Information Governance
Staff Handbook
Information Governance Staff Handbook for
Name: ___________________________________________________________
Address: _________________________________________________________
_________________________________________________________________
Contact Tel No: ____________________________________________________
Mobile No: ________________________________________________________
This handbook has been produced by the NHS Lancashire Cluster Information Governance team for staff information.
Contents
Subject Page No
Introduction 4
Information Governance 4
Improvement Plan and Assessment 5
Data Flow Mapping 5
SIRO 5
Caldicott Guardian 5
Caldicott Principles 5
Why Do You Need to Know about Information Governance 6
Confidentiality 7
An Overview of the Code of Practice 7
Disclosing and Using Confidential Patient Information 8
Patient Consent to Disclosing 8
Obligations on individuals working in the NHS 8
Providing a Confidential Service 9
Confidentiality Model 9
Protect Patient Information 9
NHS Care Record 11
Information Quality Assurance 11
Information Security Management 11
Records Management 12
Security of Information 14
Smartcards 14
Information Sharing with Other Agencies 16
Information Sharing Protocols 16
Compliance with legal Acts 17
Freedom of Information 18
Publication Scheme 18
FOI Exemptions 18
Environmental Information Regulations (EIRs) 19
The Information Commissioner 19
Data Protection 20
Definition of Personal and Sensitive Information 20
Data Protection Act Exemptions 21
Data Subject Access Request 21
Disciplinary 22
Contracts of Employment 22
Training and Awareness 22
Transmission of Personal Information via Fax 23
Transmission of Personal Information via email 23
Disclosure of Information by telephone 24
Communications by Post 25
Communications by Text Message 25
Bulk transfer of Data 25
Removable Media 25
USBs 26
Laptop Computers 26
Cameras and Video Cameras 26
Working Papers and Message Books 27
Good Practice Laptop and USB Security Requirements for Staff 28
Clinical Commissioning Group Policies 29
Introduction
This handbook has been produced to provide Clinical Commissioning Group (CCG) staff with all the necessary information required to abide by information governance legislation and national and local guidance. All CCG Information Governance policies and procedures and information leaflets can be obtained from your local Information Governance team, based in the NHS Lancashire Commissioning Support Unit.
Information Governance
Information Governance is a framework of standards for handling information in a confidential, secure and efficient manner, in order to deliver the best possible care. It brings together all of the requirements, standards and best practice that apply to the handling of personal information.
Information is a vital asset, both in terms of the clinical management of individual patients and the efficient management of services and resources. It plays a key part in clinical governance, service planning and performance management. Better care for patients and improved healthcare for everyone depends on the availability of good information, accessible when and where it is needed. The CCG’s commitment to maintaining a high standard of information governance is outlined in the Information Governance Policy. The policy states that the organisation will establish and implement policies and procedures to ensure that information is effectively managed on the basis of HORUS categorisation:
Held safely and confidentially
Obtained fairly and effectively
Recorded accurately and reliably
Used effectively and ethically
Shared appropriately and lawfully
NHS Lancashire North recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. The organisation fully supports the principles of corporate governance and recognises its public accountability, but equally places importance on the confidentiality of, and the security arrangements to safeguard, both personal information about patients and staff and commercially sensitive information.
NHS Lancashire North also recognises the need to share patient information with other health organisations and other agencies in a controlled manner consistent with the interests of the patient and, in some circumstances, the public interest.
NHS Lancashire North believes that accurate, timely and relevant information is essential to deliver the highest quality health care. As such it is the responsibility of all clinicians and managers to ensure and promote the quality of information and to actively use information in decision-making processes.
The Information Governance Policy defines the NHS Lancashire North approach to:
Openness
Legal compliance
Information security
Quality assurance
The legal and operational framework for information governance encompasses:
The Data Protection Act 1998
Freedom of Information Act 2000
NHS Code of Practice: Confidentiality
NHS Code of Practice – Records Management
Information Quality Assurance
Caldicott Guidelines
Improvement Plan and Assessment
Information governance is the framework that integrates the various standards of practice relating to the safe and effective processing of information. It currently encompasses requirements from the Information Governance toolkit in relation to the following work areas:
Information Governance Management
Corporate Information Assurance (including Freedom of Information)
Clinical Information Assurance (including Information Quality Assurance and Records Management)
Confidentiality and Data Protection Act Assurance
Secondary Uses Assurance (including PBR governance issues)
Information Security Assurance
An assessment of compliance with the requirements in the Information Governance Toolkit (IGT) is now to be undertaken annually by NHS Lancashire North.
Data Flow Information Mapping
As part of the Information Governance Toolkit assessment, the NHS Lancashire CSU IG Team undertakes a data flow information mapping exercise on behalf of CCGs within Lancashire &amp; Cumbria, looking in particular at inbound and outbound flows of personal and sensitive personal information.
Senior Information Risk Owner (SIRO)
Kevin Parkinson, the Chief Financial Officer, is the Senior Information Risk Owner (SIRO). The SIRO is a CCG governing body member who takes overall ownership of the organisation’s Information Risk Policy, acts as champion for information risk on the Board and provides written advice on the content of the organisation’s Statement of Internal Control in regard to information risk. The SIRO provides the focus for the assessment and management of information risk at Board level, providing briefings and reports on matters of performance, assurance and cultural impact.
Each CCG must have a locality appointed SIRO to deal with day to day issues within individual organisations. The SIRO must produce an annual report which outlines all information incidents that occurred in the previous year.
The Head of Information Governance, based in the NHS Lancashire CSU, is the deputy SIRO and supports the SIRO.
Caldicott Guardian
Caldicott Guardians were introduced in 1999 following a report commissioned for the Government by Dame Fiona Caldicott to review patient identifiable information in the NHS. The report outlined the weaknesses in the way the NHS handled confidential data and made a number of recommendations including the appointment of Caldicott Guardians.
Each CCG must have a locality appointed Caldicott Guardian to deal with day to day issues within individual organisations. Dr David Knapper, the Chief Clinical Officer, is the Caldicott Guardian for NHS Lancashire North CCG. It is their duty to ensure that patient data is kept secure and that all data flows, internal and external, are periodically checked against the Caldicott principles.
The Caldicott Principles:
Justify the purpose(s) - Every proposed use or transfer of patient-identifiable information within or from an organisation should be clearly defined and scrutinised
Don’t use patient-identifiable information unless it is absolutely necessary
Use the minimum necessary patient-identifiable information
Access to patient-identifiable information should be on a strict need to know basis
Everyone should be aware of their responsibilities
Understand and comply with the law
The Caldicott Guardian makes decisions for the organisation on how, what, when and why patient identifiable information will be used by the organisation and how it will be received / sent by the organisation.
Why Do YOU Need To Know About Information Governance?
Everyone who works in health or social care must be aware of the following:
How important the information we hold is
What legislation, guidelines and best practice there is for looking after such important information
Why you must take responsibility for how you obtain, record, use, keep and share information
All staff, whether permanent, temporary or contracted are responsible for ensuring that they are aware of the requirements incumbent upon them and for ensuring that they comply with these on a day to day basis. Managers are also responsible for promoting information governance standards and ensuring compliance by the team members.
As a result of this, patient care will improve as confidently trained NHS employees:
Follow best practice
Manage personal information for the benefit of the patient/client
Patients/clients will appreciate that we treat their information with the utmost respect; this will:
Build trust in NHS working practices
Encourage more open sharing of important medical information
Provide better quality care
Confidentiality
We all know what confidentiality means, but do you know that anyone working for or with NHS Lancashire North has a duty of confidence?
All Managers must ensure that their staff are aware of and understand their obligations to conform to standards of confidentiality, outlined within the NHS Code of Practice for Confidentiality. They are also responsible for ensuring their staff are notified of any changes.
All staff, including contractors, volunteers and non-executive directors, are obliged to sign annually and adhere to this code of conduct.
A failure to sign and adhere to this code of conduct and associated CCG procedures may result in disciplinary action.
A copy of the Confidentiality Code of Practice can be found at
http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_4069253
An Overview of the Code of Practice
What is confidential patient information?
1. A duty of confidence arises when one person discloses information to another (e.g. patient to clinician) in circumstances where it is reasonable to expect that the information will be held in confidence. It:
is a legal obligation that is derived from case law;
is a requirement established within professional codes of conduct; and
must be included within NHS employment contracts as a specific requirement linked to disciplinary procedures.
2. Patients entrust us with, or allow us to gather, sensitive information relating to their health and other matters as part of their seeking treatment. They do so in confidence and they have the legitimate expectation that staff will respect their privacy and act appropriately. In some circumstances patients may lack the competence to extend this trust, or may be unconscious, but this does not diminish the duty of confidence. It is essential, if the legal requirements are to be met and the trust of patients is to be retained, that the NHS provides, and is seen to provide, a confidential service. What this entails is described in more detail in subsequent sections of this document, but a key guiding principle is that a patient’s health records are made by the health service to support that patient’s healthcare.
3. One consequence of this is that information that can identify individual patients must not be used or disclosed for purposes other than healthcare without the individual’s explicit consent, some other legal basis, or where there is a robust public interest or legal justification to do so. In contrast, anonymised information is not confidential and may be used with relatively few constraints.
Patient information is generally held under legal and ethical obligations of confidentiality.
Information provided in confidence should not be used or disclosed in a form that might identify a patient without his or her consent. There are a number of important exceptions to this rule, described later in this document, but non-disclosure in an identifiable form applies in most circumstances.
Disclosing and using confidential patient information
4. It is extremely important that patients are made aware of information disclosures that must take place in order to provide them with high quality care. In particular, clinical governance and clinical audits, which are wholly proper components of healthcare provision, might not be obvious to patients and should be drawn to their attention. Similarly, whilst patients may understand that information needs to be shared between members of care teams and between different organisations involved in healthcare provision, this may not be the case and the efforts made to inform them should reflect the breadth of the required disclosure. This is particularly important where disclosure extends to non-NHS bodies.
5. Many current uses of confidential patient information do not contribute to or support the healthcare that a patient receives. Very often, these other uses are extremely important and provide benefits to society – e.g. medical research, protecting the health of the public, health service management and financial audit. However, they are not directly associated with the healthcare that patients receive and we cannot assume that patients who seek healthcare are content for their information to be used in these ways.
Patient consent to disclosing
6. Patients generally have the right to object to the use and disclosure of confidential information that identifies them, and need to be made aware of this right. Sometimes, if patients choose to prohibit information being disclosed to other health professionals involved in providing care, it might mean that the care that can be provided is limited and, in extremely rare circumstances, that it is not possible to offer certain treatment options. Patients must be informed if their decisions about disclosure have implications for the provision of care or treatment. Clinicians cannot usually treat patients safely, nor provide continuity of care, without having relevant information about a patient’s condition and medical history.
7. Where patients have been informed of:
the use and disclosure of their information associated with their healthcare; and
the choices that they have and the implications of choosing to limit how information may be used or shared; then explicit consent is not usually required for information disclosures needed to provide that healthcare. Even so, opportunities to check that patients understand what may happen and are content, should be taken. Special attention should be paid to the issues around child consent.
8. Where the purpose is not directly concerned with the healthcare of a patient however, it would be wrong to assume consent. Additional efforts to gain consent are required or alternative approaches that do not rely on identifiable information will need to be developed.
9. There are situations where consent cannot be obtained for the use or disclosure of patient identifiable information, yet the public good of this use outweighs issues of privacy. Section 251 of NHS Act 2006 currently provides an interim power to ensure that patient identifiable information, needed to support a range of important work such as clinical audit, record validation and research, can be used without the consent of patients.
Obligations on individuals working in the NHS
10. All staff should meet the standards outlined in this document, as well as their terms of employment (or other engagement agreements). Much of what is required builds on existing best practice. What is needed is to make this explicit and to ensure that everyone strives to meet these standards and improves practice.
11. Clearly staff are constrained from meeting these standards where appropriate organisational systems and processes are not yet in place. In these circumstances the test must be whether they are working within the spirit of this code of practice and are making every reasonable effort to comply.
12. The need for change may apply to many existing systems and processes and it is important that staff know that the Caldicott Guardian or NHS Lancashire CSU Head of Information Governance should be informed of any specific problems or barriers to change that are noted.
Providing a Confidential Service
The Confidentiality Model
13. The model outlines the requirements that must be met in order to provide patients with a confidential service. Record holders must inform patients/clients of the intended use of their information, give them the choice to give or withhold their consent, and protect their identifiable information from unwarranted disclosures. These processes are inter-linked and should be ongoing to aid the improvement of a confidential service. The four main requirements are:
PROTECT – look after the patient’s information;
INFORM – ensure that patients are aware of how their information is used;
PROVIDE CHOICE – allow patients to decide whether their information can be disclosed or used in particular ways.
To support these three requirements, there is a fourth:
IMPROVE – always look for better ways to protect, inform, and provide choice.
Protect Patient Information
14. Patients’ health information and their interests must be protected through a number of measures:
Procedures to ensure that all staff, contractors and volunteers are at all times fully aware of their responsibilities regarding confidentiality;
Recording patient information accurately and consistently;
Keeping patient information private;
Keeping patient information physically secure;
Disclosing and using information with appropriate care.
Inform Patients Effectively – No Surprises
15. Patients must be made aware that the information they give may be recorded, may be shared in order to provide them with care, and may be used to support clinical audit and other work to monitor the quality of care provided. Consider whether patients would be surprised to learn that their information was being used in a particular way – if so, then they are not being effectively informed.
16. Staff must:
check where practicable that information leaflets on patient confidentiality and information disclosure have been read and understood. These should be available within each NHS organisation;
make clear to patients when information is recorded or health records are accessed;
make clear to patients when they are or will be disclosing information with others;
check that patients are aware of the choices available to them in respect of how their information may be disclosed and used;
check that patients have no concerns or queries about how their information is disclosed and used;
answer any queries personally or direct the patient to others who can answer their questions or other sources of information;
respect the rights of patients and facilitate them in exercising their right to have access to their health records.
Provide Choice to Patients
17. Patients have different needs and values – this must be reflected in the way they are treated, both in terms of their medical condition and the handling of their personal information. What is very sensitive to one person may be casually discussed in public by another – just because something does not appear to be sensitive does not mean that it is not important to an individual patient in his or her particular circumstances.
18. Staff must:
ask patients before using their personal information in ways that do not directly contribute to, or support the delivery of, their care;
respect patients’ decisions to restrict the disclosure or use of information, except where exceptional circumstances apply;
communicate effectively with patients to ensure they understand what the implications may be if they choose to agree to or restrict the disclosure of information.
Improve Wherever Possible
19. It is not possible to achieve best practice overnight. Staff must:
be aware of the issues surrounding confidentiality, and seek training or support where uncertain in order to deal with them appropriately.
NHS Care Record
As part of the NHS Care Record Service patients will be able to seal away sensitive information in the patient “sealed envelope” on the system. When the envelope is opened an automatic alert will be sent to the Caldicott Guardian/ Privacy officer. Action will be taken if records are deliberately looked at without authority. This can include disciplinary action, dismissal or bringing criminal charges.
Staff should be aware of the NHS Care Record Guarantee and their responsibilities, e.g. access to records, sharing information and consent issues. It can be downloaded from http://www.nigb.nhs.uk/guarantee.
See the Department of Health (DoH) Code of Practice, which gives guidance for those who work within or under contract to NHS organisations on confidentiality, patient consent, use of health records and sharing information.
Information Quality Assurance
Good quality information underpins sound decision making at every level in the NHS. Most importantly it contributes to the improvement of the service provided.
Why does quality matter?
The entire consultation process revolves around information. Its accuracy is paramount for health professionals, aiding better diagnoses and prescribing and alerting them to issues such as:
Drug allergy
Medical conditions, e.g. diabetes, asthma, heart conditions
Mental condition
Constant, reliable data is essential for improving health care by means of:
Medical research
Disease monitoring
Health care management
Quality assurance is defined as a programme for the systematic monitoring and evaluation of the various aspects of a project or service to ensure that standards of quality are being met. The pledge is to guarantee and assure the quality of the information produced.
Think CARROT!
Completeness
Accuracy
Relevance
Reliability
Output
Timeliness
(Detailed in training from Virtual College)
Information Security Management
The purpose of information security management is to preserve:
Confidentiality: data and information can only be seen by those authorised to see it and can only be changed by those allowed to change it.
Integrity: the data is complete, accurate, up to date and relevant and the system is operating as per the specification.
Availability: information and services are delivered to the right person when they are needed.
Accountability: all system activity can be traced back to the originator.
Good information security enables the correct information to be viewed and processed by the right people, at the right time, when they need it. ISO27001 (formerly known as BS17799) is the international standard for information security that has been adopted by the NHS.
Records Management
Any information held by the CCG is only of use if it can be retrieved easily and effectively with the assurance that the data is accurate and current. In the case of personal information, it is also a legal requirement. You must feel confident that you know how to access and store information in a consistent manner to enable you to perform your job to the best of your ability.
Laws that apply to the handling and use of health records are:
Public Records Act 1958
Access to Health Records 1990
Computer Misuse Act 1990
Data Protection Act 1998
Common Law Duty of Confidentiality
Code of Practice on the Management of Records – Section 46 of the FOI Act
Further guidance can be obtained from: Department of Health Code of Practice
Remember - Everyone working in healthcare, who records, handles, stores or deals with information has a PERSONAL COMMON LAW DUTY OF CONFIDENTIALITY.
Manual Records
Manual records when in use should be stored securely in locked rooms or cabinets. Confidential information such as patients’ records or employees records must not be left lying around in accessible areas such as on desks where they may be viewed by members of the public or unauthorised staff. When a record has become dormant then consideration should be given to using the remote storage facility referred to in the Records Management Policy.
Electronic Records
Access to any PC must be password protected and this must not be shared:-
Computer screens must not be left on view so members of the public or staff who do not have a justified need to view the information can see personal data.
PCs or laptops not in use should be switched off or have a secure screen saver device in use.
Laptops and hand held devices must be kept secure in locked rooms or cabinets or in a safe environment (where members of staff are present at all times).
USB data sticks must not be used for confidential information unless they are individually password protected and encrypted.
Ensure that person identifiable information is not sent to a recipient outside of the NHS e.g. this type of communication via email must be between NHSmail accounts only. In the subject line of an email do not include person / patient identifiable information.
Digital Signatures
The use and practice of digital authentication (digital signatures) has not been quantified within NHS Lancashire. The following text is general guidance to provide an awareness of this process.
What is a digital signature?
Written signatures are normally personalized versions of a name or nickname (depending on the nature of the document), or, at least, a unique mark of some kind. A personalized signature is more difficult to forge than writing your name neatly, or even typing it.
However, the use of the term ‘signature’ has wider meaning than a stylised version on one’s own name. It can be used as a term to attribute ‘ownership’ to actions linked to methods of electronic access and sign-off.
Type 1
The simplest example of a digital signature is a scanned copy of one’s own handwritten signature that can be embedded into an electronic document. There are however risks to electronically embedded signatures as they can be copied and pasted into other documents. To limit risks, steps should be taken to ensure that no one has access to scanned signatures but those permitted to use them. Documents generally should be saved without the signature. Where it is necessary to save a signature in a document, it must be password protected. If a document is to be sent by email then any signature should be erased before sending. Unauthorised use of signatures will be treated as a breach of the employee’s contract of employment and may be the subject of disciplinary proceedings.
Type 2
A ‘proper’ digital signature is a particular type of electronic signature that enables staff to be formally identified as ‘themselves’ and to either gain access to IT systems or, perhaps, make digital approvals or ‘sign-offs’. Digital signatures rely on a form of encryption (known as asymmetric cryptography) to authenticate messages. In this type of encryption two 'keys' are used: (i) the private key, which is known only to the signatory and is used to create the digital signature and change the message into encrypted form; and (ii) the public key, which is used by a relying party to verify the digital signature and decrypt the message.
For example, logging on to an IT network illustrates the two factor requirement of a user name (public key – something you are) and unique password (private key – something you know). Once logged on, anything done within the system will be identified back to the user, i.e. a true ‘digital signature’.
Many of the more confidential systems have a second line of protection - for example, to log on to financial systems or Social Care systems you have to present extra credentials specific to that system. Some very secure systems may also require a special pass token or card (private key – something you have) to make absolutely sure you are who you say you are. Once you're into any of these systems, everything you do is authorised by your digital signature, and duly recorded.
Since actions are automatically attributed to the user by the digital signature, it is essential that staff do not share passwords or ‘SmartCards’ to prevent any adverse actions being attributed to the wrong person.
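The two-key mechanism the Type 2 section describes (a private key held only by the signatory creates the signature; a public key lets anyone check it), as an added example that is not part of this handbook or of any NHS system. It uses the Ed25519 signature scheme from Go's standard library. The approval note, the signatory names and the helper names (Signatory, NewSignatory, Sign, Verify) are all constructed for illustration. The example shows what a relying party can establish from the public key alone: that the content is exactly what the key holder signed, and that a change of even one character, or a signature made with a different private key, is rejected. This is the property that lets the organisation attribute an approval to a specific person, and it is why the private key (like a password or smartcard) must never be shared.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Signatory holds one person's key pair. Only the private key can create
// signatures, so it must stay with the person it was issued to; the public
// key may be published so that others can verify (but never sign).
type Signatory struct {
	Name string
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// NewSignatory generates a fresh Ed25519 key pair for the named person.
func NewSignatory(name string) (*Signatory, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signatory{Name: name, priv: priv, Pub: pub}, nil
}

// Sign produces a signature over content using the private key. The content
// itself is not hidden; the signature only binds it to this key pair.
func (s *Signatory) Sign(content []byte) []byte {
	return ed25519.Sign(s.priv, content)
}

// Verify is what a relying party runs. It needs only a public key it already
// trusts (obtained from a directory or registration process, not taken from
// the document being checked), the content and the signature. It returns
// false if the content was altered or the signature came from another key.
func Verify(trusted ed25519.PublicKey, content, sig []byte) bool {
	return ed25519.Verify(trusted, content, sig)
}

func main() {
	// Constructed scenario: a manager signs off a record-destruction request.
	approver, err := NewSignatory("A. Manager (constructed)")
	if err != nil {
		panic(err)
	}
	note := []byte("Approve destruction of archive box 17 (constructed example)")
	sig := approver.Sign(note)
	fmt.Printf("%s signed; signature begins %s...\n", approver.Name, hex.EncodeToString(sig)[:16])

	// The relying party holds approver.Pub from a trusted source.
	fmt.Println("genuine note verifies:  ", Verify(approver.Pub, note, sig))

	// Change one character of the note: the same signature no longer matches.
	altered := []byte("Approve destruction of archive box 18 (constructed example)")
	fmt.Println("altered note verifies:  ", Verify(approver.Pub, altered, sig))

	// A second signatory signs the identical text with their own private key.
	// Checked against the approver's public key, it does not verify, so the
	// approval cannot be attributed to the wrong person.
	other, _ := NewSignatory("B. Colleague (constructed)")
	fmt.Println("other key's sig verifies:", Verify(approver.Pub, note, other.Sign(note)))
}
```

The relying party verifies against a public key it obtained independently; a key bundled with the document would prove only that the document is self-consistent, not who signed it.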
Retention and Destruction of Records
Records containing personal information should not be kept longer than necessary. Guidance is given in The Records Management NHS Code of Practice 2006.
Destruction of confidential records must ensure that their confidentiality is fully maintained. Normally destruction should be by incineration or shredding.
Records that need to be destroyed should be shredded on site, but where this is not possible they need to be identified and stored in a secure location for eventual destruction. The destruction of the records must be witnessed by a CCG employee or a certificate of destruction must be provided to the NHS Lancashire CSU Information Governance team.
For further guidance please see the CCG Records Management Policy.
Security of Information
All records containing personal information whether they are kept in files or stored on PCs, Laptops or any other form of electronic capture device must be secure. This can be achieved by following the guidance in the CCG Information Security Policy, Transfer of Confidential Patient Information (Safe Haven) Policy and E-mail and Internet Policy. Below are some basic rules on maintaining the confidentiality of personal information.
SMARTCARDS
Security and Confidentiality
All staff have a duty to keep patient information secure and confidential.
Your smartcard provides you with the level of access to healthcare information you require as part of your healthcare role. You must therefore always keep your smartcard safe and use it appropriately.
You must:
Treat your smartcard like your credit or debit card and keep it in a safe locked place, separate from your passcode when not in use.
Never allow anyone else to use your smartcard or use your PC whilst your smartcard is logged on to that PC.
Do not write down your passcode anywhere or share it with anyone.
Never leave your smartcard unattended or in the smartcard reader when you are not actively using it.
Report the loss, theft or damage of your smartcard immediately to your Sponsor and local Registration Authority so they can cancel your card and replace it as soon as possible. Complete an incident report form.
Read, understand and sign the declaration on the RA01 form to agree your responsibility.
Access through clinical systems to patient identifiable information is on a need to know basis, and accessing records without a legitimate reason will be viewed as a breach of confidentiality.
If smartcard misuse by a CCG General Practice staff member is discovered, the smartcard will be cancelled centrally and disciplinary action will be taken. This would be dealt with under the CCG’s Disciplinary Policy; for other users, disciplinary action will be recommended to the employer of those users.
Passwords
Password access is the main security method for protecting confidential information. NEVER SHARE YOUR PASSWORD.
Take some care to construct a password, i.e.:
Something you can easily remember
Something not obvious for others to guess
It should be between 4 and 8 digits
If you need a memory jogger, write down a trigger word, not the password itself
Never keep your password with or near your laptop/USB/PC
Printing and Photocopying
Keep the number of copies to a minimum
Regularly check / update your distribution list to ensure copies are not sent to staff who have left or moved to another service
Disposal of Waste Paper
Make sure that you dispose of confidential information appropriately
All personal information is confidential and must be shredded
Your Work Environment
Ensure that filing cabinets containing confidential information are always kept locked when not in immediate use
Ensure filing cabinets are not sited in areas that are accessible to members of the public / visitors
Ensure regular housekeeping of your files
When destroying information ensure you comply with NHS retention guidelines
Remember to lock and secure the office when it is unattended and at the end of the day
Whenever possible escort visitors at all times on site
Remember to wear your identity badge
Consider a clear desk policy, especially when hot desking or working in an open plan office
Clear Desk Policy - This is a legal requirement of the Data Protection Act 1998: do not leave confidential information unattended or out overnight. This is particularly important when hot desking or working in an open plan office.
Overheard Conversations
Where conversations are conducted by staff relating to organisation business either over the telephone, face to face or in the close proximity of public/reception areas, care must be taken that personal information is not overheard by persons who do not have a right or need to hear such information. This can also apply where recorded messages are re-played. Where departments or practices feel there is a definite problem, procedures should be implemented to improve the situation.
Sharing Your Outlook Calendar
To allow access to / share your outlook calendar, in a safe and secure way, with other colleagues, you must use the Share Calendar option within your own Calendar.
Laptop
Confidential information should not be taken off site
Laptops should be locked away in the building when not in use
Where it is necessary to take confidential information off site, remember :
Do not leave the laptop unattended when out of the office (see guidance on laptops at the rear of this document)
Remove confidential information as soon as possible
Password protect files containing confidential information
Ensure regular housekeeping of laptop files
Staff must also refer to any local Mobile Media Policy
Information Sharing with Other Agencies
It may be necessary for essential personal information to pass between the NHS, Local Authority, Social Services and other services. This may happen for example where one of these services is contributing towards a programme of care. Where information sharing takes place, a protocol arrangement should be in place, which gives the organisation necessary guarantees on the security of the data.
All personal information that is used in the protocol sharing arrangement must meet the conditions for processing as laid down in the Data Protection Act 1998. If that personal information has been given in confidence by an individual it should not be disclosed further or used for another purpose unless:
The individual has given their consent
The disclosure is a requirement of a statute of law
There is an overriding public interest in making the disclosure
At the start of any information gathering arrangement, procedures should ensure that an individual should be fully aware and in agreement that their personal information is to be shared for the purpose specified in that arrangement.
It must be appreciated, however, there may be occasions where confidentiality is not absolute and it could be essential that it be breached. This may be appropriate where it becomes necessary to protect an individual from harm such as in a child protection case or personal information is required for a serious crime investigation. In addition, a statute of law might allow a disclosure without consent for example – Public Health legislation stipulates that designated NHS staff need to notify the relevant authority where a person is suspected of contracting a notifiable disease.
Where information would be disclosed without or against the consent of the individual for example because the information is required under a court order/statute or there is an overriding public interest for doing so, the decision to release information should be referred to the nominated senior individual. This nominated person shall be specified in the procedures of each Partner Agency and will make a judgement on a case-by-case basis. It may be appropriate for this person to seek additional legal or specialist advice if information is to be disclosed without the individual’s consent. A formal record must be kept by the relevant agency as to the reason why a disclosure of personal information was made. Where public interest is the reason, the grounds for doing so should be documented.
Each case should be judged on its merits whether a disclosure without consent is justified. Decisions must be made by those with delegated powers within the CCG such as the Caldicott Guardian.
Information which has been aggregated or anonymised can generally be shared for justified purposes. Care should be taken to ensure that individuals cannot be identified from this type of information, as it is frequently possible to identify individuals from limited data. If individuals can be identified by the data, normal legislative requirements would then apply. In all cases only the minimum identifiable information necessary to satisfy the purpose should be made available. An individual has a right to request that information about them be withheld from someone or some agency which might otherwise have received it. The individual’s wishes should be respected unless there are exceptional circumstances.
Information Sharing Protocols
It is important to use your judgement to strike a balance between the harm that could be done to a patient’s health if information isn’t used and shared and the risk of breaching confidentiality if information is shared. If you feel sharing information is necessary, to avoid or reduce harm or distress to anyone, then the legal framework will generally support it.
An Overarching Standard for Information Sharing has been designed to be used in conjunction with a set of documents within a Tiered Structure and there are three main tiers to the structure. The CCG has an overarching Information Sharing Policy. If you have any queries around information sharing please contact the NHS Lancashire CSU Information Governance team. For further information about all three documents see below:
Tier Zero
Tier Zero is the Lancashire and Cumbria Health, Health and Social Care Information Sharing Protocol incorporating The North West Strategic Information Sharing Protocol.
This is a simple two page document signed by a Chief Executive/Lead Partner of an organisation agreeing in principle to share information. Organisations that have signed this protocol recognise a collective responsibility to minimise the burdens of data collection, and to ensure that data collected is used effectively to support the overall aims of public sector organisations within the Lancashire & Cumbria area, along with other organisations in the North West which border this area.
We are committed to the principles that:
Data should be collected once, shared appropriately and used many times
Collection and sharing of data should be fully automated wherever achievable
The value of any data collected should demonstrably outweigh the costs
Personal data on individuals should be properly protected
There is a legal justification for sharing the data
Tier One
This is an overarching standard outlining the agreed procedures for sharing information
This document outlines the agreed procedures for sharing information. It also includes the supporting legislation, guidelines and documents which govern information sharing between partner organisations.
Tier Two
This document gives guidance to operational practitioners on the production of a protocol for the safe sharing of information. These protocols should show what information should be shared, how, under what circumstances and by whom, and should be tailored to individual partnerships. This document will require authorisation by the participating partnership organisations. There is a guide available on how to complete a Tier Two agreement. It is recommended that you send a copy to your local Information Governance Team for approval before signing is completed.
The CCG is bound by the provisions of a number of items of legislation affecting the stewardship and control of information. This includes:
Data Protection Act 1998
Freedom of Information Act 2000
Environmental Information Regulations 2004
Human Rights Act 1998
Regulation of Investigatory Powers Act 2000 (& Lawful Business Practice Regulations 2000)
Crime & Disorder Act 1998
Criminal Justice Act 2003
Computer Misuse Act 1990
Access to Health Records Act 1990 (for access to deceased records)
Copyright, Designs and Patents Act 1988 (as amended by the Copyright (Computer Programs) Regulations 1992)
Electronic Communications Act 2000
Children Act 1989
Mental Health Act 1983 & 2007
Health & Social Care Act 2001 & 2008
Mental Capacity Act 2005
In addition to the above, the following additional legislation could also impact upon the way in which information is used:
Public Interest Disclosure Act 1998
Audit & Internal Control Act 1987
NHS Sexually Transmitted Disease Regulations 2000
National Health Service Act 1977
Human Fertilisation & Embryology Act 1990
Abortion Regulations 1991
Prevention of Terrorism (Temporary Provisions) Act 1989 & Terrorism Act 2000
Road Traffic Act 1988
Regulations under Health & Safety at Work Act 1974
Carers (Recognition & Service) Act 1995
Service Users Access to Records Act 1987 & Regulations 1989
Adoption and Children Act 2002
Health Act 1999 (Section 31)
NHS & Community Care Act 1990
Freedom of Information
The Freedom of Information Act (FOI)
http://www.opsi.gov.uk/acts/acts2000/ukpga_20000036_en_1 is an Act of Law that came fully into force on 1st January 2005. The Act gives anyone the general right to access information held by public authorities. The Lord Chancellor's office has produced a Code of Practice as to how this Act should be applied.
The main purpose of the Act is to give anyone, from anywhere in the world, the right to request information (see http://www.ico.gov.uk/). Requests must be made in writing (email is acceptable) stating what information they require. The applicant does not have to state that it is a Freedom of Information request, and they do not have to state why they want the information.
The request could be for any information the CCG holds. It can include hand written notes, PowerPoint presentations or word processed documents - minutes / reports / consultation documents, letters, emails, spreadsheets, photos/ images. Anything that substantiates how decisions were made and by whom, how monies were spent or apportioned.
Every public authority and organisation that receives government funding has produced a Publication Scheme. The schemes have been approved by each organisation's Board. Publication schemes list information that is readily available (e.g. Annual reports, Board minutes, public meeting minutes, local publications). Any fees charged for providing information requested under FOI will be displayed on the Publication Scheme. The CCG must provide easy access to its Publication Scheme. Schemes are usually displayed on an internet site under a Freedom of Information section, but must also be available in other formats for citizens/patients who are not computer literate.
FOI Exemptions
As with the Data Protection Act there are exemptions from the duty to provide information.
If YOU receive an FOI request you must forward it to the FOI lead as promptly as possible, where it will be logged and will follow a set procedure. Equally if you receive a request from the FOI lead for information you hold or may hold, you must respond as quickly as possible. All FOI requests must be dealt with within 20 working days unless the FOI lead has been informed otherwise. FOI requests are dealt with by the local FOI manager/officer.
FOI requests are not for personal data, personal data can only be released in compliance with the Data Protection Act 1998.
Another area of information not covered by FOI is environmental information. This is dealt with under separate legislation known as Environmental Information Regulations (EIRs).
Environmental Information Regulations (EIRs)
Unlike FOI and Data Protection Act requests for information, information requests under the EIRs can be verbal or written. The EIRs cover a wide variety of environmental information, including:
Raw data on subjects such as air and water quality levels, industrial discharge rates, soil quality and biodiversity.
Regulatory measures affecting the environment, including policies, plans, programmes and agreements.
Reports on the implementation of environmental legislation.
Economic analysis, including cost benefit analysis on regulatory measures.
Health & safety information, on subjects such as food and land contamination and quality of life.
There are no geographical restrictions or any historical restrictions as, like FOI, the regulations are fully retrospective.
In keeping with FOI, you have a duty to provide advice and assistance to people who wish to make or have made a request for information.
The Information Commissioner
It is the Information Commissioner’s function to ensure compliance with the Freedom of Information Act, the Data Protection Act and the Environmental Information Regulations. The Information Commissioner’s Office has the power to issue enforcement notices and financial penalties and, if need be, to initiate court proceedings to ensure compliance.
The Acts and regulations support each other allowing the public access to information held by the public sector.
Destroying requested information outside of your normal policies is unlawful and may be a criminal offence if done to prevent disclosure.
Information Commissioner’s Office
Water Lane, Wilmslow
Cheshire SK9 5AF
Tel: 08456 30 60 60 or 01625 54 57 45
Fax: 01625 524510
Press and media enquiries
Call 020 7025 7580
Helpline
Call 08456 30 60 60 or 01625 54 57 45. The helpline is open from 9am to 5pm, Monday to Friday.
Data Protection
Personal data must be collected lawfully and correctly. Each NHS organisation must comply with the Data Protection Act 1998 (DPA).
Data Protection 8 Principles with a Brief Definition:
P1. Processed fairly and lawfully – There should be no surprises: you should always inform data subjects why you are collecting their personal information, what you intend to do with it and who you will share it with.
P2. Obtained/ processed for specific lawful purposes – Only use the personal information for the purpose for which you obtained it.
P3. Adequate, relevant and not excessive – Only collect and keep the information that you require. Do not collect information ‘just in case’.
P4. Accurate and kept up to date – Always take care when inputting the information to ensure accuracy. Check that information is up to date.
P5. Not be kept for longer than necessary – Follow retention guidelines and ensure regular housekeeping of your information. Check organisation’s disposal policy and dispose of information correctly.
P6. Processed in line with the rights of data subjects – subject access, not for direct marketing, compensation.
P7. Must be kept secure. There are 2 components for this principle:-
Practical - Safehaven faxes, clear desk policy, lock confidential papers away, keep password secret, transport confidential information securely.
Organisational – CCG should have: good information management practices, guidelines on IT security, staff training, confidentiality clause in all contracts, procedure for access to personal data, disposal policy.
P8. Not transferred outside the European Economic Area (EEA) without adequate protection – Ensure consent is obtained and information is in a tamper evident envelope if sending outside the EEA. Always gain consent when putting personal information on websites.
Definition of Personal and Sensitive Personal Information
Personal data is information held by an organisation that can identify a person (the data subject). It could be a patient, a member of personnel (past, present and prospective) or a supplier or contractor. It can be recorded on paper manually, computerised, electronic or digitally (CCTV & identifiable voice recordings are also included).
• Personal Information: Name, DOB, address, postcode, NHS No., NI No., next of kin details, carers details and bank details.
• Sensitive Personal Information: Health or physical condition, occupation, Trade Union membership, sexual orientation and sexual life, ethnic origin, religious beliefs political views, criminal convictions.
Please note that for sensitive information even more stringent measures must be employed to ensure that the data remains secure.
Data Protection Act Exemptions
Examples most relevant to the NHS are:
Crime and Taxation (Section 29)
Where the CCG receives a request for personal information from the police, certain information can be released if a statute of law dictates the need for disclosure e.g.:
The Police have produced a court order
The information is required under the Road Traffic Act
The police have consent from the patient/member of staff.
Where there is no legal compulsion to disclose and the consent of the individual has not been obtained to release their information, the organisation can consider whether to disclose but must justify that decision if they decide to do so.
You can disclose the information if the failure to disclose is likely to:
Prejudice (that is, significantly harm) any attempt by the police to prevent a crime or catch a suspect
Prevent the detection of crime and/or the apprehension or prosecution of offenders
Under Section 29, requests should be made in writing to the Caldicott Guardian and can be received from:
Department of Social Security War Pensions Agency
Criminal Investigation Compensation Authority
Police, signed by a senior officer of minimum rank Chief Inspector
Health, Education and Social Work (Section 30)
Health Records:
Patient access to their personal records can be withheld if, in the opinion of a health care professional, disclosure might result in physical or mental harm to the patient or to another person, or where disclosure would involve personal data about another patient or person.
Other legislation
Under other legislation, the NHS by law must disclose certain personal data:
Births are notified to the Registrar of Births, Deaths and Marriages
Public Health consultations must notify any communicable diseases
Subject Access Request (SAR)
The Act allows certain rights to subjects, (the person whose data has been collected). The most common request in the NHS is the right of subject access, the right to know what personal information is on a computer or in manual records held by the organisation. More often than not this is a request to view or have a copy of their medical record.
All CCG staff should know the details of the appropriate person who deals with these requests, as they must be dealt with in a specific manner. To comply with the Act the organisation has 40 days from receipt of the request to verify the identity of the applicant, locate the information (often from various sources) and collect any fees due for admin, e.g. photocopying.
Requests must be made in writing. Every request is logged and challenged to ensure that only the correct person (the data subject or their designated representative) views or receives the requested personal information. NHS Lancashire North has both a Subject Access Policy and Procedures for dealing with these requests and they are both available on the website.
Disciplinary
A breach of confidentiality e.g. looking at records without authority, or a data loss e.g. transferring personal information electronically without encryption, could result in a member of staff facing disciplinary action resulting in dismissal and/or criminal charges.
Any breach is considered serious and should be reported immediately to the CCG Caldicott Guardian and the NHS Lancashire CSU Head of Information Governance.
Contracts of Employment
Staff contracts of employment are produced and monitored by the Human Resources function within NHS Lancashire CSU. All contracts of employment include a data protection and general confidentiality clause. Agency and contract staff are subject to the same rules.
All employees will be made aware of their responsibilities in connection with the Acts mentioned in this guidance through their Statement of Terms and Conditions, and targeted training sessions carried out by the Information Governance team.
Induction
All new starters to the CCG will be given Information Governance training as part of the induction process. This training will be undertaken by completing an e-learning training module(s) on the Connecting for Health website or by completing an Information Governance workbook. Extra training in areas that are a requirement for specific posts will be given to those who require it due to the nature of their job. A record of completion will be maintained for all staff.
Training and Awareness
Fundamental to the success of delivering the Information Governance Strategy is developing an Information Governance culture within the CCG.
On-going awareness and training is provided to all CCG staff who utilise personal identifiable information in their day to day work, to promote this culture. The Information Governance Training Policy outlines the requirements and the mandatory modules, which are dependent on your role. Please check the policy. In order to achieve this, the CCG:
Request staff to self-register on the Information Governance Training Tool (IGTT) provided by Connecting for Health. Staff will need to complete all mandatory training modules and any recommended modules highlighted to fit their job role.
Ensure that any staff induction programme includes Data Protection and Caldicott awareness.
Establish staff awareness raising campaigns
Have in place Information Governance policies, procedures and guidelines
Regularly contribute to weekly briefings
Post Information Governance information on the CCG intranet
Carry out spot checks on key Information Governance issues on a regular basis.
Transmission of Personal Information
Transmission of Personal Information via Fax
Only use fax as a last resort, if there is no other possible way of sending the message. The majority of fines issued by the Information Commissioner's Office (ICO) have been for mis-sent faxes.
Safe Haven fax machines must be placed in a secure location which ideally should be lockable when unattended.
Fax machines in non-secure locations should ideally require a PIN to be entered before they will print out a stored fax. If this is not possible and you are receiving confidential information at a fax machine that isn’t designated as ‘Safe Haven’, then you must wait for delivery of the transmission at the machine.
If the fax is not immediately collected by the recipient, it should be placed in a sealed envelope with their name and marked ‘Confidential’.
If you are unsure whether the fax machine you are sending a fax to is in a Safe Haven environment, always:
o Telephone the recipient of the fax (or their representative) to let them know you are sending them person identifiable information by fax.
o Ask them to wait by the fax machine whilst you send your message through to them.
o Ask the recipient to let you know when they receive the fax.
Always double check the fax number before you hit the ‘send’ button, whether the fax is Safe Haven or not. Use pre-installed numbers wherever possible to minimise the risk of dialling a wrong number.
Use the CCG’s corporate fax cover sheet to enforce the confidentiality of the message and request a report sheet that confirms the transmission.
When using confidential patient information it should be anonymised by using the patient’s NHS number. The universal use of a patient’s NHS Number on all clinical records and correspondence is an absolute requirement of the Department of Health. The NHS Number is the unique identifier for each patient and should be used on all letters, forms and other correspondence relating to the patient, as well as on each page in the clinical records.
Never leave the information unattended whilst the information is being transmitted.
Do not send a fax to a destination where you know it is not going to be seen for some time, or outside office opening times (whenever possible).
Sharing Person Identifiable Information by Safe Haven Fax
Transmission of Personal Information Via Email
Staff must be careful when sending emails containing personal identifiable information or commercially sensitive information. The minimum necessary information only should be sent (following Caldicott recommendations) and it should only be sent in the following circumstances: -
For individual CCG networks – check with the NHS Lancashire CSU Information Governance team.
To any recipient of another NHS organisation or business partner via NHSmail accounts only. These addresses all end in ‘@nhs.net’. Both sender and recipient must use an NHSmail account. Staff who require a new NHSmail account should contact the local IT team.
From an NHSmail account (e.g. @nhs.net) to any of the following email type accounts:
.x.gsi.gov.uk
.gsi.gov.uk
.gsx.gov.uk
.gse.gov.uk
.gcsx.gov.uk
.scn.gov.uk
.pnn.police.uk
.police.uk
.cjsm.net
.mod.uk
.pnn.gov.uk
.eu-admin.net
.gsisup.co.uk
.psops.net
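The rule above (sender on NHSmail, recipient on NHSmail or one of the listed secure government domains) is easy to get wrong when implemented as a simple "ends with" string test, because a domain such as evilpolice.uk also ends in police.uk. The following is an added example, not part of this handbook or of any NHS system, showing a domain allowlist check that enforces the label boundary and applies the handbook's two conditions. The allowlist is copied from the list above; the function names and the sample addresses are constructed for the example.

```python
import re

# Domains copied from the handbook's list; the allowlist structure itself is an
# assumption made for this example, not an NHS-provided configuration.
NHSMAIL_DOMAIN = "nhs.net"
SECURE_SUFFIXES = (
    "x.gsi.gov.uk", "gsi.gov.uk", "gsx.gov.uk", "gse.gov.uk", "gcsx.gov.uk",
    "scn.gov.uk", "pnn.police.uk", "police.uk", "cjsm.net", "mod.uk",
    "pnn.gov.uk", "eu-admin.net", "gsisup.co.uk", "psops.net",
)


def domain_of(address):
    """Return the lower-cased domain part of an email address, or None if malformed."""
    addr = address.strip().lower()
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    # Only accept plain hostname characters so display names or comments
    # cannot smuggle a different domain past the check.
    if not local or not re.fullmatch(r"[a-z0-9.-]+", domain):
        return None
    return domain


def matches_suffix(domain, suffix):
    """True when domain equals suffix or is a subdomain of it.

    The leading dot on the endswith() test is what stops 'evilpolice.uk'
    from matching the 'police.uk' entry.
    """
    return domain == suffix or domain.endswith("." + suffix)


def is_secure_destination(address):
    """A recipient is acceptable if it is an NHSmail address or on a listed secure domain."""
    domain = domain_of(address)
    if domain is None:
        return False
    if domain == NHSMAIL_DOMAIN:
        return True
    return any(matches_suffix(domain, suffix) for suffix in SECURE_SUFFIXES)


def may_send_pii(sender, recipients):
    """Apply the handbook rule to one message.

    Returns (allowed, offending_addresses). The sender must be an NHSmail
    account and every recipient must be a secure destination; any address
    that fails is reported so the user can correct it before sending.
    """
    problems = []
    if domain_of(sender) != NHSMAIL_DOMAIN:
        problems.append(sender)
    problems.extend(r for r in recipients if not is_secure_destination(r))
    return (not problems, problems)


if __name__ == "__main__":
    # Constructed sample message for a quick check.
    print(may_send_pii("a.nurse@nhs.net", ["b.officer@met.police.uk", "c.clerk@nhs.net"]))
    print(may_send_pii("a.nurse@nhs.net", ["x@evilpolice.uk", "y@nhs.net.example.com"]))
```

A check like this belongs in the mail gateway or an add-in rather than relying on staff memory; the important design point is that suffix matching must happen on a domain-label boundary, and that the sender is validated as strictly as the recipients.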
Personal information of a more sensitive nature, i.e. clinical patient data, must be sent over NHSmail with appropriate safeguards:
- Care is taken to ensure emails are sent to the correct recipient
- Care is taken to ensure emails are not inadvertently copied or forwarded to incorrect recipients
- Browsers are safely set up so that, for example, passwords are not saved and temporary internet files are deleted on exit
- Agreements, possibly written, ensure that information sent by email will be safely stored and archived as well as being incorporated into patient records where appropriate
- There is an audit trail to show who did what and when
- There are adequate fall back and fail-safe arrangements
- Information is not saved or copied onto any PC or media that is “outside the NHS”
- Include an appropriate disclaimer
For more detailed guidance on sending person based information electronically please also read the CCG Information Security Policy, Email and Internet policy.
When telephone enquiries are received asking for disclosure of personal information, the caller should be asked to put their requests in writing where applicable. Where requests have to be dealt with more quickly, the following rules must be adhered to:
The disclosure is legally justified and the caller has a legal right to access that information.
You are certain the caller is who they say they are; you can confirm this by carrying out the following checks:
Verify personal details
Obtain and record the enquirer's telephone number
If the caller is part of an organisation/company, you should obtain the main switchboard number of that organisation (via phone book or directory enquiries) and ring back
Any suspect bogus enquiries should be referred immediately to the NHS Lancashire CSU information Governance team.
Only provide the minimum amount of information that is necessary
If in doubt, tell the caller you will ring back, where necessary consult a senior manager or the designated authority for confidentiality issues within the CCG
If you need to phone the individual back to verify their identity, try to use a phone number obtained from an independent source.
Where confirmation of patient details is necessary in an area where you may be overheard, ask the caller to repeat the details / spell them out to you rather than you to them.
All press enquiries, for example, should be directed to the organisation's Chief Executive’s office.
Communications by Post
Confirm the name, department and address of the recipient
Seal the information in a robust envelope, ensure it is correctly addressed and mark private and confidential.
Where necessary ask the recipient to confirm receipt.
Normal post can be used for non sensitive items and single items of correspondence that may contain appointment information and general clinical correspondence.
If the information is a clinical record not held on removable media, it must be in a secure, tamper evident envelope, correctly addressed and clearly marked “Confidential” and “Addressee only”. The envelope must be robust enough to withstand transit through the postal system and be sealed in such a way that it cannot be opened without it being obvious that it has been opened. If the information is not bulk (50 plus records), it should be sent using Special/Recorded Delivery. The addressee must be a named individual, not a department or organisation name. There must be a return address clearly given on the outside of the envelope, with the name of the individual who sent the records, so that the postal authorities do not have to open the envelope in the event of non-delivery.
If the Information is on removable media, it should be encrypted by NHS Connecting for Health recommended standards and sent by Registered Post (non bulk) or secure courier for bulk transfers.
All sensitive records must be stored face down in public areas and not left unsupervised at any time.
Incoming mail should be opened away from public areas. Ensure that incoming confidential post is handled appropriately
Communications by Text Message
Although it may be desirable to communicate with patient groups in this way, and NHSmail provides an appointment reminder facility, there are potential information security risks that should be considered before you do so. This must only be done with the express permission of the phone holder and should be revalidated regularly (an ICO requirement).
For example:
Are you confident that the person using the recipient mobile is the person to whom the message is intended?
Can you be sure that you are using the correct phone number?
Can you be sure that the patient has received the message?
Text messages are normally stored on SIM cards and are typically only cleared when overwritten (not necessarily when erased) – as mobile phones are easy to misplace or may get stolen there is a danger of a breach of confidentiality occurring that the patient may find embarrassing or damaging.
Mobile phone networks may be open to additional risks of eavesdropping or interception. If you decide to go ahead with this method of communication, you should ensure you send the minimum amount of confidential data possible. For example, appointment reminders would comprise the date and the hospital/surgery name, not the name of the patient or the specific clinic.
Bulk Transfer of Data
Contact the NHS Lancashire CSU Information Governance team for advice.
Removable Media
Staff and contractors are not permitted to introduce or use any removable media other than those provided or explicitly approved for use by NHS Lancashire North.
Removable media includes tapes, floppy disks, removable or external hard disc drives, optical discs, DVD and CD-Rom, cameras, video cameras, solid state memory devices including memory cards and pen drives.
Staff must be authorised to use removable media for the purposes of their job roles by an appropriate manager and are responsible for the secure use of the removable media and must ensure that it is physically protected against loss, damage, abuse or misuse when used, stored and whilst in transit.
None of these devices are authorised for use by staff of the CCG or external contractors who have access to NHS systems, to store personal identifiable data.
USBs
These devices fall under the local Information Security Policy in that they must be password protected and encrypted. Staff must not use non-NHS USBs for work purposes under any circumstances and are strongly advised not to bring these devices into the workplace. For further information, please reference to the Information Security Policy and Mobile Media Policy.
All staff using an NHS Lancashire North USB must complete the appropriate licence and declaration documents and have them signed off by their respective line manager and head of service. Failure to comply with this directive will invoke the disciplinary process. The licence document and declaration forms are available from Information Governance.
NHS Lancashire North is responsible for identifying and implementing any device configuration requirements that the organisation may require in order to comply with NHS Information Governance and Information Security Policy and standards. This includes data encryption capabilities.
All newly issued laptops must be encrypted for safe use by staff. There must be an asset register of all devices issued.
Cameras and Video Cameras
These have very limited specialist use, which is already the subject of policy and guidance. A log of cameras and video cameras should be maintained by the respective service and their use audited.
Other Electronic Media
Dictation machines and tapes can contain extremely sensitive information and should always be kept in a locked area when not in use; they should be cleared of all dictation when the communication has been completed.
Answerphones receiving personal information must have the volume lowered so that the information is not unnecessarily overheard. You must only leave a message on a patient's or individual's answerphone if it is urgent and/or you have prior permission from the patient or individual. If this is the case, leave your name and number only – do not say it is the CCG/surgery calling.
Photocopying machines should be sited in areas to which the general public does not have physical access. No papers should be left on the glass after copying; always check.
Thermal ribbon cartridges from certain fax machines must be disposed of through formal confidential waste disposal, because the imprint left on the ribbon by the fax machine remains readable.
Working Papers and Message Books
When not in use, paper-based information should always be kept in folders, envelopes or other containers that prevent sight of the paper, and be locked securely away. It must not be left in an in-tray or on the desk.
When in use, a Message Book should be kept away from public view in an environment with no public access in order to maintain confidentiality, and at the end of each session it must be stored in a secure location. Sensitive patient identifiable information should not be recorded in message books.