INFORMATION GOVERNANCE POLICY


Academic year: 2021


INFORMATION GOVERNANCE POLICY

Including the Information Governance Strategy Framework and associated Information Governance Procedures

Last Review Date: N/A

Approving Body: Governing Body

Date of Approval: 20th September 2013

Date of Implementation: 1st October 2013

Next Review Date: October 2016

Review Responsibility: Chief of Corporate Services


REVISIONS/AMENDMENTS SINCE LAST VERSION

Date of Review: Amendment Details

August 2013: New policy developed from a range of previous PCT Information Governance policies, frameworks and related procedures.

December 2014: Policy updated on PIA Procedure, Caldicott Principle 7, Roles and Accountabilities, additional definitions, application forms for access to records, further clarity on information sharing principles.


CONTENTS

Definitions

Section A – Policy

1. Policy Statement, Aims & Objectives
2. Legislation & Guidance
3. Scope
4. Accountabilities & Responsibilities
5. Dissemination, Training & Review

Section B – Information Governance Strategy & Management Framework

1. Introduction
2. Strategic Aims
3. Openness & Information Sharing
4. Information Security
5. Information Quality Assurance / Data Quality
6. Data Protection
7. Records Management / Information Lifecycle Management
8. Freedom of Information and Environmental Information Regulations
9. Confidentiality Code of Conduct / Caldicott
10. Information Risk Management & Lessons Learned
11. Information Asset Lists & Database List
12. Improvement Plan and Assessment

Section C – Information Governance Procedures

A. INFORMATION SHARING PROCEDURE
B. RECORDS MANAGEMENT PROCEDURE
C. ACCESS PERSONAL DATA UNDER THE DATA PROTECTION ACT 1998 AND ACCESS TO HEALTH RECORDS ACT 1990
D. CONFIDENTIALITY CODE OF CONDUCT AND DATA PROTECTION PROCEDURE
E. DATA QUALITY PROCEDURE
F. LAPTOPS, OTHER PORTABLE DEVICES OFFSITE USERS PROCEDURE
G. MOBILE TELEPHONE PROCEDURE
H. PROCEDURE FOR REGISTERING AND AUTHORISING COMPUTERISED DATABASES FOR THE STORING AND PROCESSING OF PERSONAL DATA
I. PASSWORD MANAGEMENT PROCEDURE
J. INTERNET, EMAIL & SOCIAL NETWORKING POLICY


DEFINITIONS

Access Control: The prevention of unauthorised use of a resource, including the prevention of use of a resource in an unauthorised manner.

Accountability: The property that will enable the originator of any action to be identified (whether the originator is a human being or a system).

Anonymised information: Information from which no individual can be identified.

Caldicott: Maintaining the legal right to patient confidentiality.

Confidentiality: Data access is confined to those with specified authority to view the data.

Consent:

Explicit Consent means articulated agreement and relates to a clear and voluntary indication of preference of choice, usually given orally or in writing and freely given in circumstances where the available options and the consequences have been made clear.

Implied Consent: This means agreement that has been signalled by the behaviour of an individual with whom a discussion has been held about the issues and who therefore understands the implications of the disclosure of information.

Informed Consent: An informed consent can be said to have been given based upon a clear appreciation and understanding of the facts, implications, and future consequences of an action. In order to give informed consent, the individual concerned must have adequate reasoning faculties and be in possession of all relevant facts at the time consent is given.

Data controller: A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

Data processor: Any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

Information Asset Administrator (IAA): The IAO can assign day to day responsibility for each Information Asset to an IAA or other manager. This should be formalised in job descriptions.

Information Asset Owner (IAO): Guidance for standard 307 of the Information Governance Toolkit Version 11 defines an owner as a member of staff senior enough to make decisions concerning the asset at the highest level. The IAO should understand what information is held, what is added and removed, how information is moved, who has access and why. As a result they should be able to understand and address risks to the information and to ensure that information is fully used within the law for the public good. The IAO will also be responsible for providing regular reports to the Senior Information Risk Owner (SIRO), a minimum of annually on the assurance and usage of their assets.

Information Governance: The good practice guidelines necessary to ensure that organisations and individuals deal with information legally, securely, efficiently and effectively in order to deliver the best possible care.

Information Lifecycle Management: The main principles of Information Lifecycle Management are that it applies to information in paper and other physical forms e.g. electronic, microfilm, negatives, photographs, audio or video recordings and other assets, and that it relates to the 5 distinct phases in the life of information; creation, retention, maintenance, use and disposal.

Information Risk: Information Risk is inherent in all activities and an information risk assurance process is set out as a requirement of the Information Governance Toolkit.

Information risk management seeks to identify and control information risks in relation to business processes and functions and is led by the Senior Information Risk Owner (SIRO).

NHS Doncaster CCG

Password: Confidential authentication information composed of a string of characters.

Personal Confidential Data: Data consisting of information which relates to a living individual who can be identified from that information (or from that and other information in the possession of the Data User), including any expression of opinion about the individual but not any indication of the intentions of the Data User in respect of that individual.

Processing of data: Obtaining, recording or holding information or data or carrying out any operation or set of operations on the information or data, including

a) organisation, adaptation or alteration of the information or data,

b) retrieval, consultation or use of the information or data,

c) disclosure of the information or data by transmission, dissemination or otherwise making available, or

d) alignment, combination, blocking, erasure or destruction of the information or data.

Risk: The chance that something will happen that will have an impact on achievement of the organisation’s aims and objectives. It is measured in terms of likelihood (probability of the risk occurring) and consequence (impact or magnitude of the effect of the risk occurring).

Risk assessment: A process of identifying the hazards in a workplace so as to effectively eliminate or adequately control the risks.

Risk Management: A process that enables organisations to identify, analyse, control and monitor risks. By doing this we can protect our patients, visitors, contractors and employees.

Safe Haven: The term Safe Haven refers to a location (or in some cases a piece of equipment) situated on NHS Doncaster CCG premises where arrangements and procedures are in place to ensure person-identifiable information can be held, received and communicated securely.

Security breach: Any event that has, or could have resulted in, loss or damage to NHS assets, or an action that is in breach of NHS security procedures.

Senior Information Risk Owner: The SIRO understands how the strategic business goals of the organisation may be impacted by information risks. The SIRO acts as an advocate for information risk on the NHS Doncaster CCG Board and in internal discussions and will provide written advice to the Chief Officer on the content of their Annual Governance Statement in regard to information risk.

Sensitive Personal Data: Data relating to individuals which is classified as sensitive as defined by the Information Commissioner and for which a greater degree of confidentiality is owed. This includes records relating to health and social care, personal financial circumstances, sexuality, ethnicity etc.


SECTION A

1. Policy Statement, Aims & Objectives

1.1. NHS Doncaster Clinical Commissioning Group (CCG) fully supports the principles of information governance, recognising its public accountability, but equally placing importance on the confidentiality of, and the security arrangements to safeguard, personal information about patients, employees and commercially sensitive information and for implementing risk management and embedding risk management into the culture of the organisation.

1.2. This document sets out the NHS Doncaster CCG’s policy for Information Governance within the organisation. This policy includes the Information Governance Framework and all associated procedures.

1.3. The organisation recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. Equal importance is placed on the confidentiality of, and the security arrangements to safeguard, personal information about patients and employees, and commercially sensitive information. The organisation also recognises the need to safely share patient information with other health organisations and other partner care organisations, with the explicit consent of the patient or where there is a legal gateway to share. In certain circumstances information may be shared with other agencies in the public interest in line with agreed protocols.

1.4. Information Governance plays a key part in supporting clinical and corporate governance. The organisation recognises the importance of reliable information, both in terms of the clinical management of individual patients and the efficient management of services and resources. It also gives assurance to the organisations and to individuals that personal information is dealt with legally, securely, efficiently and effectively.

1.5. There are 4 principal areas which form the scope of Information Governance:

• Information Governance Management

• Confidentiality and Data Assurance

• Information Security Assurance

• Clinical Information Assurance

1.6. The aims of this policy are to:

• Provide employees with a framework through which all the elements of Information Governance will be met.

• Ensure a proactive use of information within the organisation both for patient care and service management as determined by law, statute and best practice.

• Ensure NHS Doncaster CCG complies with the requirements contained in the Information Governance Toolkit.

• Ensure Information Governance Training is completed by all employees and agency workers on an annual basis.

• Describe the management and accountability arrangements for Information Governance within NHS Doncaster CCG.

• Ensure a proactive use of information between the organisation and other NHS and partner organisations to support patient care as determined by law, statute and best practice.

• Ensure non-confidential information is made widely available in line with responsibilities under the Freedom of Information Act (2000) and Environmental Information Regulations (2004).

• Ensure there are effective arrangements to support confidentiality, security and the integrity of personal and other sensitive information.

• Ensure the organisation’s information is of the highest quality in terms of accuracy, timeliness and relevance.

1.7. To ensure continuous improvement in information governance the organisation has a range of key performance indicators (KPIs) which it uses for monitoring purposes:

No. 1

Key Performance Indicator: Minimum of Level 2 compliance with the Information Governance Toolkit.

Method of Assessment: Self-assessment completed as required by the Health & Social Care Information Centre and annual audit.

No. 2

Key Performance Indicator: Mandatory Information Governance training completed by all staff.

Method of Assessment: Reports through the Corporate Assurance quarterly report and Information Governance Training Tool.

No. 3

Key Performance Indicator: Production of quarterly Corporate Assurance reports.

Method of Assessment: Audit Committee & Governing Body minutes.


2. Legislation and Guidance

2.1. The following legislation and guidance has been taken into consideration in the development of this policy:

• The Data Protection Act (1998)

• The Freedom of Information Act (2000)

• Environmental Information Regulations (2004)

• Access to Health Records Act (1990)

• Human Rights Act (1998)

• European Directive 95/46C (Data Protection Directive)

• Crime and Disorder Act (1998)

• Criminal Procedures and Investigations Act (1996)

• Regulatory and Investigatory Powers Act (2000)

• ICO Framework Code of Practice for Sharing Personal Information (2007)

• NHS Act (2006) and as updated 2012

• Information Sharing Guidance for Practitioners and Managers (2008)

• Confidentiality NHS Code of Practice (2003)

• Health and Social Care Act (2012)

• Caldicott Guidance (2010)

• Information: To Share or Not to Share: Government Response to Caldicott Review (2013)

• Computer Misuse Act 1990

• Fraud Act 2006

• Information Governance Toolkit

• Ensuring Security & Confidentiality in NHS Organisations (E5498)

• Copyrights, Designs & Patents Act 1990

• HSC 2000/09 Protection & Use of Patient Information

• Department of Health: Records Management: Code of Practice June 2009

• Information Governance Assurance Programme Guidance 2008/09

• Public Records Acts 1958 and 1967

• Common Law Duty of Confidentiality

• Public Interest Disclosure Act 1998

3. Scope

3.1. This policy applies to those members of staff that are directly employed by NHS Doncaster CCG and for whom NHS Doncaster CCG has legal responsibility. For those staff covered by a letter of authority / honorary contract or work experience this policy is also applicable whilst undertaking duties on behalf of NHS Doncaster CCG or working on NHS Doncaster CCG premises and forms part of their arrangements with NHS Doncaster CCG. As part of good employment practice, agency workers are also required to abide by NHS Doncaster CCG policies and procedures, as appropriate, to ensure their health, safety and welfare whilst undertaking work for NHS Doncaster CCG.

4. Accountability and Responsibilities

4.1. Overall accountability for ensuring that there are systems and processes to effectively manage information governance lies with the Chief Officer. Responsibility is also delegated to the following individuals.

Chief of Corporate Services (or equivalent)

Has delegated responsibility for:

• Providing the necessary leadership, management, specialist, technical and legal advice to Information Governance across the organisation, ensuring Information Governance requirements, compliance and standards are met.

• Acting as the organisational Senior Information Risk Owner (SIRO), ensuring the identification and mitigation of corporate and operational risks relating to all aspects of Information Security Management.

• Acting as the nominated Data Protection Officer for the organisation and ensuring the continued registration of the organisation in line with the Data Protection Act 1998.

• Ensuring that the organisation meets the requirements of the Information Governance Standards under the Information Governance Toolkit (IGT) and associated assurance frameworks to ensure that a high level of compliance is reached and maintained by the organisation.

• Initiating and managing confidentiality and governance-related audits and working with Internal Audit to assess progress, developing action plans as required.

• Oversight of the impact of organisational changes on information assets. Ensuring a privacy impact assessment procedure is in place.

• Monitoring and taking action on all Information Governance related incidents, ensuring the development of action plans and external reporting where appropriate.

• Strategically leading the organisation’s approach to the creation, storage, sharing, management and disposal of both corporate and clinical records, ensuring compliance with relevant legislation and guidance.

Chief Nurse (or equivalent)

• Acting as the Caldicott Guardian for the organisation with responsibility for Clinical Information Assurance and Clinical Governance.

Governance Manager (or equivalent)

Has delegated responsibility for:

• Overseeing, coordinating and issuing information governance information, maintaining appropriate records regarding information governance, and monitoring developments in information governance.

• Ensuring maintenance of the information asset registers including portable IT equipment, information flows, Database of Databases and liaising with all teams to ensure this is regularly updated.

• Supporting the SIRO in Information Security Management.

• Providing information for patients in relation to how their information is held, used and shared and answering queries in relation to this.

• Operationally managing the organisation’s approach to the creation, storage, sharing, management and disposal of both corporate and clinical records, ensuring compliance with relevant legislation and guidance.

• Dealing with subject access requests.

• Overseeing Information Governance training compliance.

• Operationally managing the organisation’s response to the requirements of the Information Governance Standards under the Information Governance Toolkit (IGT).

• Contributing to governance-related audits and working with Internal Audit to assess progress, developing action plans as required.

• Administering Information Governance related incidents, ensuring the development of action plans and external reporting where appropriate.

Information Asset Owners

Information Asset Owners are responsible for providing regular reports to the Senior Information Risk Owner (SIRO), a minimum of annually on the assurance and usage of their assets.

The Information Asset Owners have delegated responsibility for:

• Maintaining professional standards according to best practice in liaison with staff working in the area.

• Ensuring local application of guidelines including retention and disposal schedules and advising on disposal.

• Determining the most effective ways of promoting the guidelines in their area e.g. training, induction, team meetings etc.

• Providing support and advice to staff in the area of Records Management with the assistance of the Caldicott Guardian and Corporate Services.

• Monitoring performance through quality control/periodic audits.

• Ensuring compliance with the standards, legislation, policies and procedures relating to the management of records.

• Identifying areas where improvements could be made.

• Ensuring that staff complete relevant training on records management, confidentiality and data protection.

• Reviewing/adopting tracking and registration systems for appropriate records in all areas.

• Ensuring appropriate records are archived.

• Ensuring that there is a mechanism for identifying records which must be kept for permanent preservation.

• Ensuring the confidentiality, integrity, and availability of all information that their system processes and protecting against any anticipated threats or hazards to the security or integrity of such information.

• Undertaking information risk assessments on all information assets where they have been assigned ‘ownership’, following guidance from the SIRO on assessment method, format, content, and frequency – which is provided through the annual Data Assets & Flows update exercise.

• Reporting security incidents and ensuring that the reports are fully documented, including type of incident, and that countermeasures are put in place.

• Reporting to the SIRO and ensuring countermeasures are discussed and implemented in conjunction with security incidents.

• Initiating the necessary disciplinary action through the HR Team if a member of staff is found to be disregarding procedures which could result in a security incident.

Information Asset Administrator

The IAO can assign day to day responsibility for each Information Asset to an IAA or other manager.


All Staff

Responsibilities of Staff (including all employees, whether full/part time, agency, bank or volunteers) are:

• Complying with this policy and procedures.

• Identifying any gaps in the policy to the responsible officers.

4.2. The Audit Committee of the Governing Body has been delegated responsibility for overseeing information governance management by the Governing Body. The Corporate Governance Management Group has been established by the Audit Committee to ensure that a sound system of corporate governance, risk management and internal control is in place which supports the achievement of the CCG’s objectives and provides the Audit Committee and ultimately the Governing Body with assurance both as an employer and as a statutory body. The Audit Committee will monitor compliance with Information Governance requirements through the quarterly Corporate Assurance Report containing assurance to enable the Committee to:

• Review the systems in place to develop and implement the Information Governance Policy and all other related procedures.

• Review information incident reporting procedures, monitoring and assuring systems to investigate all reported instances of actual or potential breaches of confidentiality and security.

• Review Information Governance requirements in line with changes on at least an annual basis in order to update contracts, policy and training accordingly.

• Review systems in line with national directives.

• Work with Internal Audit to facilitate effective audits against nationally and locally agreed criteria.

• Support the provision of high quality care by promoting the effective and appropriate use of information.

• Receive assurance of assessments undertaken using the Information Governance Toolkit, overseeing work plans to address gaps identified and ensuring they are monitored and performance managed.

• Assure the Governing Body that Information Governance policies and procedures remain up-to-date, reflect national guidance and are in operational use throughout the organisation.

• Monitor the CCG’s information handling activities to ensure compliance with the law and guidance e.g. reviewing results of audits.

• Provide a focal point for the resolution and/or discussion of Information Governance issues.

• Receive assurance that mandatory information governance training is completed annually by all staff and additional information governance training is completed which is necessary to support their role.

• Receive assurance that relevant information governance experience, evidence, research, information and data is readily available to all staff.

NHS Doncaster CCG’s Information Governance Framework is used in conjunction with the policy and will act as an overarching framework for the local delivery of Information Governance.

5. Dissemination, Training and Review

5.1. Dissemination

5.1.1. The effective implementation of this policy will support openness and transparency. NHS Doncaster CCG will:

• Ensure all staff and stakeholders have access to a copy of this policy via the organisation’s website and shared drive.

• Communicate to staff any relevant action to be taken.

• Ensure that relevant information governance training raises and sustains awareness of the importance of effective information governance management.

5.1.2. This policy is located on the Shared Drive. All procedural documents are available via the organisation’s website. Staff are notified by email of new or updated procedural documents.

5.2. Training

5.2.1. All staff are required to complete basic information governance training annually and will also be asked to complete other training commensurate with their duties and responsibilities. Staff requiring support should speak to their line manager in the first instance. Managers should contact the Corporate Services Team if there are specific training needs.

5.3. Review

5.3.1. The policy will be reviewed every three years, and in accordance with the following on an as and when required basis:

• Legislative changes

• Good practice guidelines

• Case Law

• Significant incidents reported

• New vulnerabilities identified

• Changes in practice

5.3.2. This policy will be performance monitored to ensure that it is in-date and relevant to the core business of the NHS Doncaster CCG. The results will be published in the regular Corporate Assurance Reports.


SECTION B – INFORMATION GOVERNANCE STRATEGY & MANAGEMENT FRAMEWORK

1. Introduction

1.1. This document sets out the approach to be taken within the organisation to provide a robust Information Governance framework for the management of information. It supports the Information Governance policy and procedures by addressing key areas for Information Governance development across the organisation and with our partners and cannot be seen in isolation as information plays a key part in governance, strategic risk, knowledge management, service planning, procurement and performance management. The Information Governance Policy, Framework and procedures will be made available to staff via the website and shared drive to improve staff awareness of the organisation’s approach to future Information Governance developments.

1.2. Key Related Procedures

A. INFORMATION SHARING PROCEDURE

B. RECORDS MANAGEMENT PROCEDURE

C. ACCESS PERSONAL DATA UNDER THE DATA PROTECTION ACT 1998 AND ACCESS TO HEALTH RECORDS ACT 1990

D. CONFIDENTIALITY CODE OF CONDUCT AND DATA PROTECTION PROCEDURE

E. DATA QUALITY PROCEDURE

F. LAPTOPS, OTHER PORTABLE DEVICES OFFSITE USERS PROCEDURE

G. MOBILE TELEPHONE PROCEDURE

H. PROCEDURE FOR REGISTERING AND AUTHORISING COMPUTERISED DATABASES FOR THE STORING AND PROCESSING OF PERSONAL DATA

I. PASSWORD MANAGEMENT PROCEDURE

J. INTERNET, EMAIL & SOCIAL NETWORKING POLICY

K. PRIVACY IMPACT ASSESSMENT PROCEDURE

1.3. The Audit Committee oversees the Information Governance agenda, with operational delegation to the Corporate Governance Management Group.

1.4. The following organisational resources are available to the agenda:

• Chief of Corporate Services

• Governance Manager

• Information Asset Owners

2. Strategic Aims

Aim 1 - Training & Staff Awareness

Detail:

Fundamental to the success of delivering the Information Governance Framework is developing an Information Governance culture within the organisation. Awareness and Information Governance training is mandatory for all NHS Doncaster CCG staff through an e-learning programme. A training needs analysis will identify staff roles where additional Information Governance training is indicated and this will be made available through a variety of sources including e-learning and specialist sessions as required.

All staff should have access to up-to-date legislation and guidance relating to their roles. This is facilitated by providing access to the internet, as well as suitable training.

All staff are required to read and sign the Confidentiality Code of Conduct on appointment, which describes the organisation’s expectations regarding staff compliance with statutory requirements such as the Data Protection Act 1998 and the Human Rights Act 1998. This requirement extends to all agency and temporary staff and, where appropriate, to contractors working on site.

Adequate training must be available to all staff to support the development and implementation of new technologies and working practices.

An information governance staff survey will be sent out annually to all staff to check their awareness of a range of Information Governance areas. A summary will then be submitted as part of the Corporate Assurance Report. Where it is deemed appropriate to raise staff awareness further or to advise of recent changes, additional information is included in Team Meetings or via group e-mails to all staff.

Outcome:

All staff are aware of Information Governance legal and national requirements thus reducing the risk of a breach which could result in distress to patients or colleagues or an incident, complaint, claim or adverse publicity for NHS Doncaster CCG.

Aim 2 – Staff and Patients are informed of how their information is used

Detail:

The Organisation must ensure that staff and patients are made aware of how their information is used and of the importance of checking accuracy of data.

In order to make sure that all are aware of their rights regarding data, there is a leaflet and Fair Processing Notice published on the CCG website. All staff should be aware of these documents and offer them if queried about these issues.

Staff should be encouraged to check data accuracy to reduce the likelihood of mistakes being made e.g. incorrect identification of similarly named people.

Outcome:

Staff and patients will be informed about the uses of information held about them. Effective and timely communication should enable the organisation to move forward with technological advances.

Aim 3 – Information Governance Toolkit

Continual progress against the Information Governance Toolkit with a minimum score level 2 against all standards

Detail:

Continual progress and improvement against the Information Governance Toolkit is a key target for the organisation. In this way, Information Governance processes will be built into the culture and based on best practice. A score of level 2 or above for the Information Governance Toolkit is also required for performance management purposes.

The organisation will reassess compliance on an ongoing basis to reflect changes in the toolkit requirements, to re-evaluate the robustness of evidence and to comply with NHS requirements for continuous rather than annual assessments.

Outcome:

The organisation will ensure a proactive Information Governance culture and meet required performance targets.

Aim 4 - Risk Management

Incidents and potential incidents involving information, data and personal or sensitive records are reported, analysed and lessons learned (see Risk Management Policy and Procedures)

Detail:

Any unforeseen occurrences involving staff or patient personal information or breaches of confidential business information (in whatever format) should be reported via the incident reporting system. Information Governance incidents may include Information Management Technology and Security, unauthorised access, Caldicott/Data Protection/Freedom of Information or all aspects of records management from creation to disposal. Staff should be encouraged to report these types of incidents promptly and should receive feedback to enable them to improve practice.

Information Governance Incidents are reviewed as part of the overall risk management process and included where appropriate in the risk register.

The Senior Information Risk Owner (SIRO) is responsible for ensuring the safe management of all information related risks.

The organisation has developed arrangements to report and manage serious incidents in line with the Information Governance Assurance Programme Guidance including reporting to NHS England and Information Commissioner as required. This also includes a requirement to incorporate such issues in the Annual Governance Statement.

Outcome:

Improved incident reporting and hence, better understanding of real and potential risks requiring action.


Aim 5 - Data Quality

The organisation will ensure that the data it uses is as accurate and up-to-date as possible. The organisation has data validation procedures to ensure agreed timescales for correction of errors and omissions.

Corrections should be made within a maximum of two months. The procedure should also include a requirement to keep staff informed of these issues.

The organisation needs to support data quality across our providers to ensure the provision of accurate data to support management and procurement of patient services.

The organisation must ensure robust data quality checks are built in to the introduction and ongoing development of technological solutions to improve and manage records.

Outcome: Clear procedures around validation checks carried out and improved accuracy of information.

Aim 6 – NHS Number (Records Management / Information Lifecycle Strategic Aims)

The organisation will work towards the use of the NHS number in all patient records and documentation related to the direct care of the patient, or where there is consent or a legal gateway.

Outcome: NHS Number compliance


Aim 7 - Rationalising Records (Records Management / Information Lifecycle Strategic Aims)

All staff will work towards rationalising record collections through sharing records and the information they contain (subject to the requirements of the Caldicott Principles, the Data Protection Act 1998, Environmental Information Regulations 2004 and Freedom of Information Act 2000) by merging or ensuring effective cross-referencing.

The organisation will carry out regular Data Audits which look at the records ‘owned’ by the organisation and how they are stored and transferred. Following each audit, it is possible to identify records (manual and electronic) held by members of staff within NHS Doncaster CCG. At this point, the Lead in Records Management will be able to determine if any of these records could be subject to record sharing. If it is decided that different systems with common sets of data need to continue, documented procedures should be developed to ensure that any differences between the records are reconciled. Consideration will also be given to whether records could be merged or cross-referenced. The Information Asset Owners will ensure that all records held by their teams are included and assessed as part of the ongoing audits.

All teams across the organisation are responsible for ensuring that they have a manageable and accessible filing system which reduces duplication and avoids retention of files beyond the recommended limits or operational need.

Outcome: Record collections assessed for rationalisation potential which will in turn reduce duplication and possible errors and effective progress towards integrated records.


Aim 8 - Records Storage & Maintenance (Records Management / Information Lifecycle Strategic Aims)

All manual and electronic records in NHS Doncaster CCG will be appropriately stored and maintained in accordance with guidance and legislation (see Records Management Procedure).

Manual Records: Storage facilities for current paper records are very restricted requiring ongoing review processes to support disposal or long term retention off site. Records should only be kept long term where there is a specific requirement to do so. Any records containing personal data may only be retained in line with the Data Protection Act 1998 and cannot be legally kept for any longer periods without express consent of the identifiable individuals.

Non-Paper Records: There should be ongoing review of electronically held data to include retention periods and general housekeeping. General housekeeping issues include deleting duplicates and unnecessary information (whilst following the correct retention periods) from the server or any stand-alone systems. It should also be ensured that all confidential information is stored in the correct sections of the server.

The review of records forms part of the Information Governance Toolkit Assessment Process and there will be checks across the organisation.

Outcome: Streamlined approach to paper record retention according to guidelines. Streamlined recording of electronic data according to guidelines and a reduced risk of information data breaches and ensuring compliance with retention guidelines.


Aim 9 - Records Disposal (Records Management / Information Lifecycle Strategic Aims)

Records will be reviewed under the retention periods stated and those no longer required by the services of the organisation will be considered for disposal e.g. permanent preservation, long term archiving, transfer, destruction or any other use as agreed by the relevant Line Manager / Caldicott Guardian. There are occasions when records may need to be passed onto other NHS organisations thus disposing of the record. Detailed audits of such movement of records must be maintained. The principles of Caldicott, Data Protection and the IG Assurance programme must be adhered to.

A record or brief description must be kept about any record that has been destroyed if it is deemed to be a document that was relevant to the business of the organisation. Further guidance should be sought from Corporate Services if required.

Methods of disposal of records must meet confidentiality and security guidelines. For records disposed of by a contractor, the contractor will be required to sign confidentiality agreements and produce written certification as proof of destruction. Action that will be taken in the event of confidence being breached (e.g. termination of contract) will be specified. This will be managed as part of the organisation’s waste management policies and procedures giving due account to WEEE regulations for electronic equipment and best practice guidance on disposing of computer hardware.

Outcome: Streamlined, standardised record storage system according to guidelines and tighter confidentiality controls with contractors.


Aim 10 – Documentation (Records Management / Information Lifecycle Strategic Aims)

Standards will be applied to the production of documentation (manual and electronic) to ensure good record keeping principles are adhered to.

The organisation has professional record keeping standards, staff training and a plan of audits to ensure high standards are maintained.

Corporate standards have been reviewed across the organisation to ensure consistency and a policy and procedure has been developed to inform staff of the model formats for policies, strategies and procedures (Policy on Procedural Documents). Other guidance will be available from the Corporate Services Team. Templates will be available on the shared drive.

Outcome: Improved quality control and consistency of records. Improved corporate image and clarity for staff concerning publications/documentation. Increased understanding of documentation by the general public.

3. Openness & Information Sharing

3.1. NHS Doncaster CCG will ensure that the principles of Caldicott and the regulations outlined in the Data Protection Act 1998 and the organisation’s Data Protection Procedure underpin the management of confidential information at all times.

3.2. The organisation recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. NHS Doncaster CCG needs to share patient information with other health organisations and other agencies in a controlled manner consistent with the interests of the patient and, in some circumstances, the public interest. Detailed guidance can be found in the organisation’s Information Sharing Procedure.

3.3. Non-confidential information about NHS Doncaster CCG and its services will be made available to the public through a variety of means, in compliance with the Freedom of Information Act 2000 and Environmental Information Regulations 2004. The organisation’s Publication Scheme will continue to meet the requirements of the Information Commissioner’s Office Model Scheme for health bodies.

3.4. Patients will have access to information relating to their own health care, options for treatment and their rights as patients. There are clear procedures and arrangements for handling requests for personal information or medical records from patients and the public detailed in the organisation’s Access to Records Procedure and Records Management Procedure.

3.5. NHS Doncaster CCG has an obligation as a Data Controller to notify the Information Commissioner of the purposes for which it processes personal data. Notification monitoring within the organisation is carried out by the Chief of Corporate Services. Before the annual review of NHS Doncaster CCG’s Notification, the Chief of Corporate Services will review the types of processing being carried out within the organisation (e.g. from the Data Flow Audit and Database of Databases) to ensure that the processing complies with the seventh principle of the Data Protection Act. Individual data subjects can obtain full details of the organisation’s data protection registration / notification with the Information Commissioner from the Information Commissioner's website (www.ico.gov.uk).

3.6. We will publish a Fair Processing Notice on our website.

4. Information Security

4.1. Information security risk is inherent in all administrative and business activities and everyone working for or on behalf of NHS Doncaster CCG continuously manages information security risk. The aim of information security risk management is not to eliminate risk, but rather to provide the structural means to identify, prioritise and manage the risks involved in all our organisational activities. It requires a balance between the cost of managing and treating information security risks with the anticipated benefits that will be derived.

4.2. The principles of information security require that all reasonable care is taken to prevent inappropriate access, modification or manipulation of data from taking place. In the case of the NHS, the most sensitive of our data is patient record information. In practice, this is applied through three cornerstones - confidentiality, integrity and availability:

• Information must be secured against unauthorised access - confidentiality

• Information must be safeguarded against unauthorised modification - integrity

• Information must be accessible to authorised users at times when they require it - availability

4.3. Further information can be found in the organisation’s Information Security Management Statement and Assurance Plan.

4.4. The organisation will undertake audits or commission assessments of its information and IT security arrangements. Risk assessments will be undertaken to determine that appropriate, effective and affordable information security controls are in place in NHS Doncaster CCG locations.

4.5. NHS Doncaster CCG will promote effective confidentiality and security practices to its employees through policies, procedures and training.

4.6. The organisation will establish and maintain incident reporting procedures and will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security.

4.7. Breaches of Information Security will be investigated in line with guidance and reported as appropriate via the Chief of Corporate Services.

4.8. Information Asset Owners will liaise with the SIRO on all issues relating to information security risks within their area of responsibility.

4.9. An agreement describes the responsibilities of contractors and their subcontractors under the NHS Confidentiality Code of Practice 2003 and the Data Protection Act 1998 when undertaking work for or with NHS Doncaster Clinical Commissioning Group. It should be signed by all contractors prior to entering the CCG’s site. This is the responsibility of leads managing those contractors, whether they are management associates or facilities contractors.

4.10. A procedure is in place for secure IT asset disposal.

4.11. Staff are reminded that the intentional disclosure of information to a third party where a gain is made for themselves or another, or results in the risk of, or actual loss to NHS Doncaster CCG is a potential criminal offence under Section 4 of the Fraud Act 2006. Suspicion of any such breaches should be reported without delay in accordance with NHS Doncaster CCG’s Fraud Policy and Response Plan, or a confidential report can be made to the NHS Fraud & Corruption Reporting Line, by calling 0800 028 40 60.

5. Information Quality Assurance / Data Quality

5.1. NHS Doncaster CCG will establish and maintain procedures for information quality assurance and the effective management of records. Refer to the organisation’s Data Quality Procedure and Records Management Procedure for more details.

5.2. Audits will be undertaken or commissioned of the organisation’s quality of data and records management arrangements.

5.3. Wherever possible, information quality will be assured at the point of collection. Integrity of information will be developed, monitored and maintained to ensure that it is appropriate for the purposes intended. Managers are expected to take ownership of, and seek to improve, the quality of information within their services.


6. Data Protection

6.1. NHS Doncaster CCG holds and processes information about its employees, patients and other individuals for various purposes (for example, the effective provision of healthcare services or to operate the payroll and to enable correspondence and communications). To comply with the Data Protection Act 1998, information must be collected and used fairly, stored safely and not disclosed to any unauthorised person. The Data Protection Act 1998 applies to both manual and electronically held data for living persons.

6.2. The lawful and correct treatment of personal information is vital to successful operations, and to maintaining confidence within the organisation and the individuals with whom it deals. NHS Doncaster CCG will comply with the 8 principles of Data Protection:

1. Personal data shall be processed fairly and lawfully by observing fully conditions regarding the fair and lawful collection and use of information.

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

4. Personal data shall be accurate and, where necessary, kept up to date through our data quality procedures.

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes by applying strict checks to determine the length of time information is held.

6. Personal data shall be processed in accordance with the rights of data subjects under this Act, ensuring that the rights of people about whom information is held can be fully exercised under the Act. (These include: the right to be informed that processing is being undertaken; the right of access to one's personal information; the right to prevent processing in certain circumstances; the right to correct information which is regarded as incorrect.)

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

6.3. Further details can be found in the Confidentiality Code of Conduct & Data Protection Procedure.

7. Records Management / Information Lifecycle Management

7.1. NHS Doncaster CCG recognises the need to ensure a structured and integrated approach to Records Management throughout the organisation which supports the overall Information Governance arrangements within the organisation.

7.2. NHS Doncaster CCG is committed to a systematic and planned approach to the Management of Records, from their creation to their ultimate disposal in accordance with relevant legislation. This will ensure that NHS Doncaster CCG can control both the quality and quantity of the information that it generates, it can maintain that information in an effective manner, and it can dispose of the information efficiently when it is no longer required. Detailed Records Management guidance can be found in the organisation’s Records Management Procedure / Information Lifecycle Procedure.

8. Freedom of Information and Environmental Information Regulations

8.1. The Freedom of Information Act 2000 is part of the Government’s commitment to greater openness in the public sector.

8.2. The main features of the Freedom of Information Act are:

• A general right of access from 1st January 2005 to recorded information held by public authorities, subject to certain conditions and exemptions;

• In cases where information is exempt from disclosure, except where an absolute exemption applies, a duty on public authorities to:

(i) Inform the applicant whether they hold the information requested, and

(ii) Communicate the information to him or her, unless the public interest in maintaining the exemption in question outweighs the public interest in disclosure;

• A duty on every public authority to adopt and maintain a Publication Scheme, specifically applicable to the NHS from 31st October 2003;

• The office of the Information Commissioner with wide powers to enforce the rights created by the Freedom of Information Act and to promote good practice;

• A duty on the Lord Chancellor to disseminate Codes of Practice for guidance on specific issues.

8.3. The Environmental Information Regulations 2004 give rights of public access to environmental information held by public authorities. These regulations have been introduced in line with European Directive 2003/4/EC and the Aarhus Convention on Access to Information, Public Participation in Decision Making and Access to Justice in Environmental Matters 1998.

8.4. The Environmental Information Regulations 2004 permit exceptions rather than exemptions and the emphasis is in favour of disclosure. It is important for the organisation to make the distinction between Freedom of Information and Environmental Information Regulations and to respond accordingly.

8.5. NHS Doncaster CCG believes that public authorities should be allowed to discharge their functions effectively. This means that the organisation will use the exemptions contained in the Freedom of Information Act 2000 where an absolute exemption applies or where a qualified exemption or exception can reasonably be applied in terms of the public interest of disclosure. Detailed information can be found in the organisation’s Freedom of Information and Environmental Information Regulations Policy.

9. Confidentiality Code of Conduct / Caldicott

9.1. The principle behind the organisation’s Confidentiality Code of Conduct is that no employee shall breach their legal duty of confidentiality, allow others to do so, or attempt to breach any of NHS Doncaster CCG’s security systems or controls in order to do so. The organisation’s Confidentiality Code of Conduct can be found appended to this policy. Each new employee is required as part of their contract of employment to sign the Confidentiality Code of Conduct / their contract which is then retained in their personal file.

9.2. The Caldicott Guardian oversees the Caldicott function and is primarily concerned with upholding and supporting patient confidentiality. This function is based within the broader remit of the Information Governance Assurance Framework as outlined by the Department of Health’s guidelines. Under the Data Protection Act 1998 and other relevant legislation, the role of the Caldicott Guardian is vital in the assurance and safety of patient identifiable information. A national Register of Caldicott Guardians is held and the NHS Doncaster Clinical Commissioning Group (CCG) Caldicott Guardian is registered.

9.3. NHS Doncaster CCG has appointed a Caldicott Guardian who has responsibility to ensure the protection of patient confidentiality throughout the organisation in accordance with legal rights. NHS Doncaster CCG’s Caldicott Guardian is the Chief Nurse. The Caldicott Guardian is supported by the Chief of Corporate Services as Senior Information Risk Owner. An annual Caldicott Plan is developed and it is approved by the Quality & Safety Committee.

9.4. In any case where confidential information has been requested for non-medical purposes, the Caldicott Guardian will assess whether the information request is supported by the following six Caldicott principles:

Principle 1 – Justify the purpose(s) for using confidential information.

Every proposed use or transfer of patient identifiable information within or from an organisation should be clearly defined and scrutinised, with continuing uses regularly reviewed, by an appropriate guardian.

Principle 2 – Only use it when absolutely necessary.

Personal confidential data should not be included unless it is essential for the specified purpose(s) of that flow.

Principle 3 – Use the minimum that is required.

Where use of personal confidential data is considered to be essential, the inclusion of each individual item of information should be considered and justified so that the minimum amount of identifiable information is transferred or accessible as is necessary for a given function to be carried out.

Principle 4 – Access should be on a strict need-to-know basis.

Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the information items that they need to see. This may mean introducing access controls or splitting information flows where one information flow is used for several purposes.

Principle 5 – Everyone must understand his or her responsibilities.

Action should be taken to ensure that those handling personal confidential data are made fully aware of their responsibilities and obligations to respect patient confidentiality.

Principle 6 – Understand and comply with the law.

Every use of personal confidential data must be lawful.

Principle 7 – The duty to share information can be as important as the duty to protect patient confidentiality.

Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their

10. Information Risk Management & Lessons Learned

10.1. Information Risk is inherent in NHS Doncaster CCG activities and an information risk assurance process is set out as a requirement of the Information Governance Toolkit. Information risk management is the ongoing process of identifying information risks and implementing plans to address them. The responsibilities, definitions, processes and templates as contained in the Risk Management Policy & Procedure also apply to information risk management.

10.2. NHS Doncaster CCG maintains an Assurance Framework which covers strategic risks, and a Risk Register which covers operational risks. All risks are reviewed regularly by the risk lead in line with the organisation’s Risk Management strategy, policy and procedure. As part of this risk management programme of activity, NHS Doncaster CCG’s Information Governance risks are routinely reviewed.

10.3. The Senior Information Risk Owner (SIRO) acts as an advocate for information risk on the Governing Body. The SIRO is the Chief of Corporate Services. Information Asset Owners (IAOs) liaise with the SIRO in relation to any risks associated with the assets for which they are accountable.

10.4. The following objective within our Risk Management Strategy underpins our strategic aim for risk management and the second column details our methods for delivery against the stated objective.

Objective: To ensure information risk management is integrated into the organisation’s Information Governance Framework to assist in safeguarding the organisation’s information assets, people, finance, property & reputation.

Delivery: We will deliver this through:

• Collation and review of risk assessments

• Information Security threats to be followed up by and managed by appropriate action plans.

• Regular reporting and review of information risks by the SIRO

10.5. Information Risk Management aims to:

• Protect NHS Doncaster CCG from those information risks of significant negative likelihood and consequence in the pursuit of NHS Doncaster CCG's stated strategic goals and objectives.

• Meet legal, statutory, and NHS Policy requirements.

• Assist in safeguarding NHS Doncaster CCG's information assets - people, finance, property and reputation.

10.6. Information risk assessments will be performed on a regular basis for all information systems and critical information assets. Information Risk assessments will also occur at the following times:

• At the inception of new systems, applications and facilities that may impact the assurance of NHS Doncaster CCG Information or Information Systems.

• Before enhancements, upgrades, and conversions associated with critical systems or applications.

• When NHS policy or legislation requires risk determination.

• When the NHS Doncaster CCG Management team requires it.

10.7. An Information Governance Incident is an event which may result in:

• Degraded system integrity e.g. causing a virus to enter the system.

• Loss of system availability e.g. email not working.

• Disclosure of confidential information e.g. password sharing (accidentally or on purpose).

• Disruption of activity e.g. inappropriately deleting files from S-drive.

• Loss e.g. theft of laptop.

• Legal action e.g. inappropriate disclosure of patient information.

• Unauthorised access to applications e.g. unauthorised access to payroll system.

10.8. All Information Governance incidents will be formally logged, categorised by severity and analysed in accordance with the organisation's Incident Management Policy.

10.9. One or more of the following individuals should also be advised according to the severity and type of incident as appropriate:

• Caldicott Guardian if the incident involves patient identifiable information.

• Chief of Corporate Services for information governance incidents.

• Human Resources Manager for incidents relating to Smart Cards.

10.10. Major breaches of confidentiality, including theft or loss of medical records and electronic equipment containing patient/personal data should be reported to the Chief of Corporate Services or their Deputy as soon as possible and within a maximum of 24 hours in line with Serious Incident (SI) reporting requirements.

10.11. All serious Information Governance incidents and results of incident investigations / root cause analyses will be discussed by the Audit Committee at the earliest subsequent meeting and the SIRO will keep the Governing Body informed as appropriate. Relevant reporting will be made externally in line with Information Governance requirements.

10.12. Learning from risks, incidents and other such events is key to developing a culture in the organisation that welcomes knowledge of such events as an opportunity to improve patient care, the services offered within NHS Doncaster CCG, and the working environment and safety of employees.


11. Information Asset Lists & Database List

11.1. IT assets worth over £5,000 are included within the Asset List which is maintained by the Finance Team.

11.2. Information Asset Lists have been compiled for all teams and the maintenance of these is the responsibility of the Chief of Corporate Services who is the SIRO.

11.3. The Chief of Corporate Services maintains a list of databases held by the organisation which contain patient or employee information and have been approved by the Caldicott Guardian. It is the responsibility of all staff to ensure that authorisation is obtained to create and hold databases and spreadsheets which contain person identifiable information. This information can only be stored where there is consent or a legal gateway or if it is held for the purposes of direct patient care.

12. Improvement Plan and Assessment

12.1. Assessments of compliance with each requirement within the Information Governance Toolkit (IGT) will be undertaken throughout each year. Annual reports and proposed action / development plans will be presented to the Audit Committee for approval prior to submission annually in March. The requirements are grouped into the following initiatives:

• Information Governance Management

• Confidentiality and Data Assurance

• Information Security Assurance

• Clinical Information Assurance


SECTION - C

INFORMATION GOVERNANCE PROCEDURES

A. INFORMATION SHARING PROCEDURE

B. RECORDS MANAGEMENT PROCEDURE

C. ACCESS PERSONAL DATA UNDER THE DATA PROTECTION ACT 1998 AND ACCESS TO HEALTH RECORDS ACT 1990

D. CONFIDENTIALITY CODE OF CONDUCT AND DATA PROTECTION PROCEDURE

E. DATA QUALITY PROCEDURE

F. LAPTOPS, OTHER PORTABLE DEVICES OFFSITE USERS PROCEDURE

G. MOBILE TELEPHONE PROCEDURE

H. PROCEDURE FOR REGISTERING AND AUTHORISING COMPUTERISED DATABASES FOR THE STORING AND PROCESSING OF PERSONAL DATA

I. PASSWORD MANAGEMENT PROCEDURE

J. INTERNET, EMAIL & SOCIAL NETWORKING PROCEDURE


A - INFORMATION SHARING PROCEDURE

1. Introduction

1.1. An information sharing procedure is crucial to the provision of comprehensive and continually improving health and social care through partnership working and embracing new technologies. It is also a major factor in joint working to protect the most vulnerable and in providing accessible services across the whole population.

1.2. It is equally important that our patients, clients and their families are confident that NHS Doncaster CCG and its partners will still keep their personal information safe and secure and that it will only be shared in agreed and appropriate circumstances.

1.3. The purpose of this document is to provide guidance to staff on the development of information sharing agreements to reflect the needs of their service, a proposed development, partnership group or in line with a statutory requirement.

1.4. In certain circumstances there may be a legal or statutory requirement to share data or information but this should still be considered in line with the Data Protection Act and Caldicott principles and it should be proportionate and appropriate.

• No Secrets: Guidance on developing and implementing multi-agency policies and procedures to protect vulnerable adults from abuse.

• Data Protection and Sharing – Guidance for Emergency Planners and Responders (HMG 2007).

• Data Sharing Review Report (Thomas and Walport 2008).

• Health and Social Care Act (2012).

• Caldicott Report (1997)

• Caldicott Review (2013).

• Common Law Duty of Confidentiality.

2. Data Protection Act 1998

2.1. The Data Protection Act 1998 and the common law duty of

confidentiality should underpin the development of any information sharing decision. As data controllers, NHS Doncaster CCG and its partners have a duty to comply with the 8 Data Protection Principles: 1. Personal data shall be processed fairly and lawfully.

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any matter incompatible with that purpose or those purposes.


4. Personal data shall be accurate, and where necessary, kept up to date.

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or purposes.

6. Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act.

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

2.2. In addition, health and social care data is subject to the Caldicott principles and the professional codes of practice. The Data Protection Act should not be seen as a barrier to information sharing but as a framework to support good information sharing in practice.

3. Key prior considerations for information sharing

3.1. There must always be a clear and justifiable purpose for sharing the information:

• Supporting the delivery of care

• Improving quality standards

• Effective partnership working

• Monitoring public health

• Audit and research

• Managing incidents, risks and complaints

• Contracting and service planning

• Education and training

• Protecting the vulnerable

• Investigating serious crime and fraud

3.2. Information is provided in confidence when it appears reasonable to assume that the provider of the information believed that this would be the case, or where a person receiving the information knows, or ought to know, that the information is being given in confidence. It is generally accepted that most (if not all) information provided by service users is confidential in nature.

3.3. Consent should be obtained wherever it is possible or appropriate:

• Always ask for informed consent where possible and appropriate.

• Be open about what information will be used for and who our partners are.
