Understanding Confidentiality and Security
Objectives
To foster an awareness of the importance of Confidentiality and Security
To understand the main threats and countermeasures
To raise awareness of the relevant legislation, in particular the Data Protection Act 1998
To be able to secure automated and manual data
Content
Introduction
Some recent surveys
What can go wrong?
Legal frameworks
Practical guidance
Case Study
Summary and Conclusion
Recent surveys on attitudes to Confidentiality and Security
Patient/Client Attitudes to Confidentiality
Survey by NHS and Consumer Association in 2002, findings:
General happiness to share info, with doctors being trusted most
25% wished to exclude sensitive information from routine sharing
Over 33% wanted to be consulted every time their details were shared
Under 50% felt reassured that confidentiality would be protected by NHS policies
Nearly 25% didn’t know what NHS did with patient information
Non-English speakers were happiest to share total record
Who cares about data protection?
Information Commissioner survey 2003 identified 5 groups:
The concerned (40%): very worried
The proactive (13%): not worried
The self-reliant (10%): unconcerned
The social observers (17%): extremely worried
The naïve (19%): unconcerned
BMA Survey: June 2005
75% of patients would not mind their health information being held on a central database
75% had concerns about the security of information
81% were worried about accessibility by people other than the healthcare professionals providing their care
93% said the public should be fully consulted about the proposals before they are finalised
Information Commissioner survey November 2005
4 out of 5 concerned about their Health and Safety if data falls into wrong hands
52% concerned personal details may be passed to others
80% expressed concerns about the use, transfer and security of personal information
50% thought that bodies collecting personal information handled the data fairly or properly
IC stated that “No doubt they are increasingly aware of the dangers of identity theft and the serious consequences if their health, financial and other personal records fall into the wrong hands or are otherwise misused.”
News items on Confidentiality and Security
What do we mean by Data Protection?
Covers:
Confidentiality
Integrity
Availability
Covers the use and management of data through organised systems of all forms, whether based on human endeavours, paper methods or information technology.
What do we hold?
Information about you
Information about patients/clients
Information about the Trust
Reflective Exercise 1
What do we use personal information for?
What do we use personal information for?
Personal care and treatment
Assuring and improving the quality of care and treatment (e.g., through clinical audit)
Monitoring and protecting public health
Coordinating HPSS care with that of other agencies (e.g., voluntary and independent services)
Effective health and social care administration
Teaching/research
Statistical analysis
What can go wrong?
Incorrect input
Theft
Wilful damage
Unauthorised access: external, internal
Software virus
Cyber crime
Security Breaches: examples
A set of patients' medical records left in a skip by retiring doctor (real example!)
A security guard reading personal data left on an employee’s desk overnight.
A copy of a child at risk register found on a second hand computer (real example)
An employee using the PC of another employee (who logged in and left PC unattended) to process data without authorisation
A patient at a GP surgery viewing the personal data of a previous patient on a PC screen.
Security Breaches: examples (2)
A patient in a waiting room at a doctor’s surgery overhearing information about another patient’s ailments.
An employee using data for which they have authorised access for unauthorised purposes – e.g. a police officer using the police national computer to check out daughter’s boyfriend. (real example)
A passenger on a train was sitting next to someone who was reading a solicitor’s brief about a person who had been charged with murder – he happened to be a relative of the passenger.
The Impact of the Threats
Personal privacy
Personal health and safety
Financial
Commercial confidentiality
Legal damages and penalties
Disruption
Political embarrassment
Ethical Considerations
Promote patient/client well-being
Avoid detrimental acts/omissions
Open and co-operative manner
Recognise patient/client dignity
No abuse of position
Protect confidential information
Legal Frameworks
The Computer Misuse Act 1990
Introduced three offences
Unauthorised access to computers
Unauthorised access with intent
Unauthorised modification
Case Study: Computer Misuse Act
A man was convicted in London (6/10/05) of hacking into a charity website, set up after the Indian Ocean tsunami disaster, in breach of the Computer Misuse Act. The man, a computer consultant, was given a £400 fine and ordered to pay £600 in costs. He fell foul of section one of the Computer Misuse Act, the UK’s main cybercrime legislation, on New Year’s Eve last year.
He clicked on a banner ad to donate £30 to the Disaster Emergency Committee (DEC) appeal. However, when he did not get a confirmation or thank you in response to his donation, he feared that he had fallen for a phishing site, and decided to test the site to make sure. Unfortunately, in doing so he set off the DEC protection systems, and the police were called in.
The Judge found the accused guilty with “some considerable regret”, but the wording of the Act made it clear that the security consultant was guilty. "Unauthorised access, however praiseworthy the motives, is an offence," said the judge.
Data Protection Act 1998: Main Provisions
Covers all HPSS records including electronic records
Defines ‘processing’ as obtaining, holding and disclosing data
Permits subject access to all records
Imposes considerable penalties
Data Protection ’98 The Principles
1. Personal data shall be processed fairly and lawfully
2. Personal data shall be obtained only for one or more specified and lawful purposes
3. Personal data shall be adequate, necessary and not excessive in relation to the purpose for which it was provided
4. Personal data shall be accurate and up to date
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for those purposes
6. Personal data shall be processed in accordance with the rights of the subject under the Act
Data Protection ’98 The Principles continued...
7. Technical & organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or damage to personal data
8. Personal data shall not be transferred to a country outside the European Economic Area.
Case Study 1: Data Protection
An employee of the Child Support Agency, having read what he believed to be an inaccurate press article derogatory of the CSA and concerning a CSA client known to him, decided to set the record straight by faxing the true story to the newspaper concerned. Whilst the fax was sent anonymously, an investigation identified him as the author. He was dismissed from his employment and convicted of unlawful disclosure of personal data.
Case Study 2: Data Protection
The complainant who was employed by a hospital was summoned to the office of his Personnel Manager to discuss his sickness record. The Personnel Manager had accessed the hospital’s clinical computer information system in order to challenge certain aspects of the employee’s account of events. As a result of this complaint the hospital revised its security arrangements and the Personnel Manager incurred disciplinary action as a result of the inappropriate use of confidential clinical information for non-medical purposes.
Case Study 3: Data Protection
The complainant visited his local hospital for a course of physiotherapy. Some months after the therapy was complete the complainant received a letter from the physiotherapist, who had since set up her own business. The physiotherapist had used the complainant’s information that had originally been given in confidence to the hospital for the earlier treatment.
Personal Data
Data which relates to a living individual who can be identified from those data and is:
processed or intended to be processed automatically, or
recorded as part of a relevant filing system, or
part of an accessible record.
Scope of Data Protection Legislation
Automated Data
Relevant filing systems (Manual data)
Accessible Records
Automated Data
On computer
Document image processing
Audio/Video
Digitized images
CCTV images
Relevant Filing System
Non-automated systems structured by reference to individuals
Standard manual files
Impact of Durant case
Organised to allow ready access to specific information about individuals
Accessible Records
Covers all Health and Social Care records
Structured to allow access to individuals
Storage
Diaries
Computers
message books
appointments register
disks
address books
Complaints register
Legitimacy of Processing (1998)
Principle 1: “Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is met”
Schedule 2 conditions (1998)
1. Data Subject has given consent
2. Performance of a contract.
3. Compliance with legal obligation.
4. Protection of subject’s vital interest.
5. Crown/public functions
6. Legitimate interests of controller or third party.
Sensitive Data
Racial or ethnic origin
political opinion
religious beliefs (or similar beliefs)
membership of trade union
physical or mental health or condition
sexual life
any offence or alleged offence
any proceedings or sentence
Sensitive Data - Schedule 3
1. Data subject has given explicit consent
2. Performance of legal duty in relation to employment
3. Protection of subject’s or third party’s vital interests
4. Legitimate activities of some non-profit organisations
5. The information has been made public deliberately by the data subject
6. In connection with legal proceedings
7. Administration of justice, statutory obligations or crown/public functions
8. Medical purposes
9. For equal opportunities monitoring
10. By order Secretary of State
Subject Access Requests
Right of access to personal data in computer or manual form
Entitled to:
Be informed whether personal data is processed
A description of the data held, the purposes for which it is processed and to whom the data may be disclosed
A copy of the data
Information as to the source of the data
There are limited exemptions
Subject Access Requests cont’d
Responding:
Request should be in writing to the Data Protection Coordinator
Data should never be read over phone, faxed or emailed to data subject
Must be given in 40 days
Practical Guidance
Securing automated data
Key areas:
Faxing: Avoid the use of fax for sending personal data - if there is no alternative use secure protocols
Passwords: Good password management will help protect personal data and staff
Securing automated data (2)
Email: Personal data should not be transmitted by email
Data can be accessed by data subjects
Email can be insecure
Survey of 800 UK companies revealed that 22% of Directors had reprimanded staff for gossiping using email and 85% considered email to be facilitating scandalous material around office
Portables/laptops: Do not leave unattended; when leaving ensure that it is locked away; be aware of others being able to see your computer screen
PDAs and memory sticks must not contain personal information
Securing manual data
Do not allow sensitive conversations to be overheard
Guard against people seeking information by deception
Message books: Accessible to staff only; sensitive data should not be recorded in message books
Lock filing cabinets
Securing manual data (2)
Diaries: Patient/client data which is held in diaries should be given the same security as any other record
Telephone conversations: Staff should be careful about those within earshot when discussing sensitive information; check the authenticity of any caller before divulging any information
Securing manual data (3)
Minutes of meetings: Minutes which render the subject identifiable should be marked confidential; stored in a secure area; available only to the personnel concerned
Staff Supervision records/Staff Appraisal
Sick leave records
Such information is classified as sensitive data. Care should be taken when transferring information from medical certificates to notification form, i.e. abbreviations can lead to misinterpretation
Case Study
Questions to consider:
Type of data held on clients/patients
Who holds it?
Who shares it?
Who else has access to data?
What security surrounds it?
Any data held on others in the case study?
Is data accurate, up-to-date?
Summary of key points
Duty to PROTECT information
Duty to OBTAIN information fairly
Duty to ensure information is SECURE
Duty to JUSTIFY use and storage of personal data
DON’T PASS ON information unless you are sure
Remember Subject Access
BE CAREFUL WHEN YOU’RE ASKED FOR PERSONAL DETAILS
YOU NEVER KNOW WHERE THEY’LL END UP
**************************************************************************
EVERY TIME YOU’RE ASKED FOR PERSONAL INFORMATION THINK BEFORE YOU GIVE IT AWAY
**************************************************************************
Thank you for attending