information governance - welcome to the south eastern health and social ... governance a5 booklet...

Post on 20-Jun-2020


Information for staff

INFORMATION GOVERNANCE


Contents

Introduction

What is the Data Protection Act 2018?

The Six Principles of the Data Protection Act

Keeping personal information secure

Use of computer systems

Keeping the network secure

Telephone calls

Social media

Emailing

Secure disposal

Transporting records

Good Information Handling in your job

Posting personal information

Confidential waste

Retention and disposal of records

Faxing

Reporting incidents (Data Breaches)

Freedom of Information

Further information and guidance


Introduction

The South Eastern HSC Trust needs to collect and use personal information about people in order to operate. All individual staff members who access or use personal information must do so responsibly and in line with the legal requirements - the Data Protection Act 2018.

Failure by a staff member to comply with these requirements could result in disciplinary action, involvement of the PSNI, and in some cases, lead to potential criminal proceedings.

Understanding the relevant Trust policies, asking the right people for advice and taking personal responsibility for how you handle personal information will help you to get it right and comply with Data Protection requirements within your day-to-day role in the Trust.

FACT:

The Information Commissioner’s Office (ICO) has the power to fine organisations a maximum of £500,000 for breaching the Data Protection Act.


What is the Data Protection Act 2018?

The Data Protection Act protects personal privacy and upholds individuals’ rights.

Does the Act affect me?

Yes! The Data Protection Act 2018 affects everyone who handles or has access to information about individuals. The Act also gives rights to the people the information is about.

By law, everyone in the workplace must follow the rules set out in the Act and help to protect individuals’ rights.

What are my responsibilities?

The Act helps make sure that information held on computer-based systems and paper-based record systems is managed properly.

You must protect personal information by following the six principles of the Data Protection Act 2018.


The Six Principles of the Data Protection Act 2018

The Act is based on six principles or rules for ‘good information handling’.

In summary, the data must be:

1. Processed lawfully, fairly and in a transparent manner

2. Collected for specified, explicit and legitimate purposes

3. Adequate, relevant and limited to what is necessary

4. Accurate and, where necessary, kept up to date

5. Retained only for as long as necessary

6. Processed in an appropriate manner to maintain security.


Keeping personal information secure

When do I need to keep personal information secure?

Personal or sensitive information should always be kept secure, whether paper or electronically held records.

Do not leave records unattended in areas where the public can access them.

If accessing electronic records on computer systems, angle the screen away from areas that are visited by non-Trust employees.

Don’t forget to activate your screen saver as soon as you plan to leave your work station (Ctrl + Alt + Del).

Use of computer systems

Can I view whatever I want to on Trust computer systems?

Using Trust systems gives you access to personal information about many individuals.

Always log onto the network using your own username and password, but do not access information unless you have a legitimate business reason for doing so.

Remember it is a crime to access systems for your own purposes, e.g. looking up a neighbour or relative’s test results, or your own!

Your logon details for Trust systems must not be disclosed or shared with anyone else - it is your responsibility to keep them private!

There are easy, secure ways to give someone else access to your emails and files from their own account. Contact ICT for advice if you aren’t sure how.


Keeping the network secure

Whilst technical controls are in place to help protect the network and information from malicious files or access, we also need you to be careful! Be extra cautious of suspicious emails or web links.

Even opening these emails or links can create problems that can lead to information being compromised.

Stay alert and report suspicious activity to the ICT Help Desk. The faster it is reported, the faster it can be dealt with.

Telephone calls

I have to discuss personal information on the telephone - what should I do?

Depending on your role, you may be required to handle enquiries or requests for personal information.

Did you know that you can breach the Data Protection Act if you give out information to someone who is not entitled to it?

Always check the person’s identity first and if you are unsure about giving out the information, suggest they write in for it or take a number and call them back. Don’t let yourself be bullied or tricked into giving out the information - seek assistance from your line manager.

On those occasions where you need to leave a telephone message for someone on their home or mobile phone, leave your direct dial contact number and ask them to contact you - not the message itself.

Remember, the message could easily be picked up by someone else.


Social media

I can’t get into trouble for saying whatever I want on social media outside work - right?

Social media offers a great way to communicate with friends, colleagues and other people, but there are risks and issues for both the individual and the Trust.

If you can be identified as a member of Trust staff when using social media, such as Facebook or Twitter, you must not mention any information relating to a patient/client.

Never post comments that others may find offensive, such as racist or sectarian remarks, or talk about the Trust or colleagues in a negative way. This could result in disciplinary action being taken against you.

Always act in a professional and responsible way when using social media. If you don’t want your mother to see it, your manager to read it, or a newspaper to print it, then don’t post it.


Secure disposal

Electronic devices which are used to process personal or sensitive information must be securely erased before disposal or re-use. This includes devices like PCs, laptops, mobile phones etc. and even some printers.

Using an authorised contractor means that the data is securely erased and therefore sensitive information will be kept private and not available on the internet!

Contact ICT Help Desk for advice on the correct disposal process and authorised contractor(s).

Emailing

I want to send information to my hotmail account at home. Is this ok?

When emailing sensitive or personal information to organisations external to the Trust, and who are not part of the HSCNI protected network, the data will be sent over the internet. Therefore, you must encrypt the information before sending.

Personal or sensitive information should never be emailed to your home email account.

If you do work at home, request a secure access home working fob or access to FortiToken with the agreement of your manager. This will allow you to access your work computer at home (application form available on ICT portal).

When using Trust email, do not put a patient/client or staff name in the ‘subject box’ of an email. Always check you have selected the correct person you intend the email to go to - one click and it is gone!


Transporting records

I keep my personal work diary on the front seat of my car - that’s ok isn’t it?

Did you know that records are at their biggest risk when being transported outside the organisation?

‘Records’ also includes personal work diaries, reports, emails, correspondence, not just patient/client files.

The Trust Records Management Procedure requires records to be tracked out when they are ‘on the move’ and back in on their return.

On those occasions where you must take records home as part of your job, put them in a ‘secure vessel’ (container or bag) and place them in the boot of the car.

Remove the records into your home on arrival.

Beware! Never be tempted to leave records in your car overnight or leave them where they are visible - even for a short period.


Good Information Handling in your job - your five a day!

1. Keep it secure

When handling personal or sensitive information, keep it secure, both during and after use. Never leave records, such as patient files, personal work diaries or appointment letters where they can be accessed or removed inappropriately.

2. A place for everything and everything in its place

If you write personal identifiable details, such as name, address, date of birth, treatment etc. onto loose sheets of paper, this information belongs in the patient record or should be placed in the confidential waste, as appropriate, when no longer needed.

Loose sheets can be easily dropped or lost - would you like your sensitive information picked up by a member of the public?

If you discover personal information has been mis-filed into the wrong file, please notify your line manager.

3. Should I hand this information over?

Think before handing over personal or sensitive information just because someone has asked you for it.

Only staff who need the information for the purpose of their work should have access to it.

Requests from patients/clients or staff, for information the Trust holds on them, must be made in writing to the Trust.

Contact the Information Governance Department for more information.


4. It only takes a moment

Some roles may involve handing a patient/client their own record, such as Antenatal Clinic appointments.

Always check it is the right file for the right patient. It only takes a moment and can avoid causing unnecessary distress to a patient/client.

5. Keep it current

Where possible, check that the patient/client address and contact number have not changed.

Personal information that is incorrect, inaccurate or out of date can result in delays to patient appointments or to sensitive information being opened by the wrong person. Help get it right every time!

Posting personal information

Posting

As part of your job, you may need to send personal or sensitive information by post. Always write the full address. Do not be tempted to use abbreviations for Trust facilities, as this can be confusing.

Do you know what LAC or F&CC stands for? - Not everyone does! If you post sensitive information outside the Trust, consider using an appropriate return address on the back of the envelope, which allows it to be returned if necessary, and send it via Special Delivery.


FACT:

Personal information sent to an out of date or incorrect address can result in a breach of the Data Protection Act.


Confidential waste

Why do I need to use confidential waste?

The Trust has a process for ensuring staff securely dispose of personal identifiable or business sensitive information appropriately. This is important so that the Trust can comply with its obligations under the Data Protection Act.

Disposing of this information into confidential waste bags helps ensure the information cannot be obtained or used inappropriately for identity theft and helps protect patients and staff members’ rights to privacy and confidentiality.

Confidential waste bags are located in every department across all Trust sites. You should retain the audit trail issued by the contractor.

You can also dispose of DVDs/videos/laminates in a separate confidential waste bag, labelled appropriately. Remember to seal the bag promptly. Don’t leave the bags in corridors, foyers or hallways.

Retention and disposal of records

The Trust has a legal obligation to manage, retain and destroy its records in line with Department of Health guidelines.

Therefore all records within the Trust should be retained and destroyed in accordance with the Trust’s Retention and Disposal Schedule/Policy.

At time of publication, record disposal is now temporarily suspended due to the ongoing Historical Institutional Abuse Inquiry.


Faxing

Personal/sensitive information should only be faxed in urgent cases, where there is no other suitable method of transferring the information.

A fax should never be sent just because it is the most convenient option.

Faxes containing personal/sensitive data should be redacted (the personal identifiers removed) and the patient’s hospital number/unique identifying number and initials used instead. This helps keep the faxed information anonymous.

If you regularly fax to the same number, pre-programme this to reduce the risk of faxing to the wrong number.

Reporting incidents (Data Breaches)

If you are aware, or suspect, that a data breach has occurred, report it to your line manager immediately and complete a Trust incident form (IR1). The Trust’s Information Governance Department can be contacted for further advice and assistance.

If an electronic device has been lost or stolen, ensure the ICT Help Desk is notified immediately so that the device can be disabled and remotely wiped (where possible).

It is important the incident is appropriately dealt with as soon as possible, in order to minimise any potential distress to the people concerned.

FACT:

Organisations have been fined £100,000 for faxing personal identifiable information to the wrong fax number.


Freedom of Information

The Freedom of Information (FOI) Act 2000 makes it easier for people to get information about the Trust. This law, which came into force on 1 January 2005, means that anyone, anywhere can ask for information we hold.

Under the Freedom of Information Act 2000, the Trust is legally committed to providing timely and accessible information to the public and responding to reasonable requests for information.

There are no time limits on how far back you can gain access to information, as long as we hold it on record.

If you are unsure about providing corporate information, contact the Information Governance Department.

Further information and guidance

For more information contact:

The Information Governance Department, Lough House, Ards Community Hospital, Church Street, Newtownards, BT23 4AS

Tel: (028) 9151 2201

email: [email protected]


Designed by Communications Department

Reproduced with kind permission from Belfast HSC Trust

Published June 2018