action is taken where non-compliance is identified.
• Assisting with investigations into breaches of confidentiality or data loss of personal and sensitive information.
• Co-ordinating, investigating and reporting incidents involving the breaching of person confidential data.
• Maintaining the Registration with the Information Commissioner for data handling activities.
• Implementing and maintaining a process for handling Subject Access Requests including from patients, service users, and third parties, Solicitors, Courts and Police.

Managers will ensure that all staff including contractors, bank, voluntary and other agency staff:

• are aware of and comply with the Data Protection & Access Policy, its associated procedures/guidelines and any updates,
• attend all mandatory and appropriate training,
• have appropriate access to systems which contain personal and sensitive data,
• know how to respond to subject access requests,
• know how to access and store personal identifiable information, both manual and electronic records.

All Staff need to be aware that confidentiality and security of information includes all information relating to the Health and Social Care Community, its patients, service users, carers and employees. Such information may relate to staff or patient/client’s records, telephone enquiries about individuals, electronic databases or methods of communication containing personal identifiable information including mobile devices. Staff will be expected to:

• read and comply with the Confidentiality: Staff Code of Practice which forms part of their contract of employment;
• adhere to this Policy and any associated procedures/guidelines;
• attend all mandatory training and awareness programs;
• ensure that all personal identifiable information is accurate, relevant, up-to-date and used appropriately on both electronic and manual records and devices;
• share information on a ‘need to know’ basis only (see checklist in Appendix 2);
• ensure that all personal identifiable information is kept safe and secure at all times and in line with the Trust’s Retention & Disposal Schedule;
• be aware that personal and sensitive information should not be published on the Trust’s website.

It must be stressed that you must not take personal identifiable and/or sensitive data home with you or keep it at home, particularly on your home computer unless authorised to do so or when using home-accessible environments specifically designed to offer the necessary protections (e.g. NHSmail, Accellion, BoardPacks, Bring Your Own Device (BYOD)). Home computers can be easily compromised putting all the information at risk.

If as an employee you are found to have made an unauthorised disclosure you may face disciplinary action, which could lead to your dismissal and legal action being taken against you.

Training

To support the implementation of this Policy and the adherence to the relevant Acts and Guidance, ALL STAFF will complete the mandatory Information Governance Training module on an annual basis. Additionally, for specific staff groups, more in-depth training is required via the Information Governance Training Tool and local modules. This information can be found within the IG Training Implementation Plan.

Monitoring, Auditing, Reviewing & Evaluation

The sharing of personal confidential data will be monitored through the Information Sharing processes at the Trust, including adherence to the Information Sharing Agreements in place.

This Policy and its associated procedures/guidelines will be monitored by the Data Security and Protection Lead.

Data Protection issues and updates will be reported as a matter of routine to the Information Governance Steering Group and, where appropriate, to the Board.

Internal Audit will review this policy and its implementation as part of their annual Audit Plan. The DPO may also ask them to assist with specific areas of assurance.

The Trust will implement the use of the complaints procedure to deal with complaints in connection with current data protection legislation. If the complainant is dissatisfied with the conduct of the Trust, then they can be referred to the Information Commissioner.

This Policy and associated procedures will be reviewed annually or earlier if appropriate, to take into account any changes to legislation that may occur, and/or guidance from the Department of Health, the NHS Executive and/or the Information Commissioner or following recommendations from internal and/or external audit reports.

Legislation and Guidance

• Data Protection Act 1998
• Data Protection Act 2018
• Access to Health Records 1990
• Human Rights Act 1998
• Freedom of Information Act 2000
• Environmental Regulations Act 2004
• Regulation of Investigatory Powers Act 2000
• Crime and Disorder Act 1998
• Mental Capacity Act 2005
• Police and Criminal Evidence Act 1984
• Health and Social Care Act 2012 2015
• Confidentiality NHS Code of Practice
• Caldicott Guardian Manual
• Information Security and Management NHS Code of Practice Records Information Governance: to share or not to share
• General Data Protection Regulations GDPR

POLICY AND PROCEDURE FOR INFORMATION SHARING

Introduction

Sharing personal information can bring many benefits. It can support more efficient, easier to access services. It can help to make sure that the vulnerable are given the protection they need, and that organisations can co-operate to deliver the care that those with complex needs rely on.

Sharing personal information also presents risks. Information systems are becoming more complex and widespread. There is a potential for more information about our private lives, often highly sensitive, to become known to more and more people.

This information sharing policy and procedure for South Devon Healthcare NHS Foundation Trust (the Trust) sets out the obligations and commitments that staff must follow to ensure that legislation is not breached and the confidentiality of patients/clients/families/carers/staff/ employees is maintained.

The current Data Protection Legislation, the Common Law Duty of Confidence, Caldicott Principles and Human Rights Act 1998 play a major role in the use and protection of personal information.

The Freedom of Information Act 2000 gives everyone the right to ask for information held by a public authority, to be told whether the information is held, and, unless exempt, to have a copy of the information.

Aims and Objectives

The objectives of this policy are to:

• provide a framework to clarify Trust procedures relating to the sharing of information
• ensure everyone working with personal information understands the importance of information sharing, where it improves care for patients and it is for the direct continuing care of patients
• ensure that only the minimum information necessary for the purpose is shared
• ensure that when information needs to be shared, that sharing complies with the law, guidance and best practice
• ensure that the individuals’ rights are respected
• ensure that confidentiality is adhered to unless there is a robust public interest in disclosure or a legal justification to do so
• outline the importance and benefits of information security and confidentiality training.

Definitions

Any of the following information collected in the course of a patient’s care or staff employment will/could constitute person identifiable information:

• name
• address
• post code
• date of birth
• NHS number
• National Insurance Number
• carer’s details
• next of kin details
• contact details
• bank details
• lifestyle
• family details
• voice and visual records (e.g. photographs, tape recordings).

This list is not exhaustive.

Further sensitive ‘special category’ personal information that could also be recorded within a patient/employee’s record may be:

• racial or ethnic origin
• political opinions
• religious beliefs
• trade union membership
• physical or mental health condition
• sexual life
• offences alleged or committed or the sentencing from any court proceedings
• school, employment, and social services
• bank and financial
• biometric data
• genetic data.

Information sharing may apply to staff information as well as patient information.

Duties

Caldicott Guardian

The Trust has appointed a Caldicott Guardian (the Medical Director) who will act as the gatekeeper of patient information. The Caldicott Guardian will be familiar with current legislation, guidance and best practice.

Senior Information Risk Owner (SIRO)

The SIRO will act as an advocate for information risk on the Board and in internal discussions, and will provide written advice to the Accountable Officer (the Chief Executive) on the content of their annual Statement of Internal Control (SIC) in regard to information risk.

Responsibilities of the Trust

The Trust will ensure that information sharing protocols exist for all transfers of person identifiable information outside of the NHS and agrees to do the following.

• Keep information confidential, and ensure it is effectively protected against inappropriate disclosure at all times.
• Seek patient consent to disclosure of information wherever possible unless there is a legal requirement for disclosure, or an overriding public interest in disclosure.
• Develop processes for sharing good information management practices to help organisations work together.
• Make sure that those people giving information also give permission to share it, where appropriate.
• Work towards a common set of goals for sharing information.
• Work towards BS ISO-IEC 17799; 2005 (Part 1) and BS ISO-IEC 27001; 2005 (Part 2), the technical standards for information security.

Responsibilities of Individuals

Normally all information sharing requires some form of consent. Every member of staff contemplating sharing information should refer to Appendix 1 Consent Guidance for Information Sharing for an explanation of the following areas:

• what is consent?
• an overview as to when information can and cannot be shared
• examples of best practice.

Deciding to share personal information

Any information sharing must be necessary and any information shared must be relevant and not excessive. Before sharing information staff should decide on the following.

• Why do you need to share personal information?
• Do you need to share information in a personally identifiable form or would anonymised, pseudonymised, or statistical information be enough?
• What legal provisions exist that require or permit you to share information?
• Whether any issues might arise as the result of sharing confidential or sensitive information.
• Is consent from the individual required, and if so how would you obtain consent?
• What would you do if consent is withheld?

Legal Duties and Powers to Share Information in Relation to Children and Young People

In addition to legislation about information sharing, there are a large number of specific Acts of Parliament that give a duty or power to share information about children and young people for various purposes. Appendix 1 gives information about these statutory duties and powers.

Process for Information Sharing in the Trust

In order for the Trust to meet its obligation under Requirement 207 of the Connecting for Health Data Security and Protection Toolkit to have in place information sharing protocols with all non NHS organisations, the Caldicott Guardian will initially consider any protocols that need to be set up and then if appropriate submit to the Information Governance Steering Group for final approval. All staff who share person identifiable information must ensure that a protocol exists before sharing any information with non NHS Organisations.

Any information to be shared electronically (e.g. by email, only to a designated Government Secure Intranet (GSI) address, or on disc, regardless of with whom) must first be encrypted.

When submitting an information sharing protocol for consideration, staff should give details of the method by which data will be secured in transit.

Training

All staff should attend, as part of their induction, training sessions on Information Governance, and supplementary training will be provided annually to all staff through a mandatory online or face-to-face training programme.

Secondary Uses

Health professionals may receive requests for disclosure of patient information from those not directly involved in the patient’s care. Such secondary use of patient information falls into three broad categories:

• use within the NHS for administration, planning, audit, commissioning and payment by results
• use by agencies commissioned by the NHS to carry out such roles on its behalf
• use where identifiable information goes beyond health care provision in the NHS to include research and education.

Patient data may be disclosed to an appropriate and secure authority and used for secondary purposes if:

• they have been effectively anonymised or pseudonymised
• they are required by law
• the patient has given explicit consent
• the health professional is satisfied, in some limited circumstances, that the patient is aware of the use and has not objected to it and so has effectively provided implied consent
• disclosure is authorised by the Ethics and Confidentiality Committee of the National Information Governance Board under S251 of the NHS Act 2006
• the health professional is satisfied that the legal and professional criteria for disclosure without consent in the ‘public interest’ have been met and has sought advice from the Caldicott guardian, professional body or defence organisation in the case of any doubt.

Consideration must be given to the National Data Opt Out

In the absence of patient consent, anonymised data should be used for any secondary purpose where it is practicable to do so. Some secondary uses of patient data are for social purposes unconnected with the provision of health care, e.g. for insurance or employment purposes. Such disclosure requires explicit patient consent.

Subject Access Requests

The Trust has internal procedures in place for handling and responding to Subject Access Requests (i.e. requests for access to personal data made pursuant to current Data Protection Legislation). All requests are dealt with by the Data Access and Disclosure Office, Kitson Hall, Torbay Hospital.

Legal Acts Covered Under This Policy

• Data Protection
• Human Rights Act 1998
• Freedom of Information Act 2000
• Access to Health Records Act 1990 (Where not superseded by the Data Protection Legislation)
• Computer Misuse Act 1990
• Copyright, Designs and Patents Act 1988 (as amended by the Copyright Computer Programs Regulations 1992)
• Crime and Disorder Act 1998
• Electronic Communications Act 2000
• Regulation of Investigatory Powers Act 2000
• Children Act 1989

Useful references

Information Commissioner’s Office. www.ico.gov.uk

Connecting for Health. www.connectingforhealth.nhs.uk/systemsandservices/infogov/confidentiality

General Medical Council. www.gmc-uk.org

Consent Guidance for Information Sharing

Introduction

The aim of this document is to give guidance to enable personal information concerning patients and if appropriate members of staff to be shared between organisations without compromising confidentiality unless there is a legal requirement, or an overriding public interest to do so.

Confidentiality is an essential requirement for the preservation of trust between patients and health professionals and is subject to legal and ethical safeguards. Patients should be able to expect that information about their health which they give in confidence will be kept confidential unless there is a compelling reason why it should not. There is also a strong public interest in maintaining confidentiality so that individuals will be encouraged to seek appropriate treatment and share information relevant to it.

As a general principle all personal information must only be collected, held and shared on a strict ‘need to know’ basis and all decisions to share information that are not directly associated with the direct continuing healthcare of the patient should be recorded.

Consent

Consent is required in all cases of sharing patient/employee identifiable information unless disclosure is required by law, or there is an overriding public interest in disclosure.

Definition of Consent

Consent to disclosure may be explicit or implied. It may also be consent to disclosure of specific information to a particular person or body for a particular purpose or it may be consent to general future disclosure for particular purposes. In either case consent should be informed and freely given.

Consent is defined in Confidentiality: NHS Code of Practice (2003) as follows.

Informed Consent


All consent should be informed. Every patient should be informed about what happens to the information they give to the NHS (it is the minimum requirement under Data Protection Legislation). For each episode of care staff should ensure that the patient is aware of who will see their information, what they will be doing with it and give them the opportunity of saying ‘no’ to information sharing, unless legislation dictates otherwise.

All patients should receive the following information:

• who the Data Controller is
• why the information is needed
• the purposes for which the information will be processed
• who will see the information
• any disclosures that may need to be made to other organisations (e.g. other acute hospitals, social care, clinical audit, GP, mental health teams, drug and alcohol teams etc)
• the circumstances in which information may be disclosed without consent, where there is an overriding public interest (e.g. adult / child protection or serious crime)
• information restricted by legislation (e.g. serious communicable diseases)
• information that must be passed on because of legislation (e.g. births, deaths, cancer registries, abortion).

If patients/employees have any reservations about information sharing then it should be explained that direct continuing care could be affected by restrictions placed on sharing. If patients still refuse to share any information then consent has not been gained and the patient’s wishes must be respected unless there is a legal requirement, or an overriding public interest in disclosure (see above).

Implied Consent

Patient agreement that has been signalled by the behaviour of an informed patient.

Implied consent is not a lesser form of consent but in order for it to be valid it is important that patients are made aware that information about them will be shared, with whom it will be shared, and of their right to refuse. Health professionals bear responsibility for the disclosures they make, so when consent is taken to be implied, they must be able to demonstrate that the assumption of consent was made in good faith and based on good information. If not, consent has not been given and some other justification will be needed for its disclosure. In addition to information provided face to face in the course of a consultation, leaflets, posters and information included with an appointment letter can play a part in conveying to patients the reality and necessity of information sharing. Implied consent is usually sufficient for direct patient care

Express/Explicit Consent

Articulated patient agreement. Clear and voluntary indication of preference or choice, usually given orally or in writing and freely given in circumstances where the available options and the consequences have been made clear. Explicit consent is the ideal as there is no doubt as to what has been agreed.

Recording Consent

It should be recorded in the patient’s notes if they have been provided with, and understand, the notice/leaflet regarding information sharing and have not said ‘no’ to sharing any part of their information.

Where a patient has refused to share information this should be recorded in the patient’s record, dated, timed and signed. That information must not be shared unless there is a legal requirement or an overriding public interest in disclosure.

Keeping consent up to date

It is essential that children, or adults who have been unwell, once they gain capacity, are asked to confirm their own choice, as a previous recorded choice regarding consent will have been made by another party, on their behalf, which may not reflect their own choice.

It may also be essential to revisit the consent at other times e.g. when changes which impact on how information is used are introduced. Consent should also be reviewed whenever there are changes to information sharing/disclosure during an episode of care.

What you need to know before sharing information

Sharing information with other health professionals

In the absence of evidence to the contrary, patients are normally considered to have given implied consent for the use of their information by health professionals for the purpose of the care they receive. Information sharing in this context is acceptable to the extent that health professionals share what is necessary and relevant for patient care on a need to know basis.

Health and social care, although often closely related, do not always fall into the same category, and disclosures of information to social care usually require explicit consent from competent patients. Sometimes two competing interests come into conflict, such as the patient’s informed refusal to allow disclosure, and the need to provide effective treatment to that person. A patient’s refusal to allow information sharing with another health professional may compromise patient safety, but if this is an informed decision by a competent person it should be respected.

Multi-Agency Working

Health professionals during the course of their treatment of patients will have contact with partner organisations from time to time. These include social care, housing and benefits agencies. Health professionals should from the outset discuss with patients the desirability of sharing information with other agencies as appropriate. Other agencies may wish to be involved in discussions about patients at various points in their treatment, or to attend case conferences, or multi-disciplinary meetings. Health professionals may also be invited to attend external case conferences organised by partner organisations to discuss the health and welfare of patients. In all these circumstances information sharing should take place with explicit consent or in the absence of explicit consent where disclosure is required by law, or there is an overriding public interest in disclosure.

Assessment of capacity

All people aged 16 and over are presumed, in law, to have the capacity to give or withhold their consent to disclosure of confidential information unless there is evidence to the contrary. A patient who is suffering from a mental disorder or impairment does not necessarily lack the capacity to give or withhold their consent. Equally, patients who would otherwise be competent may be temporarily incapable of giving valid consent due to factors such as extreme fatigue, drunkenness, shock, fear, severe pain or sedation. The fact that an individual has made a decision that appears to others to be irrational or unjustified should not be taken on its own as conclusive evidence that the individual lacks the mental capacity to make that decision. If, however, the decision is clearly contrary to previously expressed wishes, or is based on a misperception of reality, this may be indicative of a lack of capacity and further investigation will be required.

There is no presumption of capacity for people under 16 in England and Wales, and those under this age must demonstrate their competence by meeting certain standards set by the courts. The central test is whether the young person has sufficient understanding and intelligence to understand fully what is proposed.

To demonstrate capacity individuals should be able to:
• understand in simple language (with the use of communication aids, if appropriate) what is to be disclosed and why it is being disclosed
• understand the main benefits of disclosure
• understand, in broad terms, the consequences of disclosure
• retain the information long enough to use it and weigh it in the balance in order to arrive at a decision
• communicate the decision (by any means)
• make a free choice (i.e. free from undue pressure).

Adults who lack capacity

Temporary or permanent mental incapacity

Patients with mental disorders or learning disabilities should not automatically be regarded as lacking the capacity to give or withhold their consent to disclosure of confidential information. Unless unconscious, most people suffering from a mental impairment can make valid decisions about some matters that affect them. An individual’s mental capacity must be judged in relation to that particular decision being made. If therefore a patient has the requisite capacity, disclosure of information to relatives or third parties requires patient consent. One of the most difficult dilemmas for health professionals occurs where the extent of such a patient’s mental capacity is in doubt. In such cases health professionals must assess the information which is available from the patient’s health record and from third parties. They should attempt to discuss with patients their needs and preferences as well as assess their ability to understand their condition and prognosis. If there is still doubt about a patient’s competence to give or withhold consent, health professionals should seek a second opinion.

Relatives, carers and friends

If a patient lacks capacity, health professionals may need to share information with relatives, friends or carers to enable them to assess the patient’s best interests. Where a patient is seriously ill and lacks capacity, it would be unreasonable always to refuse to provide any information to those close to the patient on the basis that the patient has not given explicit consent. This does not, however, mean that all information should be routinely shared, and where the information is sensitive, a judgement will be needed about how much information the patient is likely to want to be shared, and with whom. Where there is evidence that the patient did not want information shared, this must be respected.

Next of kin

Although widely used, the phrase ‘next of kin’ has no legal definition or status. If a person is nominated by a patient as next of kin and given authority to discuss the patient’s condition, such a person may provide valuable information about the patient’s wishes to staff caring for the patient. However, the nominated person cannot give or withhold consent to the sharing of information about the patient and has no rights of access to the patient’s medical records. The patient may nominate anyone as next of kin. In the absence of such a nomination, no-one can claim to be next of kin.

Proxy decision-makers

In England and Wales, the Mental Capacity Act 2005 allows people over 18 years of age who have capacity to appoint a welfare attorney to make health and personal welfare decisions once capacity is lost. The Court of Protection may also appoint a deputy to make these decisions. Where a patient lacks capacity and has no relatives or friends to be consulted, the Mental Capacity Act requires an Independent Mental Capacity Advocate to be appointed and consulted about all decisions about ‘serious medical treatment’, or place of residence. An attorney or deputy can also be appointed to make decisions relating to the management of property and financial affairs. In the case of health information, health professionals may only disclose information on the basis of the patient’s best interests.


Abuse and neglect

Where health professionals have concerns about a patient lacking capacity who may be at risk of abuse or neglect, it is essential that these concerns are acted upon and information is given promptly to an appropriate person or statutory body, in order to prevent further harm. Where there is any doubt as to whether disclosure is considered to be in the patient’s best interests, it is recommended that the health professional discusses the matter on an anonymised basis with a senior colleague. Health professionals must ensure that their concerns and the actions they have taken or intend to take, including any discussion with the patient, colleagues or professionals in other agencies, are clearly recorded in the patient’s medical records.

Children and Young People

Competent children

There is no presumption of capacity for people under 16 in England, Wales and Northern Ireland and those under that age must demonstrate they have sufficient understanding of what is proposed. However, children who are aged 12 or over are generally expected to have capacity to give or withhold their consent to the release of information. Younger children may also have sufficient capacity. When assessing a child’s capacity it is important to explain the issues in a way that is suitable for their age. If the child is competent to understand what is involved in the proposed treatment, the health professional should, unless there are convincing reasons to the contrary (for instance, abuse is suspected), respect the child’s wishes if they do not want parents or guardians to know. However, every reasonable effort must be made to persuade the child to involve parents or guardians, particularly for important or life-changing decisions.

Children who lack capacity

The duty of confidentiality owed to a child who lacks capacity is the same as that owed to any other person. Occasionally, young people seek medical treatment, for example, contraception, but are judged to lack the capacity to give consent. An explicit request by a child that information should not be disclosed to parents or guardians, or indeed to any third party, must be respected save in the most exceptional circumstances, for example, where it puts the child at risk of significant harm, in which case disclosure may take place in the ‘public interest’ without consent. Therefore, even where the health professional considers a child to be too immature to consent to the treatment requested, confidentiality should still be respected concerning the consultation, unless there are very convincing reasons to the contrary. Where a health professional decides to disclose information to a third party against a child’s wishes, the child should generally be told before the information is disclosed. The discussion with the child and the reasons for disclosure should also be documented in the child’s record.

Parental responsibility


Anyone with parental responsibility can give or withhold consent to the release of information where the child lacks capacity. Not all parents have parental responsibility.

In relation to children born after 1 December 2003, both of a child’s biological parents have parental responsibility if they are registered on a child’s birth certificate.

In relation to children born before these dates, a child’s biological father will only automatically acquire parental responsibility if the parents were married at the time of the child’s birth or some time thereafter. If the parents have never been married, only the mother automatically has parental responsibility, but the father may acquire that status by order or agreement. Neither parent loses parental responsibility on divorce.

Where the child has been formally adopted, the adoptive parents are the child’s legal parents and automatically acquire parental responsibility.

Where the child has been born as a result of assisted reproduction, there are rules under the Human Fertilisation and Embryology Act 2008 that determine the child’s legal parentage.

In some circumstances people other than parents acquire parental responsibility, for example by the appointment of a guardian or on the order of a court.

A local authority acquires parental responsibility (shared with the parents) while the child is the subject of a care or supervision order.

In some circumstances parental responsibility can be delegated to other carers such as grandparents and childminders.

If there is doubt about whether the person giving or withholding consent has parental responsibility, legal advice should be sought.

Where an individual who has parental responsibility refuses to share relevant information with other health professionals or agencies and the health professional considers that it is in the best interest of the child to share information (for example, not sharing information puts the child at risk of significant harm), disclosure may take place in the public interest without consent.

Safeguarding children & adults

Where health professionals have concerns about a child or adult who may be at risk of abuse or neglect, it is essential that these concerns are acted upon and information is given promptly to an appropriate person or statutory body, in order to prevent further harm. The best interests of the child or adult involved must guide decision-making at all times. Knowing what to do when patients do not want confidential information disclosed, despite this being the best way to ensure that they do not suffer harm or abuse, is very difficult for health professionals. Health professionals should not make promises about confidentiality that they may not be able to keep but, as in the case of any patient, trust is best maintained if disclosure is not made without prior discussion between the health professional and the child or adult, unless to do so would expose them or others to an increased risk of serious harm.

Where there is any doubt as to whether disclosure is in the child’s or adult’s best interests, it is recommended that the health professional has a confidential discussion with an experienced colleague, the Caldicott Guardian, the Data Protection Lead, or their professional defence body. Health professionals must ensure that their concerns, and the actions they have taken, or intend to take, including any discussion with the child or adult, colleagues or professionals in other agencies, are clearly recorded in the medical record. Health professionals may be involved in case reviews for which the records may need to be disclosed, but care should be taken not to disclose the notes of other family members without consent unless it can be justified in the public interest.

Best interests

All decisions taken on behalf of someone who lacks capacity must be taken in their best interest. A best interest judgement is not an attempt to determine what the patient would have wanted. It is as objective a test as possible of what would be in the patient’s actual best interests, taking into account all relevant factors. A number of factors should be addressed including:

• the patient’s own wishes (where these can be ascertained)
• where there is more than one option, which option is least restrictive of the patient’s future choices
• the view of the parents, if the patient is a child
• the views of people close to the patient, especially close relatives, partners, carers, welfare attorneys, court-appointed deputies or guardians, about what the patient is likely to see as beneficial.

Public interest

General Principles

In the absence of patient consent, a legal obligation or anonymisation, any decision as to whether identifiable information is to be shared with third parties must be made on a case by case basis and must be justifiable in the public interest. Public interest is the general welfare and rights of the public that are to be recognised, protected and advanced. Disclosures in the public interest based on the common law are made where disclosure is essential to prevent a serious and imminent threat to public health, national security, the life of the individual or a third party or to prevent or detect serious crime. Ultimately, the public interest can only be determined by the courts. However, when considering disclosing information to protect the public interest, health professionals must:

• consider how the benefits of making the disclosure balance against the harms associated with breaching the patient’s confidentiality both to the individual clinical relationship and to maintaining public trust in a confidential service;
• assess the urgency of the need for disclosure;
• discuss with and encourage the patient to disclose voluntarily;
• inform the patient before making the disclosure and seek his or her consent, unless to do so would increase the risk of harm or inhibit effective investigation;
• disclose the information promptly to the appropriate body;
• reveal only the minimum information necessary to achieve the objective;
• seek assurance that the information will be used only for the purpose for which it is disclosed;
• document the steps taken to seek or obtain consent, and the reasons for disclosing the information without consent;
• be able to justify the decision;
• document both the extent of and grounds for the disclosure.

Health professionals should be aware that they risk criticism, and even legal liability, if they fail to take action to avoid serious harm. There is no specific legislation which tells health professionals whether or not to disclose information in a particular case, but general guidance about the categories of cases in which decisions to disclose may be justifiable is given below. Guidance should be sought from the Caldicott Guardian, Data Protection Lead, Trust Solicitor, professional body or defence body where there is any doubt as to whether disclosure should take place in the public interest.

Serious crime and national security

There is no legal definition as to what constitutes a serious crime. In the Police and Criminal Evidence Act 1984 a ‘serious arrestable offence’ is an offence that has caused or may cause:
• serious harm to the security of the state or to public order
• serious interference with the administration of justice or with the investigation of an offence
• death
• serious injury
• substantial financial gain or serious loss.

This includes crimes such as murder, manslaughter, rape, treason, kidnapping and abuse of children or other vulnerable people. Serious harm to the security of the state or to public order and serious fraud will also fall into this category. In contrast, theft, minor fraud or damage to property where loss or damage is less substantial would generally not warrant breach of confidence.

Public safety

A common example of what can be categorised as public safety occurs in connection with the assessment of patients with, for example, diabetes, epilepsy, defective eyesight, hypoglycaemia or serious cardiac conditions who have been advised by health professionals to discontinue driving, but who nevertheless continue. The DVLA should be informed if anybody is thought to be at risk.


Issues of public safety may similarly arise in circumstances where an individual who legitimately possesses firearms is thought by health professionals to be a risk because of drug or alcohol addiction or a medical condition such as depression. The police should be informed if anybody is thought to be at risk.

Information Sharing that Requires Express Consent

National guidance has identified certain areas of information sharing that must only be carried out on an express/explicit consent basis. Consent is required for information sharing that does not directly contribute to direct continuing healthcare, unless there is a robust public interest in releasing information without the patient/employee’s consent or you have the express/explicit consent in writing from the patient/employee, or recorded in the patient/employee’s record (health or employee personal file).

For most information sharing issues that are not for the direct continuing care of a patient you should consult the Caldicott Guardian. The following table gives further details.

Carers and relatives – Generally where a patient/employee has the capacity to consent, express/explicit consent is required before sharing health information. Confidentiality can be a highly controversial issue. Carers want and need information about the person they are caring for, whereas professionals feel bound by codes of conduct on confidentiality.

Complaint investigations – Complaint investigations will invariably need patient information. However, express consent of the complainant, and any other individual whose record may need to be reviewed, is required prior to disclosure.

Management purposes – Commissioners, prescribing advisors, financial audit, and resource allocation etc., no restrictions are imposed if the data is anonymised.

Occupational Health – Information on staff referred to occupational health departments. However, if clinicians are the patients, the powers of professional regulatory bodies for disclosure may apply.

Researchers – The use of patient information for research goes beyond health care provision in the NHS, and explicit patient consent is therefore required.

For example, whilst most people would be happy to be included in research there may be some that might object on the grounds of, for example, religion.

However, if the research project is to use anonymised data (which is preferable), no restrictions are imposed (refer to Anonymisation and Pseudonymisation below). Alternatively, an application can be made to the Ethics and Confidentiality Committee of the National Information Governance Board under section 251 of the NHS Act 2006.

Before any research project can be undertaken an application must be made to the Local Research Ethics Committee for approval and before making any application to the Ethics and Confidentiality Committee of the National Information Governance Board under Section 251 of the NHS Act 2006.

Teaching – According to the Confidentiality: NHS Code of Practice, teaching is not to be regarded as direct healthcare purposes and will require explicit consent.

The media – You need explicit consent to release information to the media about care and treatment (including a patient’s presence in a hospital) unless there is an exceptional robust public interest in releasing information.

Police – Information required by the Police either needs explicit consent of the patient or other individual, a Court Order or, where criminal activities are concerned, refer to section 6.1 below on Enabling Information Sharing in the Public Interest.

Solicitors – Solicitors requesting information must produce an up to date written signed consent from the patient / employee before information is released. For medical legal purposes the request should be forwarded to the Data Protection Office and for clinical negligence claims the request should be forwarded to the Litigation Office.

Legislation Enabling / Requiring / Restricting Information Sharing

Enabling Information Sharing in the Public Interest

The following legislation permits information to be shared without seeking consent, e.g. if you believe someone has committed serious harm, or a serious crime. However, the legislation does not require you to do so. Decisions to share should be made on a case by case basis, and in the public interest.

1. Child Protection (Children’s Act 1989 and the Protection of Children Act 1999), allows information to be shared if a child is considered at risk of significant harm

2. Prevention and Detection of Crime (Section 115 of the Crime and Disorder Act 1998), e.g. request from the Police where someone is suspected of committing a serious crime.

3. Data Protection legislation provides that the non-disclosure rules will not apply if information sharing is required for:
• the prevention or detection of crime
• the apprehension or prosecution of offenders
• the collection or assessment of any tax or duty.

The police may request information under the current Data Protection Law, which allows data processing for the purpose of “prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.” The Data Protection Lead or Caldicott Guardian should be contacted for further guidance.

Information may be shared with the Children & Young People’s Service (CYPS) for the purposes of protecting the health and welfare of a child or young person if it is believed to be in the public interest to do so. Note: information shared will automatically be shared with the Police.

Note: The Trust has signed Information Sharing Protocols between South Devon Healthcare NHS Foundation Trust and Devon & Cornwall Constabulary for sharing information in relation to specific purposes, e.g. incidents of domestic violence, incidents of domestic abuse. The full list of signed information sharing protocols is available on the Data Protection intranet page.

Requiring Information Sharing

Information can be shared without consent if requested to do so by the following public bodies/officials but patients should be informed that disclosure has been required:

1. Courts, including a coroner’s court, tribunals and enquiries – Only give the information requested in the order and no more. Many different Acts give courts the powers to issue court orders.

2. General Medical Council (GMC) – Entitled to access confidential patient health records as part of an investigation under the Medical Act 1983. The GMC have indicated that they would always try to obtain consent first.

3. Audit Commission – Entitled to access confidential patient health records as part of an investigation under section 6 of the Audit Commission Act 1998.

4. Health Service Ombudsman – Has the same powers as the courts to disclose person identifiable information. Any request made should be complied with, without obtaining a court order.

5. Care Quality Commission - Entitled to access confidential patient health records as part of an investigation


6. Public Health and Infectious Diseases – Public Health (Control of Diseases) Act 1984 & Public Health (Infectious Diseases) Regulations 1988

7. Immunisations and vaccinations – Under the Education Act 1944 information must be passed to NHS Trusts from schools

8. Births and Deaths – The Births and Deaths Act 1984 provides for the registration of births, still-births and deaths

9. Information Sharing Index (England) Regulations 2007 (Contactpoint) – health professionals must provide basic identifying information to the local authority for every child up to the age of 18

10. Abortion Regulations 1991 – a doctor carrying out a termination of pregnancy must notify the Chief Medical Officer, giving a reference number and the date of birth and postcode of the woman concerned

11. Section 251 of the NHS Act 2006 – gives the Secretary of State for Health power to make regulations permitting the disclosure of identifiable information without consent in certain circumstances. Health professionals can apply to the Ethics and Confidentiality Committee of the National Information Governance Board, an independent public body which advises the Secretary of State for Health in England and Wales about the lawful disclosure of patient identifiable information.

12. Members of Parliament – Non-statutory investigations (e.g. Members of Parliament). If an MP states in writing that he/she has a patient’s consent for disclosure, this may be accepted without further contact with the patient, but carefully consider the request and contact the patient if in any doubt.

Restricting Information Sharing

Health professionals are required by law to restrict the disclosure of some specific types of information due to the nature of the information, for example:

• Human Fertilisation and Embryology Act 2008
• NHS (Venereal Diseases Regulations) 1974 and the NHS Trusts and PCTs (Sexually Transmitted Diseases) Directions 1992
• The Gender Recognition Act 2004
• The Adoption Act 1976.

Anonymisation and Pseudonymisation

Anonymisation

Anonymised information can be used without patient consent. Anonymisation requires the removal of:
• name
• address
• full postal code
• NHS number
• date of birth
• local identifiers
• anything else that could identify a patient e.g. photograph, x-ray, dental records.

Information that has been anonymised can never be reverted to its original form.

Information may be used more freely if the subject of the information is not identifiable in any way. When anonymised data will serve the purpose, health professionals must anonymise data to this extent and, if necessary, take technical advice about anonymisation before releasing data. Whilst it is not ethically necessary to seek consent for the use of anonymised data, general information about when their data will be anonymised should be available to patients.

Pseudonymisation

Pseudonymisation is sometimes referred to as reversible anonymisation. Patient identifiers, such as name, address or NHS number, are substituted with a pseudonym, code or other unique reference so that the data will only be identifiable to those who have the code or reference. Where those who are using data have no means to reverse the process, and so no way to identify an individual from the data they have, the data may be treated as anonymised and there is no common law requirement to seek consent for their use. For those who have access to both pseudonymised data and the means to reconstitute them, they should be treated as identifiable. The use of pseudonymised data is common in research. As with anonymised data, patients should generally be informed when it is intended that their information will be pseudonymised.

Deceased persons

Although the Data Protection Legislation does not apply to records of deceased persons, the ethical obligation to respect a patient’s confidentiality extends beyond death. The Information Tribunal in England and Wales has also held that a duty of confidence attaches to the records of the deceased under section 41 of the Freedom of Information Act 2000. If a patient has requested that their information is not disclosed after their death this must be respected. The Access to Health Records Act 1990 gives limited statutory rights of access to those who may have a claim arising out of the death of a deceased patient. Care must always be taken when sharing records of the deceased and advice should be sought in cases of doubt.

Extract from Data Protection Legislation: Conditions for sharing personal information

Italics indicates that the text is a direct quotation from the Act

Chapter 2, Article 6, of the Data Protection Legislation allows the processing of personal information if any one of the following conditions has been met.

a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

c) processing is necessary for compliance with a legal obligation to which the controller is subject;

d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

As well as meeting the Article 6 condition, processing special categories of personal data must also meet one of the following Article 9 conditions:

a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

e) processing relates to personal data which are manifestly made public by the data subject;

f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Caldicott Principles

Principle 1 - Justify the purpose(s) for using confidential Information

Principle 2 - Only use it when absolutely necessary

Principle 3 - Use the minimum that is required

Principle 4 - Access should be on a strict need to know basis

Principle 5 - Everyone must understand his or her responsibilities

Principle 6 - Understand and comply with the law

Sample Information Sharing Protocol

Sharing information between partner organisations is vital to the provision of co-ordinated and seamless services. In addition, the sharing of information can help to meet the requirements of statutory and local initiatives.

This protocol sets out the details of sharing information.

Legality

Sharing personal information in accordance with this protocol is lawful under the Data Protection Legislation Article 6 condition

and other legislation or statute as follows

Managing the protocol

The members involved in this information sharing protocol are:

This protocol is owned equally by all participating signatories and is co-ordinated and administered on their behalf by (role)

of (organisation).

This protocol will be reviewed after (period or date) and routinely reviewed following changes in legislation or statutory notices.

Where relevant, signatories should seek the agreement of their Caldicott Guardian, nominated deputy or Information Governance Officer before signing this protocol.

Purpose of sharing information

The purpose of this information sharing protocol is

The information to be shared between signatories or designated officer is

Data Controller(s)

The Data Controller for (see above) is

(organisation).

(role) has operational responsibility for the data.

The Data Controller for 3.2. . (see above) is

(organisation).

(role) has operational responsibility for the data. …

The information must only be used for the purposes stated in paragraph 3.1. The agreement of the Data Controller must be sought before using shared information for any other purpose.

Signatories or designated officer receiving shared information must review the need to continue to hold it after (period or date) and must destroy it after (period or date). The outcome of review or destruction must be notified to the relevant Data Controller.

Information quality

The quality assurance checks generally applied within (originating organisation) are:

Signatories or designated officer receiving shared information are responsible for applying relevant quality assurance before using the information.

If information is found to be inaccurate, it is the responsibility of the charter member discovering the inaccuracy to notify the Data Controller. The Data Controller will ensure that the source data is corrected and will notify all recipients, who will be responsible for updating the information they hold.

Signatories or designated officer will not be liable for any financial or other costs incurred by other parties to this protocol as a result of any information being wrongly disclosed by another party to this protocol or as a result of any negligent act or omission by another party to this protocol.

Information format and frequency

The format in which the information will be shared is

The frequency with which the information will be shared is

until

Information security and confidentiality

Security for the exchange of information will be achieved through

Signatories or designated officer receiving shared information will:

ensure that their employees are able to access only the shared information necessary for their role;

ensure that their employees are appropriately trained so that they understand their responsibilities for confidentiality and privacy;

protect the physical security of the shared information.

Consent to share personal information

It is generally good practice to seek the consent of patients. However, signatories or designated officer agree that disclosure without consent is lawful if certain conditions are met. For example, personal information may be shared when anonymised or to ensure the performance of public functions or legal obligations.

Occasionally, an individual may refuse to give consent to share their information. Where it is lawful to share such information in spite of the refusal, the Data Controller must record the refusal of consent and the reasons for overriding that refusal.

The Data Controller is responsible for ensuring that data subjects are advised that their information is being or may be shared.

Subject Access Requests

All signatories should have internal procedures in place for handling and responding to Subject Access Requests (i.e. requests for access to personal data made pursuant to Data Protection Legislation).

Complaints

Signatories or designated officer will use their standard organisational procedures to deal with complaints from the public arising from information sharing under this protocol.

Freedom of Information

This protocol is not confidential and will be available for anyone to view. It is recommended that this protocol is published through the Freedom of Information publication scheme of each charter member.

Agreement

We undertake to implement and adhere to this protocol.

We undertake to ensure that our organisational procedures are consistent with this protocol.

Organisation:    Signed:    Date:    Name:    Position:

Organisation:    Signed:    Date:    Name:    Position:

Organisation:    Signed:    Date:    Name:    Position:

The above should be completed by, and signed by, each organisation involved in the information sharing protocol.

Guidance on Completing an Information Sharing Protocol

The purpose of an information sharing protocol is to document the aspects of the information sharing which in the future may be subject to challenge or misinterpretation. The information should be entered in sufficient detail to provide a clear record of the agreement for future reference.

Legality

If personal information is to be shared under the information sharing protocol, enter here the relevant schedule 2 condition.

If the personal information to be shared is sensitive, also enter here the relevant schedule 3 condition.

If either the schedule 2 condition or schedule 3 condition relies on other legislation or statute (for example, if the relevant condition is ‘the processing is necessary to comply with any legal obligation to which the data controller is subject’), also enter here the relevant other legislation or statute.

Guidance on interpretation of the Data Protection Legislation is available on the Information Commissioner’s website.

Managing the protocol

Enter here the organisations that are involved in the protocol.

Enter here the role and the organisation of the person who will administer the protocol on behalf of all the signatories or designated officer involved.

To ensure that information sharing protocols remain relevant, it is good practice to review them at regular intervals and when changes occur. Enter here the date or agreed period after which the protocol will be reviewed by the participating signatories or designated officer. For clarity and transparency, a new information sharing protocol should be drawn up when changes are necessary.

Sharing information

Enter here the purpose to be achieved through sharing the information; for example, enable early identification of young people at risk.

The signatories or designated officer should agree the detail to which it is necessary to record the information to be shared. This could be:

Name, Address

or it could be:

Title, first name, last name, House name or number, street, town, postcode

or it could be:

Name and contact details

Data Controller

Under the Data Protection Act, a data controller determines the purposes for, and the manner in which, any personal data is processed. A data processor is someone, other than an employee of the data controller, who processes data on behalf of a data controller.

Each organisation will have a single named Data Controller. Practical responsibility for operational compliance will be delegated to those within the organisation who have day to day responsibility for the information and deciding how it is used.

Enter the Data Controller’s organisation and the role which has operational responsibility for the information to be shared, including sufficient information to enable all participating Signatories or designated officer to contact the Data Controller.

Include as many sections as necessary to document all Data Controllers involved in the protocol.

Information quality

Enter here the originating organisation and brief details of the quality checks generally applied. For example, include where relevant such details as sample size, percentage response, checks for duplicates and validation rules.

Include as many sections as necessary to document quality checks within each organisation acting as a data source

Information format and frequency

Enter here the format in which shared information will be provided, for example Excel spreadsheet, CSV file, paper.

Enter here the frequency with which the information will be shared (for example weekly, monthly, as and when acquired from patients) and the date when the information sharing is due to cease.

Information security and confidentiality

Enter here the method for securing the information during transfer between organisations. This may include access controls for connected electronic systems, password protection for files, encryption, using recorded delivery mail.

Process for Authorising Information Sharing

Complete an Information Sharing Protocol using guidelines issued or obtain a copy of the Information Sharing Protocol if already written by another organisation

Send copy of completed Information Sharing Protocol along with details of the method in which information is to be shared to the Caldicott Guardian.

Caldicott Guardian to forward copy of Protocol to Information Governance Steering Group if appropriate.

Information Governance Steering Group either meets to discuss Protocol or communicates via email.

Caldicott Guardian notifies originator if protocol has been agreed and signed or otherwise.

If information is to be encrypted prior to sharing, IT Team to encrypt it.

Information Sharing can take place.

Copy of Information Sharing Protocol to be retained in the Caldicott Guardian’s Office and/or the Data Protection Office.

Information Sharing Protocol should be published on the intranet - in the Information Sharing Protocol section on Information Governance webpage.

PSEUDONYMISATION AND THE MANAGEMENT OF PERSON IDENTIFIABLE INFORMATION WITHIN THE TRUST

Aims and Objectives

To ensure that all staff who have responsibility to protect Person Identifiable Information are supported in adhering to Data Protection and Information Governance principles;

To ensure that all data subjects, that is, those people to whom the information relates, can be assured that there are suitable protective measures in place with regards to the data that is held;

To comply with the legal and secure use of personal identifiable data for secondary purposes by the NHS (and other organisations involved in the commissioning and provision of NHS-commissioned care);

To reduce the amount of identifiable data transferred in non-patient care related work wherever possible;

To facilitate a single point of reference for the community to obtain anonymised and pseudonymised information and reports; and

To reduce the risk of accidental information disclosures by ensuring that there are clear processes and procedures for the sharing of person identifiable information.

Introduction

It is a legal requirement that when person identifiable data is used for purposes that do not involve direct care of an individual, i.e. “Secondary Uses”, the individual should not be identified unless other legal means hold, such as the person's consent or Section 251 approval. This is set out clearly in the NHS policy and good practice guidance document 'Confidentiality: the NHS Code of Practice', which states the need to 'effectively anonymise' data prior to the non-direct care usage being made of the data.

It is not possible to label individual data items as primary or secondary use data, as the purpose of each item can be changed dependent upon the process or function in place. Therefore it is essential that there are mechanisms in place to protect the information held and to ensure that any information sharing is predicated on sharing what is required in a format which protects the data subject.

Therefore, by ensuring that there is a consistent approach to information sharing, there is an opportunity to ensure that only the required information is released. This approach is documented fully within this policy, but the key aspect is ensuring that information owners question each information request to ensure that only the required information is shared and that it is shared in the most appropriate format.

Personal Identifiable Information can include:

Name; Initials; Address; Postcode; Date of birth; Date of death; NHS Number; Local system identifiers; National Insurance Number

Sensitive ‘special category’ information can include personal data consisting of information as to:

Racial / ethnic origin; Political opinions; Religious beliefs; Trade union membership; Physical or mental health; Sexual life / orientation; Metrics data

Corporate information can include information about the organisation which should be restricted due to commercial sensitivities. This could include information being restricted internally, between departments and externally to the public.

Responsibilities

All staff have a responsibility to ensure that the information that they have access to as part of their role is protected. This protection can be in the form of ensuring that procedures are followed, access is controlled, physical documentation is restricted by appropriate means (filing cabinets, key pad/swipe card entry) and any breaches or near misses are reported and actioned.

All systems, including applications, databases and Excel spreadsheets, that hold personal identifiable information should be recorded on the Information Asset Register held by the Information Governance Team. Information Asset Owners and Administrators (IAOs and IAAs) have the responsibility of ensuring that any data extracted from the asset is managed and shared appropriately.

The Informatics Team have the responsibility for:

Data Integration; Data Quality; Corporate Data Warehouse; In-View Reporting; Local Processing; Information Data Marts; Secondary Uses Services

The Information Team is responsible for processing information requests made by internal and external sources. For each request made, the internal Pseudonymisation Procedure should be adhered to, to ensure that the request is legitimate and approved by the relevant Information Asset Owner, that all relevant techniques have been applied to the data and that only the information that is necessary is shared.

Users are requested to complete an online Information Request template if seeking access to information. This can be used for regular requests as well as ad hoc requests. However, for each new request or change to an existing request a new form should be completed.

The Caldicott Guardian for each of the organisations within the Health Community is the lead for patient/client confidentiality issues supported by the Head of Information Governance.

The SDHIS Information Governance Team are responsible for undertaking audits and spot checks in relation to data sharing and data quality.

Any issues with de-identification of data, or breaches of data security should be reported to the Information Governance Team.

Owners of Safe Havens will be responsible for ensuring that only staff with a genuine business need have access to personal identifiable information. Further information is contained within the Safe Haven Policy held on Contact.

Definitions/Glossary

Personal Identifiable Data (PID) – is any information that can identify one person. This could be one piece of data for example a person’s name or a collection of information for example name, address and date of birth.

Primary Use – is when information is used for direct care and medical purposes. This would directly contribute to the treatment, diagnosis or the care of the individual. This also includes relevant supporting administrative processes and audit/assurance of the quality of healthcare service provided.

Secondary Use – is when information is not used for direct care and medical purposes, generally this could be for research purposes, audits, service management, commissioning, contract monitoring and reporting facilities.

When PID is used for secondary use this should be limited and de-identified so that the secondary uses process is confidential.

Pseudonymisation – The technical process of replacing person identifiers in a dataset with other values (pseudonyms) from which the identities of individuals cannot be intrinsically inferred, e.g. the replacement of an NHS number with another random number. Pseudonymisation may be reversible or irreversible.
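The reversible and irreversible forms in the definition above can be compared side by side in the following added example, which is not part of the Trust's policy or its internal Pseudonymisation Procedure. The field names, the constructed sample records, the choice of HMAC-SHA256 for the irreversible case and the lookup table for the reversible case are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Field names are assumptions, modelled on the identifiers this policy lists.
DIRECT_IDENTIFIERS = frozenset({
    "name", "initials", "address", "postcode", "date_of_birth",
    "date_of_death", "nhs_number", "local_id", "ni_number",
})

# Constructed sample records, not real patients.
SAMPLE_RECORDS = [
    {"name": "A Example", "postcode": "ZZ1 1ZZ", "date_of_birth": "1950-01-01",
     "nhs_number": "999 000 0001", "diagnosis_code": "J45", "ward": "W3"},
    {"name": "B Example", "postcode": "ZZ2 2ZZ", "date_of_birth": "1962-02-02",
     "nhs_number": "9990000002", "diagnosis_code": "E11", "ward": "W1"},
]


def normalise(nhs_number):
    """Strip spaces so '999 000 0001' and '9990000001' get one pseudonym."""
    digits = nhs_number.replace(" ", "")
    if len(digits) != 10 or not (digits.isascii() and digits.isdigit()):
        raise ValueError("expected a 10-digit NHS number")
    return digits


def irreversible_pseudonym(nhs_number, key):
    """One-way keyed pseudonym (HMAC-SHA256, an assumed choice).

    A plain unkeyed hash is not enough: there are only 10**10 possible
    NHS numbers, so all of them could be hashed and matched. The secret
    key prevents that; data recipients must never hold the key.
    """
    mac = hmac.new(key, normalise(nhs_number).encode("ascii"), hashlib.sha256)
    return mac.hexdigest()[:32]


class PseudonymVault:
    """Reversible pseudonymisation: random pseudonyms plus a lookup table.

    Whoever holds the table can re-identify, so for them the data stays
    identifiable. Recipients without the table cannot reverse it.
    """

    def __init__(self):
        self._forward = {}   # NHS number -> pseudonym
        self._reverse = {}   # pseudonym -> NHS number

    def pseudonymise(self, nhs_number):
        number = normalise(nhs_number)
        if number not in self._forward:
            pseudonym = secrets.token_hex(8)
            while pseudonym in self._reverse:   # regenerate on collision
                pseudonym = secrets.token_hex(8)
            self._forward[number] = pseudonym
            self._reverse[pseudonym] = number
        return self._forward[number]

    def reidentify(self, pseudonym):
        return self._reverse[pseudonym]


def deidentify(record, make_pseudonym):
    """Drop every direct identifier and attach a pseudonym in their place."""
    released = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    released["pseudonym"] = make_pseudonym(record["nhs_number"])
    return released


def residual_identifiers(record):
    """Pre-release check: direct identifier fields still present.

    This only catches named fields. Free text, images or rare combinations
    of values can still identify a person and need separate review.
    """
    return sorted(DIRECT_IDENTIFIERS.intersection(record))


if __name__ == "__main__":
    vault = PseudonymVault()
    for raw in SAMPLE_RECORDS:
        out = deidentify(raw, vault.pseudonymise)
        print(out, "residual:", residual_identifiers(out))
```
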

Information Sharing Process

Currently information is shared in a number of different ways, by different departments, to different destinations for different reasons. There are inherent risks with this process and therefore it has been agreed that a formal framework that can be adhered to and monitored is required.

The intention is that there will be a single point of contact for all information requests relating to information held by South Devon Healthcare NHS Foundation Trust and South Devon Health Informatics Service, which will be the Information Team. This will ensure that all staff know how to access the information that is required and also that they can direct any enquiries to the Information Team.

Any requests for information will be via the Information Request form, part of the Information Sharing Toolkit. For full details of the forms and the process, please see the Information Request Form and Information Reporting Procedure.

Data Presentation

Staff should be aware that any reports that have been produced which contain Person Identifiable Data should not be shared outside of the Organisation to which the information relates. In addition, when saving or sharing the report internally, staff should be aware that the report contains information which may not be appropriate for other staff members to view, even if they are within the same department or area. Therefore where at all possible the report should be saved to a secure area and any email recipients should be informed that copies should not be taken and that emails should be deleted once viewed.

When reports are produced from any database that contains personal identifiable information the way in which the data is presented should take into account the software being used. For example a report presented within Excel that uses a Pivot table may only display aggregated non-identifiable information. However, if the source data the pivot table links to contains identifiable information the end user of the report will be able to amend the data displayed and drill down to a level which is identifiable. Precautions should be taken to either amend the source data with a pseudonym, or preferably present the information using software that prevents this happening, such as a PDF document.

Training and Awareness

The annual Information Governance training that is delivered to all staff will reference the principles of Pseudonymisation.

Information Asset Owners also undertake further Information Asset training where the Pseudonymisation principles and processes will be disseminated.

The Information Governance Team will raise awareness of this policy, via meetings, information contained within the Newsletter and on the IG Team site on Contact and internal training materials.

Advice and support around this policy will be provided by the Information Governance Team, Informatics Team and Information Team.

Contacts

For further information about this policy, please refer to either the Information Governance site on ICON or email via igteam.sdhis@nhs.net. Additionally you can contact the Information Team via information.sdhct@nhs.net and the Informatics Team via datawarehouse.sdhis@nhs.net.

Contact the Data Access and Disclosure Office on dataprotection.tsdft@nhs.net

See TSDFT’s Data Protection & Access Policy

Visit our Data Protection site on the public internet.

Monitoring and Review

Managers are responsible for ensuring their staff comply with this Policy.

The Information Governance, Information and Informatics Team will be responsible for reviewing this document on an annual basis or after a change to the DH guidance or processes within the Trust.

Any possible breaches to this policy or data loss should be reported via the Incident Reporting system (DATIX), as per Trust guidance.

Specific Data Warehouse Responsibilities

In-View Reporting

Business Objects are a multinational Business Intelligence software supplier and are currently considered to be the market leaders in their field. Our implementation of the XI product enables web based access to a secure Java based reporting infrastructure. The solution provides the majority of frequently used functionality from spreadsheet software (such as Excel or Open Office) from within a web browser.

Local Processing

Both local and national Payment by Results (PbR) processing is undertaken: the national within the core Data Warehouse (InView) and the local through scripted data extraction and processing. The local version allows for local commissioning agreements to vary the national solution, thus providing a better fit for the Community. Due to the bespoke extraction and process nature of the local solution, this has to be limited to a monthly local schedule.

Information Data Marts

Simplified data marts, or streamlined tables, are created to represent central reporting concepts, such as Spells, Ward-stays, Episodes etc. These are synchronized with the Corporate Data Warehouse daily and enriched with additional data attributes pulled directly from the source clinical systems or value added processing.

Secondary Uses Services

This is the National system that all NHS providers of care are required to send data to. End to end validation as well as active effort to expand, improve and monitor the Trust's data flows to SUS, Dr Foster, HES, CQC, etc. are undertaken.

PRIVACY IMPACT ASSESSMENT POLICY

Aims and Objectives

Within the NHS confidential information on patients/clients and staff is collected and stored so that it may be used for specific purposes. In order to be compliant with statutory regulations that are in place to protect the individuals to whom the information refers, certain safeguards must be implemented. For new projects or material changes to current Information Assets which may have an impact on the privacy risks to individuals, the Information Commissioner's Office recommends that a Data Protection Impact Assessment is completed. Further information on the guidance the ICO provides can be obtained here.

The objective of this Policy is to provide the Trust with a Policy that is sufficiently robust as to meet the requirements as laid out by the Information Commissioner's Office and to ensure that evidence of adherence can be provided to demonstrate compliance. This document will provide information on the purposes of Data Protection Impact Assessments as well as details of what the process within the Trust entails.

Introduction

There has been a growing awareness within organisations and among the general public of privacy issues. High-profile losses of personal information and concerns about the nature and extent of what is collected by organisations have raised the profile of potential privacy risks. Therefore it is important as an organisation that we are aware that the privacy of individuals is extremely important and we must ensure that this is safeguarded. We must assure the public and ourselves that we have a robust process in place.

This Policy sets out the context of the Data Protection Impact Assessment within the Trust and provides an overarching guide on what this means to Trust staff. Further guidance is available in Privacy Impact Assessment Guidance.

This policy applies to all staff working within the South Devon Health Community who are responsible for the introduction of new processes or systems that are likely to involve a new use of personal data or significantly change the way in which personal data is handled.

Data Protection Impact Assessments (DPIAs)

All new or significantly changed processes or projects that involve Person Identifiable Data must comply with confidentiality, privacy and data protection requirements. The Data Protection Impact Assessment is the preferred method of assessment.

The DPIA is to assist in:

The identification of the project’s or process’s privacy impacts;

Appreciation of those impacts from the perspectives of all stakeholders;

An understanding of the acceptability of the project and its features by the organisations and people that will be affected by it;

Identification and assessment of less privacy-invasive alternatives;

Identification of ways in which negative impacts on privacy can be avoided;

Identification of ways to lessen negative impacts on privacy;

Where negative impacts on privacy are unavoidable, clarity as to the business need that justifies them; and

Documentation and publication of the outcomes.

DPIA Process

The first step in the DPIA process is identifying whether or not the project or process involves person identifiable information. If it does then the DPIA Pre-Assessment Questionnaire (PAQ) should be completed and returned to the IG Team as directed. The IG Team will evaluate the information provided in the PAQ and will undertake a risk assessment on the proposed project or process change. This risk assessment will determine what further action is required, including whether there is a need for a full scale DPIA to be undertaken. Any severe or catastrophic risks identified during this stage of the process will be escalated immediately as per the Trust’s Risk Management Guidance and included on the relevant risk register.

It is anticipated that for the majority of projects or changes, completing the DPIA PAQ will be sufficient to demonstrate that, as a Trust, all of the relevant privacy risks have been considered. Section Two of the PAQ will be completed by the IG Team, who will decide which of the areas should be reviewed. At the end of the PAQ is a declaration that the IG Team will complete, which will indicate an opinion on what the overall privacy risk is and whether or not any further action is required. The completed document will then be sent back to the originator for their information and, if necessary, action.

In the event that a full scale DPIA should be undertaken, the IG Team will inform the originator of the PAQ. The IG Team will then complete the relevant areas of Section Two of the PAQ, which may include the Data Protection and Legal Compliance check. If the nature of the change is within a project, the IG Team will attend the next Project Board Meeting with the Project Sponsor and discuss the issues that have been raised. If the change is not part of a project, the IG Team will liaise with the originator to draw together a meeting with key stakeholders where the issues raised will be discussed.

The outcome of these discussions will be included within the DPIA Report, which details the nature of the project or change, the issues and risks identified and, crucially, what the recommendations and actions are. This report is then sent to the Trust’s Senior Information Risk Owner (SIRO), who will review the information and will confirm whether or not the recommendations should be implemented.


At each step of the process the DPIA Log will be updated (See Section Six). The assessment ID will remain open until the recommendations or actions highlighted have been completed. The DPIA log will then show a status of closed.

Responsibilities

For the Trust

The SIRO is responsible for signing off the DPIAs for all systems or processes that involve Person Identifiable Information.

The Information Governance Team should:

Provide advice and support in the completion of the DPIA

Maintain the DPIA Log and provide regular reports to the Information Governance Steering Group

Review, update and implement the DPIA Policy

The Information Governance Steering Group should:

Receive DPIA log reports on a regular basis

Receive, discuss and agree DPIAs for all projects or process changes which involve the use of Person Identifiable Information.

Information Asset Owners are:

Responsible for ensuring that a DPIA is in place for their system(s) (if required)

Responsible for reviewing the DPIA when a process change is being made and amending the DPIA as appropriate.

Project Sponsor/Lead/Operational Managers are:

Responsible for ensuring that a DPIA is consulted upon by all interested parties and that this is signed off by the SIRO.

The completion of Section One of the DPIA Pre-Assessment Questionnaire falls to a suitable project team member, Information Asset Owner or Operational Manager, depending upon whether the change is from a new project or process being implemented.

Completion of Section Two of the DPIA Pre-Assessment Questionnaire and any further checks which may be required will fall to the Information Governance Team. Assistance may be sought by the IG Team from relevant stakeholders during the DPIA process on an ad hoc basis.

The IG Team will complete the Statement of Assurance, except when a Full Scale DPIA is required, in which case this will be completed by the SIRO.

As part of the responsibilities of the Information Governance Team, a DPIA Log has been created which forms a record of the projects/system changes that have completed the DPIA process. This will be available to the IG Steering Group at each meeting for review. For all new Business Cases, the relevant Project Board should assure themselves that this policy has been taken into consideration during the project initiation phase.

FREEDOM OF INFORMATION POLICY

Introduction

The Freedom of Information Act 2000 is part of the Government’s commitment to greater openness in the public sector, a commitment supported by South Devon Healthcare Foundation NHS Trust, referred to hereafter as ‘the Trust’. The Freedom of Information Act 2000, referred to hereafter as the Act, will further this aim by helping to transform the culture of the public sector to one of greater openness. It will enable members of the public to question the decisions of public authorities more closely and ensure that the services we provide are efficiently and properly delivered. The Act replaces the non-statutory Code of Practice on Openness in the NHS. The main features of the Act are:

a general right of access from 1 January 2005 to recorded information held by public authorities, subject to certain conditions and exemptions;

in cases where information is exempted from disclosure, except where an absolute exemption applies, a duty on public authorities to:

o inform the applicant whether they hold the information requested, and

o communicate the information to him or her,

unless the public interest in maintaining the exemption in question outweighs the public interest in disclosure;

a duty on every public authority to adopt and maintain a Guide to Information (formerly known as a Publication Scheme), specifically applicable to the NHS from 31 October 2003;

a new office of Information Commissioner with wide powers to enforce the rights created by the Act and to promote good practice, and a new Information Tribunal;

a duty on the Lord Chancellor to implement Codes of Practice for guidance on specific issues.

The Freedom of Information Act Policy is a statement of what the Trust intends to do to ensure compliance with the Act. It is not a statement of how compliance will be achieved; this will be a matter for operational procedures.

Scope

The Freedom of Information Act Policy applies to all Trust employees and to Non-Executive Directors. The Policy provides a framework within which the Trust will ensure compliance with the requirements of the Act. The Policy underpins any operational procedures and activities connected with the implementation of the Act.


Aims and Objectives

The Policy supports the principle that openness and not secrecy should be the norm in public life. The Trust wants to create a climate of openness and dialogue with all stakeholders and improved access to information about the Trust will facilitate the development of such an environment.

The Trust believes that individuals also have a right to privacy and confidentiality. This Policy does not overturn the common law duties of confidence or statutory provisions that prevent disclosure of personal identifiable information. The release of such information is still covered by the subject access provisions of the UK's data protection legislation and is dealt with in other Trust policies.

The Trust believes that public authorities should be allowed to discharge their functions effectively. This means that the Trust will use the exemptions contained in the Act where an absolute exemption applies or where a qualified exemption can reasonably be applied in terms of the public interest of disclosure.

The Trust believes that staff should have access to expert knowledge to assist and support them in understanding the implications of the Act. The Policy sets out a framework to provide this knowledge.

The Trust believes that common standards are required to ensure that the organisation is compliant with the Act. The Policy outlines the areas in which common standards will be established through other Trust policies and procedures.

Freedom of Information Act

The Trust will use all appropriate and necessary means to ensure that it complies with the Act and associated Codes of Practice issued by the Lord Chancellor’s Department pursuant to sections 45(5) and 46(6) of the Act.

Guide to Information

The Trust has adopted a Guide to Information developed by the NHS Freedom of Information Project Board and Team and approved by the Information Commissioner in March 2003 followed by a revised Guide effective from 1/1/2009. This is permissible under section 20 of the Act and ensures compliance with section 19 of the Act.

The Trust’s Guide to Information is a current document, detailing the information that the Trust publishes. It details the format in which the information is available and whether or not a charge will be made for the provision of that information. The Guide to Information is available in hard copy on request and through our website www.sdhc.nhs.uk. It will be subject to regular review in terms of content both internally and by the Information Commissioner’s Office.

Applications for information listed in the Guide to Information may be received verbally or in writing. The Trust will establish systems and procedures to process applications arising from the Guide to Information. See Appendix D.

General Rights of Access


Section 1 of the Act gives a general right of access to recorded information held, subject to certain conditions and exemptions contained in the Act. Simply, any person making a request for information to the Trust is entitled:

(a) to be informed in writing whether TSDFT holds the information of the description specified in the request, and

(b) if the Trust holds the information, to have that information communicated to them.

This is referred to as the ‘duty to confirm or deny’. These provisions are fully retrospective in that if the Trust holds the information it must provide it, subject to certain conditions and exemptions. The Trust will ensure that procedures and systems are in place to facilitate access by the public to recorded information from this date.

In accordance with section 8 of the Act, a request for information under the general rights of access must be received in writing, stating the name of the applicant and an address for correspondence, and describing the information requested. For the purposes of general rights of access, a request is to be treated as made in writing if it is transmitted by electronic means, is received in legible form and is capable of being used for subsequent reference.

The Trust will establish systems and procedures to process applications arising from the introduction of general rights of access. See Appendix C.

Conditions and Exemptions

The duty to confirm or deny is subject to certain conditions and exemptions. Under section 1(3) the duty to confirm or deny does not arise where the Trust:

(a) reasonably requires further information in order to identify and locate the information requested, and

(b) has informed the applicant of that requirement.

The Trust will make reasonable efforts to contact the applicant for additional information relating to their request should further information be required.

Under section 2 of the Act the Trust does not have to comply with this duty if the information is exempt under the provisions of Part II of the Act, sections 21 to 44. These provisions either confer an absolute exemption or a qualified exemption. A qualified exemption may be applied if, in all circumstances of the case, the public interest in maintaining the exclusion of the duty to confirm or deny outweighs the public interest in disclosing whether the Trust holds the information. The Part II exemptions are listed in Appendix A of this Policy. The Trust will seek to use the qualified exemptions sparingly and will, in accordance with section 17 of the Act justify the use of such exemptions.

The duty to confirm or deny does not arise if a fees notice (see 2.5.0) has been issued to an applicant and the fee has not been paid within the period of three months beginning on the day on which the fees notice is given to the applicant.


The duty to comply with a request for information does not arise if the Trust estimates that the cost of compliance with the request would exceed the appropriate limit established in national Fees Regulations. TSDFT will work with applicants to keep compliance costs to a minimum but reserves the right to either

(a) refuse or

(b) charge for the communication of information that exceeds this limit.

The Trust is not obliged to comply with a request for information if the request is vexatious. Where the Trust has previously complied with a request for information which was made by any person, it is not obliged to comply with a subsequent identical or substantially similar request from that person unless a reasonable interval has elapsed between compliance with the previous request and the making of the current request. The Trust will log all requests for information for monitoring purposes and will be able to identify repeated or vexatious requests.

Charges and Fees

The Trust will generally not charge for information that it has chosen to publish in its Guide to Information. Charges may be levied for hard copies, multiple copies or copying onto media such as a CD-ROM. The Guide to Information and the procedures that support this Policy will provide further guidance on charging.

The Trust will follow the national Fees Regulations for general rights of access under the Act. The “appropriate limit” for the NHS has been set at £450. Section 9 of the Act applies to requests where the appropriate limit has not been met and we are obliged to provide information in compliance with Section 1 of the Act. Section 13 applies if the appropriate limit is exceeded. We are not otherwise obliged to comply with the request but would be able to answer and would like to do so in return for a fee.

In all cases where the Trust chooses to charge for information published through the Guide to Information or levy a fee arising from an information request under general rights of access, a fees notice will be issued to the applicant as required by section 9 of the Act. Applicants will be required to pay any fees within a period of three months beginning with the day on which the fees notice is given to them.

Time limits for compliance with requests

The Trust will establish systems and procedures to ensure that the organisation complies with the duty to confirm or deny and to provide the information requested within twenty working days of a request in accordance with section 10 of the Act. All staff and Non-Executive Directors will be required to comply with the requirements of these procedures; failure to do so may result in disciplinary action.


If the information requested by the applicant incurs a charge or a fee and the applicant has paid this in accordance with section 9(2), the number of working days in the period from when the applicant was sent the fees notice to when they paid will be disregarded for the purposes of calculating the twentieth working day timeframe. If the Trust chooses to apply an exemption to any information or to refuse a request as it appears to be vexatious or repeated, or exceeds the appropriate limit for costs of compliance, a notice shall be issued within twenty working days informing the applicant of this decision (see 2.8.0 below).

Means by which information will be conveyed

TSDFT will endeavour to provide the information in the format preferred by the applicant.

(a) a copy of the information in the format acceptable to the applicant, e.g. email, hard copy, CD, video, photograph

(b) to inspect the record containing the information

(c) a summary of the information

In determining whether it is reasonably practicable to communicate information by a particular means, the Trust will consider all the circumstances, including the cost of doing so. If the Trust determines that it is not reasonably practicable to comply with any preference expressed by the applicant in making their request, the Trust will notify the applicant of the reasons and will provide the information by such means as it deems to be reasonable in the circumstances.

The Trust will establish systems and procedures to monitor the provision of information arising from requests under the Act.

Refusal of requests

As indicated above, the duty to confirm or deny does not arise if the Trust:

(a) using section 2 of the Act applies an exemption under Part II of the Act, as illustrated in Appendix A,

(b) has issued a fees notice under section 9 of the Act and the fee has not been paid within a period of three months beginning with the day on which the fees notice was given to the applicant,

(c) under section 12 of the Act estimates that the cost of compliance with the request for information exceeds the appropriate limit,

(d) can demonstrate that the request for information is vexatious or repeated, as indicated by section 14 of the Act.

If the Trust chooses to refuse a request for information under any of the above clauses, the applicant will be informed of the reasons for this decision within twenty working days. As set out in section 17(7) the applicant will also be informed of the procedures for making a complaint about the discharge of the duties of the Trust under the Act and of the right conferred by section 50 of the Act (see 2.10.0).

If the Trust is to any extent relying on (a) a claim that any provision of Part II relating to the duty to confirm or deny is relevant to the request or (b) on a claim that information is exempt, a notice will be issued within twenty working days under section 17 of the Act. The notice will:

(a) state that fact,

(b) specify the exemption in question, and

(c) state (if that would not otherwise be apparent) why the exemption applies.

Where the Trust is relying on a claim:

(a) that any provision of Part II which relates to the duty to confirm or deny and is not specified in section 2(3) of the Act as an absolute exemption is relevant to the request, or

(b) that the information is exempt only by virtue of a qualified exemption, a provision not specified in section 2(3),

and at the time when the notice under 2.8.3 above is given to the applicant has not yet reached a decision as to the application of subsection (1)(b) or (2)(b) of section 2 of the Act – the application of an exemption – the notice will indicate that no decision as to the application of an exemption has been reached and contain an estimate of the date by which the Trust expects that a decision will have been reached.

As indicated by the Lord Chancellor’s Code of Practice issued under section 45 of the Act, such estimates as described in 2.8.4 should be realistic and reasonable and compliance is expected unless there are extenuating circumstances. If an estimate is exceeded, the applicant will be given a reason for the delay and offered an apology by the Trust. If the Trust finds, while considering the public interest, that the estimate is proving unrealistic, the applicant will be kept informed. The Trust will keep a record of instances where estimates are exceeded, and where this happens more than occasionally, take steps to identify the problem and rectify it.

If applying a qualified exemption under subsection (1)(b) or (2)(b) of section 2 of the Act, the Trust will, either in the notice issued under 2.8.3 above or a separate notice given within such a time as is reasonable in the circumstances, state the reasons for claiming:

(a) that, in all the circumstances of the case, the public interest in maintaining the exclusion of the duty to confirm or deny outweighs the public interest in disclosing whether the Trust holds the information, or

(b) that, in all circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosing the information.

The statement should not involve the disclosure of information which would itself be exempt information.


If the Trust is relying on a claim that section 12 or 14 of the Act applies, the notice will state that fact. If the Trust is relying on a claim that the request is vexatious or repeated under section 14 of the Act, and a notice under section 17 has already been issued to the applicant stating this fact, a further notice is not required.

The Trust will keep a record of all notices issued to refuse requests for information.

Duty to provide advice and assistance

The Trust will ensure that systems and procedures are in place to meet the duty of a public authority to provide advice and assistance to an applicant who proposes to make, or has made, a request for information. This is a duty under section 16 of the Act.

The Trust will ensure that the systems and procedures that are deployed to meet the section 16 duty also conform to the Code of Practice issued under section 45 of the Act.

Transferring Requests for Information

A request can only be transferred where TSDFT receives a request for information which it does not hold, within the meaning of section 3(2) of the Act, but which is held by another public authority. If TSDFT is in receipt of a request and holds some of the information requested, a transfer can only be made in respect of the information it does not hold (but is held by another public authority). The Trust recognises that "holding" information includes holding a copy of a record produced or supplied by another person or body (but does not extend to holding a record on behalf of another person or body as provided for in section 3(2)(a) of the Act).

Upon receiving the initial request for information, TSDFT will always process it in accordance with the Act in respect of such information relating to the request as it holds. The Trust will advise the applicant that it does not hold part of the requested information, or all of it, whichever applies. Prior to doing this, the Trust must be certain as to the extent of the information relating to the request which it holds itself.

If the Trust believes that some or all of the information requested is held by another public authority, the Trust will consider what would be the most helpful way of assisting the applicant with his or her request. In most cases this is likely to involve:

(a) contacting the applicant and informing him or her that the information requested may be held by another public authority;

(b) suggesting that the applicant re-applies to the authority which the original authority believes to hold the information;


(c) providing him or her with contact details for that authority.

If the Trust considers it to be more appropriate to transfer the request to another authority in respect of the information which it does not hold, consultation will take place with the other authority with a view to ascertaining whether it does hold the information and, if so, consider whether it should transfer the request to it. A request (or part of a request) will not be transferred without confirmation by the second authority that it holds the information. Prior to transferring a request for information to another authority, the Trust will consider:

(a) whether a transfer is appropriate; and if so

(b) whether the applicant is likely to have any grounds to object to the transfer.

If the Trust reasonably concludes that the applicant is not likely to object, it may transfer the request without going back to the applicant, but will inform the applicant that it has done so.

Where there are reasonable grounds to believe an applicant is likely to object, the Trust will only transfer the request to another authority with the applicant’s consent. If there is any doubt, the applicant will be contacted with a view to suggesting that he or she makes a new request to the other authority.

All transfers of requests will take place as soon as is practicable, and the applicant will be informed as soon as possible once this has been done. Where the Trust is unable either to advise the applicant which authority holds, or may hold, the requested information or to facilitate the transfer of the request to another authority (or considers it inappropriate to do so) it will consider what advice, if any, it can provide to the applicant to enable him or her to pursue his or her request.

Consultation with Third Parties

The Trust recognises that in some cases the disclosure of information pursuant to a request may affect the legal rights of a third party, for example where information is subject to the common law duty of confidence or where it constitutes "personal data" within the meaning of data protection legislation. This would apply in particular to patient information and staff identity. Unless an exemption provided for in the Act applies in relation to any particular information, the Trust will be obliged to disclose that information in response to a request.

Where a disclosure of information cannot be made without the consent of a third party (for example, where information has been obtained from a third party and in the circumstances the disclosure of the information without their consent would constitute an actionable breach of confidence such that the exemption at section 41 of the Act would apply), the Trust will consult that third party with a view to seeking their consent to the disclosure, unless such a consultation is not practicable, for example because the third party cannot be located or because the costs of consulting them would be disproportionate. Where the interests of the third party who may be affected by a disclosure do not give rise to legal rights, consultation may still be appropriate.

Where information constitutes "personal data" within the meaning of data protection legislation, the Trust will have regard to section 40 of the Act which makes detailed provision for cases in which a request relates to such information and the interplay between the Act and the DPA in such cases.

TSDFT will undertake consultation where:

(a) the views of the third party may assist the authority to determine whether an exemption under the Act applies to the information requested; or

(b) the views of the third party may assist the authority to determine where the public interest lies under section 2 of the Act.

The Trust may consider that consultation is not appropriate where the cost of consulting with third parties would be disproportionate. In such cases, the Trust will consider what is the most reasonable course of action for it to take in light of the requirements of the Act and the individual circumstances of the request. Consultation will be unnecessary where:

(a) the public authority does not intend to disclose the information relying on some other legitimate ground under the terms of the Act;

(b) the views of the third party can have no effect on the decision of the authority, for example, where there is other legislation preventing or requiring the disclosure of this information;

(c) no exemption applies and so under the Act's provisions, the information must be provided.

Where the interests of a number of third parties may be affected by a disclosure, and those parties have a representative organisation which can express views on behalf of those parties, TSDFT will, if it considers consultation appropriate, consider that it would be sufficient to consult that representative organisation. If there is no representative organisation, the Trust may consider that it would be sufficient to consult a representative sample of the third parties in question.

The fact that the third party has not responded to consultation does not relieve the Trust of its duty to disclose information under the Act, or its duty to reply within the time specified in the Act. In all cases, it is for the Trust, not the third party (or representative of the third party) to determine whether or not information should be disclosed under the Act. A refusal to consent to disclosure by a third party does not, in itself, mean information should be withheld.


Public Sector Contracts

When entering into contracts the Trust will refuse to include contractual terms which claim to restrict the disclosure of information held by the Trust and relating to the contract beyond the restrictions permitted by the Act. Unless an exemption provided for under the Act is applicable in relation to any particular information, the Trust will be obliged to disclose that information in response to a request, regardless of the terms of any contract.

When entering into contracts with non-public authority contractors, the Trust may be under pressure to accept confidentiality clauses so that information relating to the terms of the contract, its value and performance will be exempt from disclosure. As recommended by the Lord Chancellor’s Department, the Trust will reject such clauses wherever possible. Where, exceptionally, it is necessary to include non-disclosure provisions in a contract, the Trust will investigate the option of agreeing with the contractor a schedule of the contract which clearly identifies information which should not be disclosed. The Trust will take care when drawing up any such schedule, and be aware that any restrictions on disclosure provided for could potentially be overridden by obligations under the Act, as described in the paragraph above. Any acceptance of such confidentiality provisions must be for good reasons and capable of being justified to the Information Commissioner.

The Trust will not agree to hold information 'in confidence' which is not in fact confidential in nature. Advice from the Lord Chancellor’s Department indicates that the exemption provided for in section 41 only applies if information has been obtained by a public authority from another person and the disclosure of the information to the public, otherwise than under the Act, would constitute a breach of confidence actionable by that, or any other person.

It is for the Trust to disclose information pursuant to the Act, and not the non-public authority contractor. The Trust will take steps to protect from disclosure by the contractor information which the authority has provided to the contractor which would clearly be exempt from disclosure under the Act, by appropriate contractual terms. In order to avoid unnecessary secrecy, any such constraints will be drawn as narrowly as possible and according to the individual circumstances of the case. Apart from such cases, the Trust will not impose terms of secrecy on contractors.

Accepting Information in Confidence from Third Parties

The Trust will only accept information from third parties in confidence if it is necessary to obtain that information in connection with any of its functions and it would not otherwise be provided.

The Trust will not agree to hold information received from third parties "in confidence" which is not confidential in nature. Again, acceptance of any confidentiality provisions must be for good reasons, capable of being justified to the Information Commissioner.


Complaints about the discharge of the duties of the Trust under the Act

The Trust has implemented a procedure for dealing with requests for reviews/complaints about the handling of requests for information.

The procedure will refer applicants to the right under section 50 of the Act to apply to the Information Commissioner if they remain dissatisfied with the conduct of the Trust following attempts at local resolution of their complaint.

Records Management

The Trust has a separate policy with supporting systems and procedures that will ensure compliance with the Lord Chancellor’s Code of Practice on the Management of Records under section 46 of the Freedom of Information Act 2000 and the Department of Health’s Guidance “Records Management – Code of Practice Parts 1 & 2”.

The Trust’s Records Management Policy and Procedure for Retention & Disposal of Corporate Records, based on the DH recommendations, address issues of active records management (creation, keeping, maintenance, appraisal and disposal) and are available on the intranet.

“Round Robin” FOI requests

The DP/FOI Lead will inform the Communications Team if a request has been received and is believed to have been circulated to either all or selected groups of NHS organisations.

Implementation, compliance and responsibilities

All staff and Non-Executive Directors are obliged to adhere to this Policy. A failure to adhere to this Policy and its associated procedures may result in disciplinary action. Managers at all levels are responsible for ensuring that the staff for whom they are responsible are aware of and adhere to this Policy and associated procedures. They are also responsible for ensuring staff are updated in regard to any changes in this Policy.

Heads of Departments will ensure that this Policy and associated procedures are accessible and available to all staff.

Corporate Oversight

The Data Protection Officer will oversee the implementation of this Policy on behalf of the Chief Executive. The Data Protection Officer will establish systems and procedures that will support the implementation of this Policy which, as stated above, all staff and Non-Executive Directors will be expected to adhere to.

Reference Documents

Freedom of Information Act 2000


UK data protection legislation

Human Rights Act 1998

Department of Health’s Guidance “Records Management – Code of Practice Parts 1 & 2”.

Environmental Information Regulations 2004

Lord Chancellor’s Code of Practice on the Discharge of Public Authorities’ Functions under Part I of the Freedom of Information Act 2000, issued under section 45 of the Act, November 2002.

Lord Chancellor’s Code of Practice on the Management of Records under section 46 of the Freedom of Information Act 2000, November 2002.

NHS Confidentiality Code of Practice

Retention of FOI requests

Requests for information handled under the FOI Act will be retained for three years after full disclosure, or 10 years if information has been redacted or the information requested is not disclosed.

Exemptions

Exempt Information Under Part II of the Freedom of Information Act 2000

There are two types of class exemption:

(a) absolute, which do not require a test of prejudice or the balance of public interest to be in favour of non-disclosure.

(b) qualified by the public interest test, which require the public body to decide whether it is in the balance of public interest to not disclose information.

With the exception of s21 (information available by other means) exemptions apply not only to the communication of information but also to the duty to confirm or deny, if that itself would disclose information that it is reasonable to withhold.

The absolute exemptions under the Act are:

section 21, Information accessible to applicant by other means

section 23, Information supplied by, or relating to, bodies dealing with security matters.

section 32, Court Records

section 34, Parliamentary Privilege

section 36, Prejudice to effective conduct of public affairs

section 40, Personal Information (where disclosure may contravene the data protection legislation)

section 41, Information provided in confidence

section 44, Prohibitions on disclosure

The exemptions that are qualified by the public interest test are:

section 22, Information intended for future publication


section 24, National Security

section 26, Defence

section 27, International Relations

section 28, Relations within the United Kingdom

section 29, The Economy

section 30, Investigations and proceedings conducted by public authorities

section 31, Law Enforcement

section 33, Audit Functions

section 35, Formulation of Government Policy

section 36, Prejudice to effective conduct of public affairs (for all public authorities except the House of Commons and the House of Lords)

section 37, Communications with Her Majesty, etc. and honours

section 38, Health and Safety

section 39, Environmental Information

section 42, Legal Professional Privilege

section 43, Commercial Interests

More information on the exemptions can be found on the Information Commissioner’s website www.ico.gov.uk and the Department for Constitutional Affairs website www.dc.gov.uk

Internal FOI complaints and review process

Should an applicant be dissatisfied with the way their request was handled or the outcome of their request for information under the Freedom of Information Act 2000 (FOI) they can ask for a review of the Trust’s decision by invoking the Trust’s FOI review process. The applicant will be informed of his or her right to complain to the Chief Executive in the Freedom of Information (FOI) Department's initial response to their request. The complaint will give rise to a full reconsideration of the handling of the case, as well as the final decision.

Process steps

1. On receipt of a request for an internal review, the Chief Executive, Deputy Chief Executive or DP/FOI Lead will forward the complaint to the Feedback and Engagement team who will acknowledge the request and inform the applicant of the target date for the review. The required target time for responding to the applicant is 20 working days.

2. The Feedback and Engagement team officer, on behalf of the Chief Executive or Deputy, will request a full history of the case from the DP/FOI Lead and any other member of staff involved in responding to the original request. In order to complete the review within the target time, the relevant documents must be made available with the minimum of delay.

3. Where it is apparent that the response to the complaint will take longer than 20 working days (for example because of the complexity of the particular case) the complainant will be informed accordingly but in those circumstances it should not exceed 40 working days.

4. Dealing with the complaint will consist of an analysis of the evidence; consideration of the appropriateness of the exemption(s) cited; review of the arguments for withholding/disclosing information in the particular circumstances of the case; consideration of whether the public interest had been properly considered and consulting the DP/FOI Lead who handled the initial request where necessary. Where it would be helpful to do so, the reviewer will also discuss the case directly with the applicant.

5. Where exemption S.36 has been applied, the review will be conducted by the Chairman of the Trust.

6. During the review period, the complainant will be kept informed of progress.

7. If the final decision is to uphold the complaint, the proposed disclosure of the information originally requested will be made in full consultation with the DSP Lead or DPO. Where the outcome of a complaint is that an initial decision to withhold information is upheld, the applicant will be informed and provided with details of his or her right to complain to the Information Commissioner.

8. All steps taken during the review process will be recorded on the TSDFT Internal Review form.


FOIA Internal Review

Reference No – request dated [insert date]

Request for: a) [give a description of the information requested]

Persons involved in the original decision [insert those consulted upon when the original decision was made]

Response [insert date]: [give the response, i.e. the exemptions being used and the reasons why, including public interest test is appropriate]

Exemptions used: List exemptions and whether public interest test should be applied.

Reason for decision: [list the reasons on which the decision was based. Attach any relevant paperwork, i.e. ICO/DCA guidance.]

People involved in decision: List people involved in the decision and/or providing the information requested including third parties, i.e. ICO, other organizations.

List of Guidance, websites used for reference: List ICO, DCA guidance used and websites that may have supported the decision being made.

Date Internal Review Requested

Reason given for Internal Review by applicant [provide information, if provided by the applicant, as to why they feel the information should be disclosed]

Date by which decision of internal review should be sent to requester:

Any additional information: Include any information, guidance, changes of circumstances, etc. that may have come to light in between the first response and the internal review. Anything else that may be relevant to the disclosure of the information. Please bear in mind that if you have not used S36 before, you may wish to use it now. If you do then you will need to place the public interest test against the exemption, provide information here.

Options:

1. Disclose information as requested

2. Partial disclosure of information.

3. Uphold the decision not to disclose made on [insert date]

Independent Review to be carried out by Chief Executive/Chair [insert name(s) of person compiling the information]

Date:

Decision made

Signed:

Date:

Job Title:

Letter sent to requester:


FOI/IG team will establish if the information is disclosable

FOI/IG team will locate and request the information

FOI/IG team will acknowledge receipt of the request immediately. If the question is not clear, the requester will be asked to clarify

Forward to [email protected] or Data Access and Disclosure Office, Kitson Hall


Inform the applicant that requests for information not on the website must be in writing. Please advise to email [email protected] or write to the Data Access and Disclosure Office, Kitson Hall
