Data Protection Policy

1.Summary

Information is a vital asset, both in terms of the clinical management of individual patients and the efficient management of services and resources. It plays a key part in clinical governance, service planning and performance management.

It is therefore of paramount importance to ensure that information is efficiently managed, and that appropriate policies, procedures and management accountability and structures provide a robust governance framework for information management.

This Policy should also be considered alongside the Confidentiality Policy.

2. Relevant CQC Fundamental Standard/H+SC Act Regulation (2014)

Regulation 15:  “Premises and Equipment”.

3. Principles

The organisation recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. 

The organisation fully supports the principles of corporate governance and recognises its public accountability, but equally places importance on the confidentiality of, and the security arrangements to safeguard, both personal information about patients and staff and commercially sensitive information. 

The organisation also recognises the need to share patient information with other health organisations and other agencies in a controlled manner consistent with the interests of the patient and, in some circumstances, the public interest.

The organisation believes that accurate, timely and relevant information is essential to deliver the highest quality health care. As such, it is the responsibility of everyone in the organisation to ensure and promote the quality of information and to actively use information in decision making processes.

There are four key interlinked strands to the Information Governance Policy:

  • Openness
  • Legal compliance
  • Information security
  • Quality assurance

Openness

  • Non-confidential information about the organisation and its services will be available to the public through a variety of media, in line with the organisation’s  code of openness.
  • The organisation will establish and maintain policies to ensure compliance with the Freedom of Information Act.
  • The organisation will undertake or commission reviews of its policies and arrangements for openness.
  • Patients will have ready access to information relating to their own health care, their options for treatment and their rights as patients.
  • The organisation will have clear procedures and arrangements for liaison with the press and broadcasting media.
  • The organisation will have clear procedures and arrangements for handling queries from patients and the public.

Legal Compliance

  • The organisation regards all person identifiable information, including that relating to patients as confidential.
  • The organisation will undertake or commission annual reviews of its compliance with legal requirements.
  • The organisation regards all identifiable personal information relating to staff as confidential except where national policy on accountability and openness requires otherwise.
  • The organisation will establish and maintain policies to ensure compliance with the Data Protection Act, Human Rights Act and the common law confidentiality.
  • The organisation will establish and maintain policies for the controlled and appropriate sharing of patient information with other agencies, including issue of a Privacy Notice, taking account of relevant legislation (e.g. Health and Social Care Act, Crime and Disorder Act, Protection of Children Act and the General Data Protection Regulations 2018).

Information Security

  • The organisation will establish and maintain policies for the effective and secure management of its information assets and resources.
  • The organisation will undertake or commission annual reviews of its information and IT security arrangements.
  • The organisation will promote effective confidentiality and security practice to its staff through policies, procedures and training.
  • The organisation will establish and maintain incident reporting procedures and will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security.  Such breaches will be dealt with promptly and effectively, and reviews undertake in order to avoid any future repetition.
  • Data will be stored confidentially – i.e. under lock and key and/or with application of secure access via passwords, etc.
  • Passwords will be subject to changing on a regular and systematic basis.
  • Information and data (both hard copy and electronic) will be disposed of safely and in accordance with current guidelines in order to protect the confidentiality of patients and the organisation.

Information Quality Assurance

  • The organisation will establish and maintain policies and procedures for information quality assurance and the effective management of records.
  • The organisation will undertake or commission annual assessments reviews of its information quality and records management arrangements.
  • Managers are expected to take ownership of, and seek to improve, the quality of information within their services.
  • Wherever possible, information quality should be assured at the point of collection.
  • The organisation will promote information quality and effective records management through policies, procedures/user manuals and training.

4. Responsibilities

It is the role of the CQC Registered Manager to define the organisation’s policy in respect of Information Governance, taking into account legal and NHS requirements.

The CQC Registered Manager is also responsible for ensuring that sufficient resources are available to support the requirements of the policy.

The CQC Registered Manager is the designated Information Governance Lead in the organisation and is responsible for:

  • Overseeing day to day Information Governance issues;
  • Developing and maintaining policies, standards, procedures and guidance;
  • Coordinating Information Governance in the organisation;
  • Raising awareness of Information Governance; and
  • Ensuring that there is on-going compliance with the policy and its supporting standards and guidelines.

All staff, whether permanent, temporary or contracted, and contractors are responsible for ensuring that they remain aware of the requirements incumbent upon them for ensuring compliance on a day to day basis.

5. Policy Approval

The organisation acknowledges that information is a valuable asset, therefore, it is wholly in its interest to ensure that the information it holds, in whatever form, is appropriately governed, protecting the interests of all of its stakeholders.

The organisation will, therefore, ensure that all staff, contractors and other relevant parties observe this policy, in order to ensure compliance with Information Governance and contribute to the achievement of the primary care objectives and delivery of effective healthcare to the local population.

6. Caldicott Guardian 

6.1.

A Caldicott Guardian is a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing. Each NHS organisation is required to have a Caldicott Guardian; it shall be the duty of the Board to designate a Caldicott Guardian for the Company.

6.2.

Person identifiable information takes many forms. It can be stored on computers, transmitted across networks, printed or stored on paper, spoken or recorded. The organisation must safeguard the integrity, confidentiality, and availability of sensitive information.

6.3.

No one from the organisation – (this includes staff employed by commercial partners and volunteer groups) – is allowed to share any person identifiable information unless it has been authorised by the organisation’s Caldicott Guardian. It is unlikely that this authorisation will be granted unless the access is on a need to know basis and justifiable against the Caldicott principles.

6.4.

The Caldicott standard is based around six principles:

  • 6.4.1 Justify the purpose: Every proposed use or transfer of person identifiable information within or from an organisation should be clearly defined and scrutinised with continuing uses regularly reviewed by the Caldicott Guardian.
  • 6.4.2 Don’t use personal identifiable information unless it is absolutely necessary: Person identifiable information items shall not be used unless there is no alternative.
  • 6.4.3 Use the minimum necessary personal identifiable information: Where use of person identifiable information is considered to be essential, each individual item of person information should be justified with the aim of reducing identity.
  • 6.4.4 Access to personal identifiable information should be on a strict need to know basis: Only those individuals who need access to person identifiable information should have access to it and they should only have access to the personal information items that they need to see.
  • 6.4.5 Everyone should be aware of their responsibilities: Actions should be taken to ensure that all staff who handle person identifiable information are aware of their responsibilities and obligations to respect confidentiality.
  • 6.4.6 Understand and comply with the Law: Every use of person identifiable information must be lawful. Individuals have a right to believe that personal information given in confidence will be used for the purposes for which it was originally given, and not released to others without their informed consent.

7. Confidential Waste Management

7.1.

Confidential Waste is defined as ‘waste containing personally-identifiable information or waste which is business sensitive’. Below is a specific list of material classed as ‘confidential’ that would require secure disposal:

  • data relating to future activities of the Organisation;
  • payroll and pension data;
  • sensitive personal data, as defined by the Data Protection Act 1998, covering racial or ethnic origin, political opinions, religious beliefs, Trade Union activities, physical or mental health, sexual life, or details of criminal offences;
  • higher level personal data, such as information relating to staff disciplinary proceedings or harassment;
  • clinical records;
  • records of a commercially sensitive nature, such as contracts, tenders, purchasing and maintenance records, or legal documents; and
  • records containing sensitive information such as video, DVD, photographs and other multi-media formats.

7.2.

Legally, the Organisation is obliged under the provisions of the Data Protection Act 1998 to protect all personally-identifiable information and the seventh principle states that ‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’.

7.3.

The Organisation therefore recognises it has a duty of care to ensure all personally- identifiable and confidential information relating to the Organisation’s business activities is protected from the public domain and has an obligation to dispose of all clinical and non-clinical information under secure and confidential conditions. Through the proper control of the destruction of records, vulnerability to legal challenge or financial loss is minimised

7.4.

It is the responsibility of all Organisation staff to ensure confidential information they are handling is destroyed effectively, securely and in accordance with this policy and procedure.   Whether clinical or administrative, anyone who creates, receives and uses records has records management responsibilities, which includes the disposal of all documents.

7.5.

Any breach of confidentiality should be classed as a security incident and reported in accordance with the Organisation’s Incident Reporting Policy.

7.6.

In order to ensure the Organisation is meeting its legal requirements, it must ensure all records are appropriately retained for the maximum amount of time. All manual records that have reached the end of their lifecycle, in accordance with the Department Of Health Records Management: NHS Code of Practice.

7.7.

It is the responsibility of all staff to ensure information they are handling is destroyed effectively, securely and in accordance with this policy and procedure. All manual records that have reached the end of their lifecycle should be destroyed using one of the following methods:

  • Internal Shredding: Cross Cut Shredder: Paper records should be destroyed using a shredding device designed to cross cut material to ensure shredding cannot be reconstructed. Staff shredding their own records are responsible for ensuring records are destroyed adequately and in such a way that protects the security of the information contained within them.
  • Use of External Confidential Waste Disposal Company: A confidential waste disposal company will be used if necessary, subject to confirmation that it meets all relevant statutory and other standards.

    All queries with regard to the destruction of IT equipment and electronic media must be referred to the IM&T Lead.