data protection & confidentiality policy · the trust has a legal obligation to comply with all...

Ref: WHHT: G022 Date: Dec 2014 Version no: 5 Author: Nicola Bateman Review Date: Oct 2016 of 35

Data Protection & Confidentiality Policy Controlled document This document is uncontrolled when downloaded or printed.

Reference number WHHT: G022

Version 5

Author Nicola Bateman

Date ratified 30th October 2014

Committee/individual responsible

Trust Leadership Executive Committee

Issue date December 2014

Review date October 2016

Target audience All Staff

Key Words Data Protection, Confidentiality, Information Governance

Previous Policy Name n/a


CONTRIBUTION LIST Key individuals involved in developing this version of the document

Name Designation

Nicola Bateman Information Governance Manager

Approved by Committee 30th October 2014

Change History

Version Date Author Reason

1 April 2007 Nicola Bateman

Policy approved.

2 June 2009 Nicola Bateman

Included section on Confidentiality & Monitoring & Review. Updated section on Responsibilities. Further minor changes made throughout the policy.

3 Feb 2010 Nicola Bateman

Recommendations from Information Commissioners Office incorporated into the policy document.

3 May 2012

Nicola Bateman

Minor amendments -

4 July 2012 Nicola Bateman

Full update as policy due to expire

5 Aug 2014 Nicola Bateman

Review minor amendments and additions


CONTENTS

1 Introduction ............................................................................................................ 5

2 Aim ........................................................................................................................ 5

3 Purpose ................................................................................................................. 5

4 Objectives .............................................................................................................. 5

5 Definitions .............................................................................................................. 6

5.1 Data ................................................................................................................ 6

5.2 Personal Data ................................................................................................ 6

5.3 Sensitive Personal Data ................................................................................. 6

5.4 Relevant Filing System ................................................................................... 7

5.5 Accessible Records ........................................................................................ 7

5.6 Data Controller ............................................................................................... 7

5.7 Data Subject ................................................................................................... 7

5.8 Data Processor .............................................................................................. 7

5.9 Recipient ........................................................................................................ 8

5.10 Third Party .................................................................................................. 8

5.11 Processing .................................................................................................. 8

5.12 Disproportionate Effort ................................................................................ 8

6 Scope .................................................................................................................... 9

7 Responsibilities ..................................................................................................... 9

7.1 Chief Executive .............................................................................................. 9

7.2 Caldicott Guardian.......................................................................................... 9

7.3 Senior Information Risk Owner (SIRO) .......................................................... 9

7.4 Information Governance (IG) Manager ......................................................... 10

7.5 Directors and Divisional Managers ............................................................... 10

7.6 General Managers........................................................................................ 10

7.7 All Staff ......................................................................................................... 10

8 The Data Protection Act 1998 ............................................................................. 11

9 Data Protection Principles ................................................................................... 11

9.1 Principle 1 .................................................................................................... 12

9.2 Principle 2 .................................................................................................... 12

9.3 Principle 3 .................................................................................................... 13

9.4 Principle 4 .................................................................................................... 13

9.5 Principle 5 .................................................................................................... 14

9.6 Principle 6 .................................................................................................... 14

9.7 Principle 7 .................................................................................................... 16


9.8 Principle 8 .................................................................................................... 16

10 Notification ....................................................................................................... 18

11 Research & Development ................................................................................ 19

11.1 Introduction ............................................................................................... 19

11.2 General Principles ..................................................................................... 19

11.3 Consent Procedures ................................................................................. 20

11.4 Safeguarding confidentiality ...................................................................... 21

11.5 Data Transfers .......................................................................................... 22

12 Confidentiality .................................................................................................. 22

12.1 Protecting Patient Information: .................................................................. 23

12.2 Inform Patients Effectively: ........................................................................ 23

12.3 Provide Choice to Patients ........................................................................ 23

12.4 Improve Wherever Possible ...................................................................... 23

12.5 Using & Disclosing Confidential Information ............................................. 24

13 Evaluation measures ....................................................................................... 24

13.1 Monitoring ................................................................................................. 24

13.2 Audit Review ............................................................................................. 24

14 References ...................................................................................................... 24

15 Related Policies ............................................................................................... 25

16 Equality Impact Assessment............................................................................ 26

17 Policy and Procedure Sign-off Sheet ............................................................... 27

18 Policy Ratification Form ................................................................................... 28

19 APPENDIX B – FLOWCHART FOR FAIR & LAWFUL PROCESSING ........... 30

APPENDIX C – FLOWCHART FOR DATA Transfers ............................................... 31

APPENDIX D – SCHEDULE 2 .................................................................................. 32

APPENDIX E – SCHEDULE 3 .................................................................................. 33

APPENDIX F – SCHEDULE 4 ................................................................................... 35


1 Introduction The Trust has a legal obligation to comply with all appropriate legislation and guidance when processing personal data about patients, employees and other individuals. This policy is primarily based upon the Data Protection Act 1998 that is the key piece of legislation covering security and confidentiality of personal information. 2 Aim The aim of the policy is to ensure the Trust meets its legal obligations under the Data Protection Act 1998. 3 Purpose The purpose of this document is to set out the Trust’s high-level policy in relation to data protection, outline the principles of data collection, usage and duties attached, and to list the specific actions that the Trust is taking in order to meet each of the specific policy aims. The Trust is committed to properly protecting the information that it holds and the Trust Board and senior management have agreed this policy and associated practices and procedures.

4 Objectives The Trust will, through appropriate management, and strict application of criteria and controls:

observe fully conditions regarding the fair and lawful collection and use of information

meet its legal obligations to specify the purposes for which information is used

collect and process appropriate information to the extent that it is needed to fulfil operational needs or to comply with legal requirements

ensure the quality of information used

apply strict checks to determine the length of time information is held

ensure that the rights of people about whom information is held can be fully exercised under the Data Protection Act 1998

take appropriate technical and organisational security measures to safeguard personal information

ensure that personal information is not transferred abroad without suitable safeguards.


5 Definitions The following terms, essential to an understanding of data protection law, are used repeatedly in the legislation and throughout this policy. This appendix reproduces the definition of the terms from the Data Protection Act. Rather than being set out in alphabetical order, the terms below appear in a sequence that seems to be more conducive to their understanding. 5.1 Data Section 1 (1) of the 1998 Act defines ‘data’ as: Information which –

(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose,

(b) is recorded with the intention that it should be processed by means of such equipment,

(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,

(d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record, or

(e) is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d).

5.2 Personal Data The provisions of the Act apply only to personal data. The term ‘personal data’ is defined, in section 1(1) as: data which relate to a living individual who can be identified-

(a) from those data, or (b) from those data and other information which is in the possession of, or is

likely to come into the possession of, the Data Controller, and includes any expression of opinion about the individual and any indication of the intentions of the Data Controller or any other person in respect of the individual. 5.3 Sensitive Personal Data Personal data consisting of information as to-

the racial or ethnic origin of the Data Subject, political opinions, religious beliefs or other beliefs of a similar nature whether they are a member of a trade union, physical or mental health or condition, sexual life alleged offences legal proceedings.


5.4 Relevant Filing System A ‘relevant filing system’ is defined in section 1(1) of the Act as: Any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible. 5.5 Accessible Records Paragraph (d) of the definition of ‘data’ includes accessible records within that definition. Section 68 defines an accessible record as: A health record, an education record or an accessible public record. 5.6 Data Controller

A ‘Data Controller’ is: A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

The Act, by virtue of section 5, applies to Data Controller’s only if:

the Data Controller is established in the United Kingdom and the data is processed in the context of the establishment; or

the Data Controller is established neither in the United Kingdom nor any other EEA state but uses equipment in the United Kingdom for processing the data otherwise than for the purposes of transit through the United Kingdom.

5.7 Data Subject A ‘Data Subject’ means an individual who is the subject of personal data and must be a living individual. Organisations, such as companies and other corporate and unincorporated bodies of persons cannot, therefore, be Data Subjects. The ‘Data Subject’ needs not be a United Kingdom national or resident. Provided that the Data Controller is subject to the Act, rights with regards to personal data are available to every Data Subject, wherever his nationality or residence. 5.8 Data Processor

A ‘Data Processor’ is: any person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller.


5.9 Recipient A ‘recipient’, in relation to personal data, means any person, to whom the data are disclosed, including any person (such as an employee or agent of the Data Controller, a data processor or an employee or agent of the data processor) to whom they are disclosed in the course of processing the data for the Data Controller.

5.10 Third Party

Third party, in relation to personal data, means any person other than:

the Data Subject the Data Controller, or any Data Processor or other person authorised to

process data for the Data Controller or processor. The expression third party does not include employees or agents of the Data Controller or data processor, which persons are for the purpose of this expression to be interpreted as part of the Data Controller or processor. As such, this expression is distinguishable from ‘recipient’, which effectively separates employees/agents or the Data Controller/processor from the Data Controller/processor itself. 5.11 Processing

‘Processing’, in relation to information or data, means: obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including-

organisation, adaptation or alteration of information or data, retrieval, consultation or use of the information or data, disclosure of the information or data by transmission, dissemination or

otherwise making available, or alignment, combination, blocking, erasure or destruction of the information or

data. 5.12 Disproportionate Effort The first of the ‘primary conditions’ (which allow a Data Controller to escape from the obligation to notify the Data Subject of the fair collection information) requires the effort on the part of the Data Controller in contacting the Data Subject to be ‘disproportionate’. The Act does not define the term or the data protection directive; however it can be reasonably inferred that in order for this condition to operate the effort involved in contacting the Data Subject must be disproportionate to the prejudice caused by the lack of any such information supplied. Where the effort needed to contact the Data Subject is considerable, such effort is likely to be disproportionate unless it is outweighed by severe consequences for the


Data Subject, e.g., because it involves significant, or otherwise important, processing (for example, of sensitive personal data). The test thus appears to involve a balancing exercise and relevant factors will be the time and expense involved to the Data Controller in providing the relevant information to the Data Subject and the prejudicial effort on the Data Subject caused by the withholding of such information. 6 Scope The Policy will apply to all personal data concerning living individuals processed by West Hertfordshire Hospitals NHS Trust 7 Responsibilities 7.1 Chief Executive The Chief Executive holds overall responsibility for data protection throughout the Trust, but on a day-to-day basis will be delegated to the Information Governance Manager. 7.2 Caldicott Guardian

The Caldicott Guardian is responsible for protecting the confidentiality of patient and service-users information and enabling appropriate information sharing with external and collaborative agencies. They will act as the conscience of the Trust; the Caldicott Guardian actively supports work to enable information sharing where appropriate and advises on options for lawful and ethical processing of information.

The Guardian plays a key role in ensuring that the Trust and partner organisations satisfy the highest practical standards for handling patient identifiable information.

Acting as the 'conscience' of an organisation, the Guardian actively supports work to enable information sharing where it is appropriate to share, and advises on options for lawful and ethical processing of information.

The Caldicott Guardian also has a strategic role, which involves representing and championing Information Governance requirements and issues at Board or management team level and, where appropriate, at a range of levels within the organisation's overall governance framework.

7.3 Senior Information Risk Owner (SIRO) The Trust has appointed the Chief Information Officer as the Senior Information Risk Owner (SIRO). The SIRO is responsible for:


taking overall ownership of the Trust’s Information Risk Policy

acting as champion for information risk on the Board and provide written advice to the Accounting Officer on the content of the Trust’s statement of internal control in regard to information risk

implementing and lead the NHS information governance risk assessment and management processes

advising the Board on the effectiveness of information risk management across the Trust.

7.4 Information Governance (IG) Manager

The Information Governance Manager will undertake the Data Protection Officer role, which includes:

maintaining the Trust notification

facilitating Information Governance training sessions

overseeing subject access requests (SAR)

auditing compliance to the Act and this policy

acting as initial point of contact for any data protection issues which may arise within the Trust, including those relating to staff.

7.5 Directors and Divisional Managers Directors and Divisional Managers are responsible for ensuring this policy is implemented throughout their directorates. 7.6 General Managers General Managers must adhere to this policy and ensure staff undertake annual Information Governance awareness training. These sessions are mandatory and can be booked through the Training Department or can be accessed via e-learning http://wghintra01/human_resources/training_and_development/e-learning/ 7.7 All Staff

All staff that process personal data in any form must ensure they comply with:

the requirements of the Data Protection Act 1998 (including the Data Protection Principles)

this policy and any procedures and guidelines which may be issued.


8 The Data Protection Act 1998

The Data Protection Act 1998 covers two elements:

standards to be applied when handling personal information about living individuals

practices to be applied to achieve and maintain those standards.

and stemmed from a need to achieve a balance between the competing forces of individual’s rights to privacy and the need for organisations to carry out their lawful functions. Main changes from previous (1984) Data Protection legislation The legislation is no longer limited specifically to data held electronically and now applies to all personal information held in 'relevant filing systems' in any medium (paper, database, spreadsheet, etc.). The criteria for whether something is a 'filing system' in the terms of the Act relate to whether the information is held in a structured way and indexed by individual identifiers. In essence, any file held specifically on a particular individual should now be regarded as subject to the legislation. There is new emphasis on giving Data Subjects advance notification about data being collected and what will be done with it (how it is to be 'processed'). In this context, Data Subjects must be given the opportunity to consent to the collection and processing of their data if the Trust is unable to rely on another condition for processing from Schedule 2, and where necessary, Schedule 3. There are new 'Fair Processing' principles. Personal data that is collected and processed must be for specified, explicit and legal purposes, and the data held must be accurate, relevant and not excessive to those purposes. Personal data must be kept secure, up-to-date and not longer than actually necessary. The legislation now defines a category of sensitive personal data which are subject to more stringent conditions on their processing than other personal data. Transfers of personal data to countries outside the European Economic Area (EEA) are banned unless certain conditions are satisfied. Stronger rights for individuals exist under the new legislation including the right to compensation for damage or distress caused by unlawful processing.

9 Data Protection Principles

There are eight principles of good practice within the Data Protection Act 1998 that are normally referred to as the ‘Data Protection Principles’.


9.1 Principle 1 Personal data shall be processed fairly and lawfully

9.1.1 There is a requirement to make the general public, which may use the services of the Trust, aware of why the Trust needs information about them, how this is used and to whom it may be disclosed. The Trust is obliged under the Data Protection 1998 Act and Caldicott recommendations to produce patient information leaflets and posters which stipulate the Trust’s uses of patient information.

9.1.2. A requirement of the fairness obligations, contained in the First

Principle is to ensure, so far is practicable, that the Data Subject is supplied with the following information at the point of data capture.

the identity of the Data Controller

the purpose or purposes for which the data are intended to be processed

any other information that is necessary to enable the particular processing to be fair.

9.1.3. There must also be procedures to notify staff, temporary employees (volunteers, locums) etc. of the reasons why their information is required, how it will be used and to whom it may be disclosed. This should occur during induction or by their individual manager.

9.1.4. The Trust’s information booklet ‘Your Information’ clearly informs

patients about confidentiality and the way patient information may be used and shared. Trust staff must ensure that these leaflets are provided to patients when their personal data is first collected. These leaflets are available from most patient areas within the Trust and from the Trust’s website: If you require additional copies please contact the Information Governance Department x2718

9.1.5. Personal data must be processed ‘lawfully’. For personal data to be lawful at least one of the six conditions in Schedule 2 to the Act must be met, see Appendix D. In the case of sensitive personal data, processing will not be lawful unless one of the conditions in Schedule 2 and one of the conditions in Schedule 3, see Appendix E, are met.

9.2 Principle 2 Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be processed in any manner incompatible with that purpose or those purposes.


9.2.1 Personal information will only be processed for the purposes set out in our registration with the Information Commissioner and manner consistent with the purpose(s) for which they were obtained. The Trust’s registration can be found on the public register of Data Controllers from the Information Commissioner’s website. www.ico.gov.uk

9.3 Principle 3 Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

9.3.1 The Third Principle, also known as the ’adequacy principle’, essentially obliges the Trust to obtain from Data Subjects only those pieces of information that are necessary for the Trust’s purpose for processing such data.

9.3.2 A record must therefore contain sufficient details about a patient’s

medical condition to enable medical practitioners to administer care and treatment. In addition, if personal data is irrelevant it is more likely to be excessive. For example, a medical record containing a doctor’s personal opinions in respect of a patient’s character may in some cases be both irrelevant and excessive.

9.3.3 The Trust is responsible for reviewing all instances of data collection

– such as employment application forms, supplier detail forms and registration forms – to ensure that information requested from individuals is adequate, relevant, and not excessive for its purpose(s).

9.4 Principle 4 Personal data shall be accurate and, where necessary, kept up to date.

9.4.1 The interpretation provisions provide that the Fourth Principle will not be breached where inaccurate information in personal data accurately records information obtained from the Data Subject or a third party if:

o the Trust has taken reasonable steps to ensure the accuracy of

the data; and o where the Data Subject has informed the Trust of his view that

the data are inaccurate, the data indicates that fact.

9.4.2 Staff are responsible for informing the Trust of changes to their personal information that they provide to the Trust in connection with

http://www.ico.gov.uk/


their employment. They must ensure this is accurate and up-to-date, for example change of address.

9.4.3 Patients must be asked to validate the information held about them when attending appointments. This can be achieved by asking them to confirm their postcode or by showing them a printed label showing their demographics.

9.5 Principle 5 Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

9.5.1 Keeping personal data beyond the length of time necessary for the purpose for which data were or are processed will breach the Fifth Principle. This principle therefore requires the destruction of personal data that are no longer relevant for their purpose(s).

9.5.2 The Trust’s Records Retention & Disposal Schedules, available from

the intranet, sets out retention and disposal schedules for most record types held and is compliant with the Records Management: NHS Code of Practice Part 1 & 2.

9.6 Principle 6 Personal data shall be processed in accordance with the rights of Data Subjects under the 1998 Act.

9.6.1 ‘Data Subjects’ have the following rights under the Sixth Principle:

access to personal data

prevention of processing likely to cause damage or distress

prevention of processing for direct marketing

prevention of automated decision-taking

rectification, blocking, erasure and destruction

compensation

request for assessment.

Access to personal data

9.6.2 Individuals whose information is held within the Trust have rights of

access to it, regardless of the media that information may be held in. Individuals also have a right to complain if they believe that the Trust is not complying with the requirements of the Data Protection Act 1998.


9.6.3 Data Subjects wishing to access their Health Records must apply in writing to the Access to Health Records Administrator at the hospital where they received treatment. Please refer to the Trust’s Access to Health Records Policy.

Prevention of processing likely to cause damage or distress

9.6.4. Data Subjects can give written notice requesting the Trust to stop

processing personal information, in certain circumstances, giving the reasons why they feel it is causing damage or distress. This requires the Trust to respond within 21 days from receipt of the notice.

9.6.5 An example of this may include sending letters to deceased patients or

their family where the Trust has not been notified of the death.

Prevention of processing for direct marketing

9.6.6 Data Subjects have the right to require a Data Controller to ensure

that data will not be used for sending them advertising or direct marketing material. The Trust does not use personal information for advertising or for direct marketing.

Prevention of automated decision making

9.6.7 Data Subjects can give written notice preventing a Data Controller from taking decisions based on automated processing of their personal data. The Trust has a responsibility to notify an individual when automated decisions have been made using their data. Data Subjects can then ask that the decision be reconsidered but there are certain exceptions within this right.

9.6.8 The Trust has identified that no decisions are taken on any of the

Trust’s main IT systems that would significantly affect individuals that are based solely on the processing of personal information by automatic means.

Rectification, blocking, erasure and destruction

9.6.9 Data Subjects can apply for a court order requiring a Data Controller

to rectify, block, erase or destroy any inaccurate data relating to them and any assessment or opinion based on such inaccurate data.

Compensation

9.6.10 A Data Subject who feels they have suffered damage or distress as

the result of a breach of the Act may be entitled to compensation. The Trust has in place an effective complaints system and process


that ensures a full investigation and response to the concerns of the complainant.

Request for assessment

9.6.11 Data Subjects can ask the Information Commissioner to assess

whether or not a Data Controller, in a particular instance; is processing personal data in compliance with the Act.

9.7 Principle 7 Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing, of personal data and against accidental loss or destruction of, or damage, to personal data.

9.7.1 Information relating to identifiable individuals must be kept secure at all times. The Trust will ensure there are adequate procedures in place to protect against unauthorised processing of information and against accidental loss, destruction and damage. Details of how this is achieved can be found by accessing the Trust’s Information Security Policies available from the intranet on http://wghintra01/imt/security.htm

Disposal of non-clinical waste

9.7.2 The Trust has a legal obligation to maintain confidentiality standards

for all information relating to patients, employees and Trust business. It is important that this information is disposed of in a secure manner.

9.7.3 All employees will be made aware of how easy it is to breach

confidentiality and how to dispose of confidential waste during staff induction and mandatory update training. The Trust’s Waste Management Policy is available from the intranet.

9.8 Principle 8 Personal data shall not be transferred to a country or territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level or protection for the rights and freedoms of Data Subjects in relation to the processing of personal data.

9.8.1 The Trust currently doesn’t transfer personal data to countries outside of the EEA. Appendix C – Flowchart for Data Transfers must be followed if personal data needs to be transferred outside the EEA.

http://wghintra01/imt/security.htm


9.8.2 All transfers of personal data outside the EEA must be for a lawful and justified purpose and the Information Governance Manager informed of such transfers.

9.8.3 The EEA is currently made up of the following countries.

Austria Belgium Bulgaria Croatia Cyprus

Czech Republic

Denmark Estonia Finland France

Germany Greece Hungary Iceland Ireland

Italy Latvia Liechtenstein Lithuania Luxembourg

Malta Netherlands Norway Poland Portugal

Romania Slovakia Slovenia Spain Sweden

United Kingdom

Adequacy

9.8.4 The Trust will also consider the following guiding factors when determining the adequacy of the level of protection afforded by a third country.

the nature of the personal data;

the country or territory of origin of the information contained in the data;

the country or territory of final destination of the data;

the purposes for which, and period during which, the data are intended to be processed;

the law in force in the country or territory in question;

the international obligations of the country or territory;

any relevant codes of conduct or other rules which are enforceable in the country or territory (whether generally or by arrangement in particular cases).

9.8.5 The European Commission has decided that certain countries have an adequate level of protection for personal data. Currently, the following countries are considered as having adequate protection

Andorra Guernsey New Zealand

Argentina Isle of Man

Switzerland Canada Israel Uruguay Faroe Islands

Jersey


Safe Harbor

9.8.6 ‘Safe Harbor’ is the name given to the agreement that enables the transfer of personal data from any European Union country to the United States without breaching the export ban contained in the Eighth Data Protection Principle.

9.8.7 Safe Harbor is a self-certification system that allows a United States

company to state publicly that it complies with a set of privacy rules regarding the processing of personal information acquired from the EU. For UK organisations, the main advantages of the regime are that exports to Safe Harbor companies can take place without breaching the data export ban and that there is no need to continually review contractual terms prior to new types of transfers taking place.

9.8.8 To obtain an up-to-date list of Safe Harbor companies, visit the Safe

Harbor website www.export.gov/safeharbor

10 Notification

The Information Commissioner maintains a public register of Data Controllers who process personal information on a computer. Each register entry includes the name and address of the Data Controller and a general description of the processing of personal data by a Data Controller. Individuals can consult the register to find out what processing of personal data is being carried out. If the Trust fails to complete this process and keep the information up-to-date it has committed a criminal offence and could face criminal prosecution. The Information Governance Manager will ensure the purposes for all personal information held in computerised form are registered. The notification procedure requires details of:

the Data Controller's name and address

the type of processing undertaken

the purpose of the processing

any recipients of the personal information

the measures taken to ensure compliance with the seventh principle of the data protection act 1998

The Trust annually submits a notification to the Information Commissioner’s Office (ICO) – and is available from the public register of Data Controllers from the Information Commissioner’s website. www.ico.gov.uk

http://www.export.gov/safeharbor

www.ico.gov.uk


11 Research & Development

11.1 Introduction

11.1.1 Researchers must gain an understanding of the confidentiality and security requirements defined in the Data Protection Act 1998 and guidance from the Medical Research Council (MRC) www.mrc.ac.uk, when applying to the Ethics Committee for approval to carry out a programme of research using patient information.

11.1.2 Researchers are required to complete an Ethics Committee

application form for permission to conduct a research programme. The form is split into several key areas asking about the type of research the applicant intends to do, the information to be collected, how information will be acquired, and how it will be used.

11.1.3 To assist in completing such an application this policy looks at the

areas of confidentiality and security that must be considered when using patient information during research.

11.2 General Principles

The following principles will guide all research involving people or their information.

11.2.1 Personal information of any sort, which is provided for health care, or

obtained in medical research, must be regarded as confidential. Wherever possible people should know how information about them is used, and have a say in how it may be used. Research should therefore be designed to allow scope for consent, and normally researchers must ensure they have each person’s explicit consent to process personal information. In most clinical research this is practicable.

11.2.2 A Research Ethics Committee must approve all medical research

using identifiable personal information, or using anonymised data from the NHS, which is not already in the public domain.

11.2.3 Personal information must be coded or anonymised as early as possible and consistent with the needs of the study.

11.2.4 Researchers must ensure that only health professionals or staff with

an equivalent duty of confidentiality handle personal information. 11.2.5 Principal investigators must take personal responsibility for ensuring

that training, procedures, supervision, and data security arrangements are sufficient to prevent unauthorised breaches of confidentiality.

http://www.mrc.ac.uk/


11.2.6 Researchers must also have procedures in place to minimise the risk

of causing distress to the people they contact in course of their research.

11.2.7 At the outset, researchers must decide what information about the

results should be available to the people involved in the study once it is complete, and agree these plans with the Research Ethics Committee.

11.3 Consent Procedures

11.3.1 To collect personal information you are normally legally obliged to obtain consent from the Data Subject unless you have a legal reason to collect the data. For consent to be applicable as a condition for processing sensitive personal data, it must be explicit. The use of the word ‘explicit’ in Schedule 3 suggests that the individual’s consent should be absolutely clear. It should cover the specific processing details; the type of information; the purpose of the processing; and any special aspects that may affect the individual.

11.3.2. Consent must be given voluntarily, not under any duress or undue

influence from health professionals, family or friends. 11.3.3 Obtaining consent should be seen as a process, not a one-off event.

The process of discussing options and coming to a decision should be seen as part of the consent process.

11.3.4 Where patients are asked to participate in any clinical study, the

patient information sheet must directly refer to the treatment of personal data, and explain:

the goals, methods and possible benefits of the research who will collect the data (name of project, department and

telephone number) why the data is collected who will have access to the data, including any external

organisations that might be given the data the circumstances in which data may be disclosed to those

allowed access whether copies of the data may be made the arrangements for storing the data how long the data will be stored whether the data may be used for similar future research

projects the implications of taking part in the project including any

risks how the research will be published and whether individuals

will be identifiable.


11.3.5 Information must also be provided covering the following points:

That there is no pressure to take part and they can withdraw consent at any time without their medical care being affected.

If the research is a clinical trial, the nature of the trial, and the information so far on the therapy’s effectiveness and side effects.

If the research is a randomised controlled trial, the fact that they will be randomly assigned to the standard treatment, the new treatment or (if applicable) the placebo.

11.3.6 If a patient cannot be contacted to obtain consent, it should not be assumed that their medical details could be used for research purposes.

11.3.7 Research studies may gain support under Section 251 of The NHS Act

2006 where explicit consent cannot be gained or where the public interest does not justify breaching patient confidentiality.

11.3.8 Researchers must understand that where support under Section 251

of The NHS Act 2006 is given, this does not create new statutory gateways, so the processing must still be for a lawful function. Where these powers apply the Data Protection Act 1998 also continues to apply.

11.4 Safeguarding confidentiality

11.4.1 Researchers should use unlinked, truly anonymised data wherever possible. In circumstances where this is not possible, the amount of personal data stored by researchers should be kept to the minimum necessary to achieve the purpose of the study.

11.4.2 Researchers must ensure that data held must be ‘adequate, relevant,

and not excessive’ in relation to the project involved. 11.4.3 Personal data must be modified as early as possible in the processing

of data. While anonymisation may introduce delays, even a basic coding system can provide a safeguard against accidental or mischievous release of confidential information.

11.4.4 Sharing of identifiable data should be limited to those who have a

demonstrable need to know it as part of their role in the research project.

11.4.5 Researchers must always consider when planning a project, giving

data to and receiving data from others, and before publishing


information, whether their research data may lead to the identification of individuals or very small groups.

11.4.6 If an organisation is providing data for research purposes the data

should ideally be anonymised before it is received. 11.4.7 Anonymising records do not just involve removing the subject’s name.

Researchers must understand the risks involved with data stored as individual data sets as they could be linked to a Data Subject by age, postcode or medical condition. The more information included in each data set, the greater the risk of identification.

11.4.8 Researchers must be aware that removing the name and address may

not be sufficient to prevent identity. If it is a countrywide study using many thousands of records this may be acceptable. However, in small communities it may still be possible to identify an individual even without their name and address, by a combination of other obvious characteristics such as ethnic origin, gender, disability, health issues, postcode (in Britain postcodes contain, on average, 14 contiguous addresses, but some postcodes cover only a few addresses).

11.4.9 Researchers must be aware that, cross-tabulation of data in a study

with a small number of subjects could identify individuals. In general, the more characteristics there are in a personal record and the fewer people there are sharing those characteristics, the easier it is to identify individuals.

11.5 Data Transfers

11.5.1 If the transfer of personal data is to a third party outside the EEA then normally a contract must be in place governing the transfer to ensure adequate protection, unless a Schedule 4 condition of the Data Protection Act 1998 applies. See: Appendix C Flowchart for Data Transfers and Appendix F – Schedule 4) for guidance when transferring personal data outside the EEA.

Researchers must also be familiar with the Trust’s Research & Development Standard Operating Procedures.

12 Confidentiality

A duty of confidence arises when one person discloses information to another (e.g. patient to clinician) in circumstances where it is reasonable to expect that the information will be held in confidence. It –

is a legal obligation that is derived from case law;

is a requirement established within professional codes of conduct; and

must be included within NHS employment contracts as a specific requirement inked to disciplinary procedures.


The requirements that must be met in order to provide patients/service users with a confidentiality service are detailed below:

PROTECT - look after the patient’s/service user’s information; INFORM - ensure that patients/service users are aware of how their information is used; PROVIDE CHOICE - allow patients/service users to decide whether their information can be disclosed or used in particular ways; IMPROVE – look for better ways to protect, inform and provide choice.

12.1 Protecting Patient Information: Personal identifiable information will be protected through implementation of the following measures:

staff, 3rd party contractors and volunteers must be fully aware of their responsibilities regarding confidentiality

advice can be sought from the Caldicott Guardian or the Information Governance Manager

the recording of information must be accurate and consistent

information is kept private

information is physically secure

appropriate care is taken when disclosing and using Information 12.2 Inform Patients Effectively:

when information is to be recorded or their records accessed

when they are disclosing information to others

of the choices available to them on how their information may be disclosed, and to ensure that patients have no concerns about the disclosure

on their rights when the patient wishes to access their health records.

12.3 Provide Choice to Patients

by asking patients before using their information in ways that do not directly impact on their delivery of care e.g.: research and audits

respecting patient’s wishes if they wish to restrict disclosure

informing patients of the implications to restricting disclosures. 12.4 Improve Wherever Possible

being aware of possible confidentiality issues

attend training sessions implemented by the Trust

seek support from the Caldicott Guardian/ Information Governance Manager for the Trust when required


report possible breaches or risk of breaches as soon as possible by completing an incident form, and directly contacting the Information Governance Manager.

12.5 Using & Disclosing Confidential Information There are three basic rules for making a lawful disclosure of confidential Information:

Where a client to whom the information relates has consented.

Where the disclosure is in the public interest

Where there is a legal duty to do so (court order). It is important that patients are made aware of information disclosures, which relate to them, so as not to breach confidentiality or the Data Protection Act.

The Department of Health’s Confidentiality: NHS Code of Practice gives clear guidance on confidentiality with disclosure models to assist with identifying if information held under a duty of confidentiality can be shared.

https://www.gov.uk/government/publications/confidentiality-nhs-code-of-practice The Caldicott Guardian and the Information Governance Manager should also be approached for advice relating to the use and disclosure of confidential information.

13 Evaluation measures 13.1 Monitoring The IG Toolkit contains guidance on expected standards and key performance indicators, which together will be used to monitor the effectiveness of this policy The Information Governance Manager is responsible for monitoring compliance with this policy and ensuring its effectiveness. 13.2 Audit Review The content of this policy will be audited annually against the IG Toolkit and by Internal and External Audit. 14 References

1. Information Commissioner’s Office [online]. (2013) The Guide To Data Protection [pdf] Available from: http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/the_guide_to_data_protection.pdf

2. Data Protection Act 1998, London: HMSO

http://www.dh.gov.uk/PublicationsAndStatistics/Publications/PublicationsPolicyAndGuidance/PublicationsPolicyAndGuidanceArticle/fs/en?CONTENT_ID=4069253&chk=jftKB%2B

https://www.gov.uk/government/publications/confidentiality-nhs-code-of-practice

http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/the_guide_to_data_protection.pdf

http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/the_guide_to_data_protection.pdf


15 Related Policies

The Policy will be supported by a number of Information Governance policies that set out both user level and operational level details for implementing effective information security across the Trust. These include;

Access to Health Records Policy

Safe Haven Policy

Information Sharing Protocol

IT Code of Conduct

Information Security Policy


16 Equality Impact Assessment

Yes/No Comments

1. Does the policy/guidance affect one group less or more favourably than another on the basis of:

Race No

Ethnic origins (including gypsies and travellers)

No

Nationality No

Gender No

Culture No

Religion or belief No

Sexual orientation including lesbian, gay and bisexual people

No

Age No

Disability - learning disabilities, physical disability, sensory impairment and mental health problems

No

Marriage & Civil partnership No

Pregnancy & maternity No

2. Is there any evidence that some groups are affected differently?

No

3. If you have identified potential discrimination, are any exceptions valid, legal and/or justifiable?

No

4. Is the impact of the policy/guidance likely to be negative?

No

5. If so can the impact be avoided? N/A

6. What alternatives are there to achieving the policy/guidance without the impact?

N/A

7. Can we reduce the impact by taking different action?

N/A

If you have identified a potential discriminatory impact of this procedural document, please refer it to (Insert name and position) together with any suggestions as to the action required to avoid/reduce this impact. For advice in respect of answering the above questions, please contact (Insert name and position).


17 Policy and Procedure Sign-off Sheet

Policy Name and Number: Data Protection & Confidentiality Policy Version Number and Date: No: 5 Service Location: Information Governance All staff members must sign to confirm they have read and understood this policy.

Name Signature Name Signature


18 Policy Ratification Form Name of Document: Ratification Date:

Name of Persons Job Title Date

Divisional Support (Direct Line Manager / Matron / Consultant / Divisional Manager)

Nicola Bateman Information Governance Manager Aug 14

Consultation Process (list of stakeholders consulted / staff groups presented to)

Lisa Emery Senior Information Risk Owner Aug 14

Fiona Smith Research & Development Manager Aug 14

Mike Van De Watt Medical Director Aug 14

Endorsement By Panel/Group

Name of Committee Chair of Committee Date

Informatics Lisa Emery 30th Sep 14

Document Checklist Yes / No

1. Style & Format

Is the title clear and unambiguous? Y

Is the font in Arial? Y

Is the format for the front sheet as per Appendix 1 of the policy framework

Y

Has the Trust Logo been added to the Front sheet of the policy? Y

Is it clear whether the document is a guideline, policy, protocol or standard operating procedure?

Y

2. Rationale

Are reasons for development of the document stated? Y

3. Content

Is there an introduction? Y

Is the objective of the document clear? Y

Does the policy describe how it will be implemented? Y

Are the statements clear and unambiguous? Y

Are definitions included? Y

Are the responsibilities of individuals outlined? Y

4. Evidence Base

Is the type of evidence to support the document identified explicitly? Y

Are key references cited? Y

Are supporting documents referenced? Y

5. Approval

Does the document identify which committee/group will approve it? Y


Document Checklist Yes / No

6. Review Date

Is the review date identified? Y

Is the frequency of review identified? If so is it acceptable? Y

7. Process to Monitor Compliance and Effectiveness

Are there measurable standards or Key Performance Indicators to support the monitoring of compliance with and effectiveness of the document?

Y

Is there a plan to review or audit compliance with the document? Y

Standard Equality Impact Assessment Tool

Persons likely to be affected by policy change / implementation

Staff

Are there concerns that the proposed documentation / change could have an adverse impact on:

Race. Ethnicity, National Origin, Culture, Heritage N

Religion, Faith, Philosophical Belief N

Gender, Marital Status, Pregnancy N

Physical or Learning Disabilities N

Mental Health N

Sexual Orientation / Gender Reassignment N

Age N

Homelessness, Gypsy / Travellers, Refugees / Asylum Seekers N

Please give details of any adverse impact identified: N/A

If adverse impacts are identified, are these considered justifiable? (Please give reasoning) N/A

There is unlikely to be an adverse impact on different minority groups

Name of Person completing Ratification Form

Job Title Date

Nicola Bateman Information Governance Manager

Aug 14

Ratification Group/Committee Chair Signature Date

Trust Leadership Executive Committee


19 APPENDIX B – FLOWCHART FOR FAIR & LAWFUL PROCESSING

FAIR & LAWFUL PROCESSING YES NO

NO YES YES

NO NO YES

NO YES NO

YES YES

NO

YES

NO NO YES

Did I obtain the personal data from the Data Subject (DS)?

Did the DS have ready access to the relevant information at the relevant time?**

Would the provision of the information involve ***disproportionate effort?

Was the recording of the information necessary for the compliance with a non-contractual legal obligation?

First Principle breached

Does the DS have ready access to the

relevant information*?

Has the DS consented to the processing?

Do any of the specified conditions in Schedule 2 apply to the processing?

Do any of the specified conditions in Schedule 3 apply?

First Principle satisfied

Are the data sensitive?

Has the DS consented to the processing?

* The information specified in Schedule 1 Part II, paragraph 2.3 (see Section 5 / 5.1) ** The time defined in Schedule 1 Part II, paragraph 2(2) of the (DPA 1998) *** See Appendix A Definitions Source – Data Protection A Practical Guide to UK and EU Law, Peter Carey

First Principle breached


APPENDIX C – FLOWCHART FOR DATA Transfers CAN THE TRUST SEND PERSONAL DATA ABROAD?

NO YES

YES NO

YES

NO

YES

NO YES

NO YES

NO

Source – Data Protection A Practical Guide to UK and EU Law, Peter Carey

Is the Trust transferring personal data to a country, which is not within the EEA?

Is the country on the EU

approved list?

Does the country of the transferee have adequate data protection controls by virtue of a legal or self-regulatory regime (including ‘Safe Harbor’ where the transferee is a Safe Harbor company)?

Is there a contract in place governing the transfer, which ensures adequate protection?

Has the Data Subject consented to the transfer?

Does any other Schedule 4 exemption (including contractual necessity) apply?

The transfer is unlawful

The transfer does NOT breach the Eighth Principle

The transfer is lawful


APPENDIX D – SCHEDULE 2

Conditions relevant for purposes of the first principle: processing of any personal data 1. The Data Subject has given consent to the processing

2. The processing is necessary-

(a) for the performance of a contract to which that Data Subject is a party, or (b) for the taking of steps at the request of the Data Subject with a view to

entering into a contract 3. The processing is necessary for compliance with any legal obligation to which

the Data Controller is subject, other than an obligation imposed by contract 4. The processing is necessary in order to protect the vital interests of the Data

Subject 5. The processing is necessary –

(a) for the administration of justice; (b) for the exercise of any functions of either House of Parliament; (c) for the exercise of any functions conferred on any person by or under any

enactment; (d) for the exercise of any functions of the Crown, a Minister of the Crown or a

government department; or (e) for the exercise of any other functions of a public nature exercised in the

public interest by any person

6. The processing is necessary for the purposes of legitimate interests pursued by the Data Controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason or prejudice to the rights and freedoms or legitimate interests of the Data Subject


APPENDIX E – SCHEDULE 3

Conditions relevant for purposes of the first principle: processing of sensitive personal data 1. The Data Subject has given his explicit consent to the processing of the

personal data.

2. The processing is necessary for the purposes of exercising or performing any right or obligation, which is conferred or imposed by law on the Data Controller in connection with employment.

3. The processing is necessary-

(a) in order to protect the vital interests of the Data Subject or another person, in a case where-

(i) consent cannot be given by or on behalf of the Data Subject, or (ii) the Data Controller cannot reasonably be expected to obtain the

consent of the Data Subject, or (b) in order to protect the vital interests of another person, in a case where

consent by or on behalf of the Data Subject has been unreasonably withheld.

4. The processing-

(a) is carried out in the course of its legitimate activities by any body or association which-

(i) is not established or conducted for profit, and (ii) exists for political, philosophical, religious or trade-union

purposes, (b) is carried out with appropriate safeguards for the rights and freedoms of

Data Subjects, (c) relates only to individuals who either are members of the body or

association or have regular contact with it in connection with its purposes, and

(d) does not involve disclosure of the personal data to a third party without the consent of the Data Subject.

5. The information contained in the personal data has been made public as a

result of steps deliberately taken by the Data Subject. 6. The processing-

(a) is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),

(b) is necessary for the purpose of obtaining legal advice, or (c) is otherwise necessary for the purposes of establishing, exercising or

defending legal rights. The processing is necessary-

(a) for the administration of justice,


(b) for the exercise of any functions conferred on any person by or under an enactment, or

(c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department.

7. The processing is necessary for medical purposes and is undertaken by-

(a) a health professional, or (b) a person who in the circumstances owes a duty of confidentiality which is

equivalent to that which would arise if that person were a health professional.

In this paragraph "medical purposes" includes the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services.

9. The processing-

(a) is of sensitive personal data consisting of information as to racial or ethnic origin,

(b) is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained, and

(c) is carried out with appropriate safeguards for the rights and freedoms of Data Subjects.

10. The personal data are processed in circumstances specified in an order made

by the Secretary of State for the purposes of this paragraph.

Ref: WHHT: G001 Date: October 2014 Version no: 5 Author: Nicola Bateman Review Date: October 2016 of 35

APPENDIX F – SCHEDULE 4

Schedule 4 to the Data Protection Act 1998 contains a list of nine circumstances whereby the Eight Data Protection Principles will be excluded from preventing personal data transfers to third countries.

1. The Data Subject has given consent to the transfer.

2. The transfer is necessary: (a) for the performance of a contract between the Data Subject and the Data

Controller; or (b) for the taking of steps at the request of the Data Subject with a view to

his entering into a contract with the Data Controller.

3. The transfer is necessary: (a) for the conclusion of a contract between the data controller and a person

other than the Data Subject which: (i) is entered into at the request of the Data Subject, or (ii) is in the interests of the Data Subject; or

(b) for the performance of such a contract.

4. The transfer is necessary for reasons of substantial public interest.

5. The transfer: (a) is necessary for the purpose of, or in connection with, any legal

proceeding (including prospective legal proceedings); (b) is necessary for the purpose of obtaining legal advice, or (c) is otherwise necessary for the purposes of establishing, exercising or

defending legal rights.

6. The transfer is necessary in order to protect the vital interests of the Data Subject.

7. The transfer is of part of the personal data on a public register and any

conditions subject to which the register is open to inspection are complied with by any person to whom the data are or may be disclosed after the transfer.

8. The transfer is made on terms, which are of a kind approved by the Information

Commissioner as ensuring adequate safeguards for the rights and freedoms of Data Subjects.

9. The transfer has been authorised by the Information Commissioner as being made in such a manner as to ensure adequate safeguards for the rights and freedoms of Data Subjects.

data protection & confidentiality policy · the trust has a legal obligation to comply with all...

Documents