Summary: This policy provides the framework to ensure that the Trust
complies with the requirements of the Data Protection Act
1998, Caldicott Principles and NHS Code of Confidentiality.
Data Protection, Caldicott & Confidentiality Policy
Version 4
September 2016
Version Control
Change Record
Date | Author | Version | Section | Reason for Change
01/04/2011 | Lesley Barrington | dv0.1 | All | HPFT and HCHC policies brought together in a new format
01/11/2011 | Lesley Barrington | dv0.2 | All | Reviewed and updated from consultation
15/12/2011 | Lesley Barrington | dv0.3 | All | Reviewed and updated from consultation
15/12/2011 | Lesley Barrington | dv0.3 | 5.9 | Inclusion of specific paragraph relating to the use of data for research – and reference to DPA approval application form
07/02/2013 | Lesley Barrington | V2 | | Inclusion of reference to Privacy Impact Assessment Procedure and Template.
24/03/2013 | Lesley Barrington | V2 | | Update of SIRO and Caldicott Guardian
10/12/2013 | Lesley Barrington | V3 | All | Minor updates and amendments
10/12/2013 | Lesley Barrington | V3 | 3.3 | Update re. Caldicott Review
10/12/2013 | Lesley Barrington | V3 | 5.2 | Update re. Caldicott Review – inclusion of new principle 7 – information sharing
10/12/2013 | Lesley Barrington | V3 | 5.3 | Update re. newly published HSCIC Guide to Confidentiality – inclusion of 5 rules
10/12/2013 | Lesley Barrington | V3 | 11 | Updated references
July 2015 | Louise Hartland | 3 | 18 | Updated TNA (Appendix 1)
March 2016 | Lesley Barrington | 4 | 6&7 | Updated job titles
| | 4 | 8 | Addition 4.9 – reference to IGG
| | 4 | 11 | Inclusion of Health and Social Care (Safety and Quality) Act 2015
| | 4 | 17 | Updated references and websites
| | 4 | 17 | Included reference to IG SIRI incident reporting process
| | 4 | App 2 | Updated Equality IA Screening Tool
Sept 2016 | Sharon France | 4 | 5.9 | Paragraph 4 Change to HRA process
| | 4 | 5.9 | R&D to Log requests
| | 4 | 11 | Supporting Evidence
| | 4 | All | Remove reference to withdrawn policy SH IG 19
Reviewers/contributors
Name | Position | Version Reviewed & Date
Contents
Page
1. Introduction 4
2. Scope 5
3. Definitions 5
4. Duties/ responsibilities 5
5. Main policy content 8
5.1 DPA Principles 8
5.2 Caldicott Principles 10
5.3 Confidentiality 11
5.4 Patient confidentiality 12
5.5 Staff confidentiality 13
5.6 Exemptions to the DPA 1998 13
5.7 Disclosing information against subject’s wishes 13
5.8 Non-disclosure of personal information contained in a health record 14
5.9 Personal identifiable data in medical research 15
5.10 Privacy Impact Assessment Procedure and Template 16
6. Financial impact & resource implications 16
7. Training requirements 16
8. Monitoring compliance 16
9. Policy review 17
10. Associated documents 17
11. Supporting references 17
Data Protection, Caldicott & Confidentiality Policy
1. Introduction
1.1 This document describes Southern Health NHS Foundation Trust (the Trust) policy
on Data Protection and Caldicott requirements, and employees’ responsibilities for
the safeguarding of confidential information held both manually (non-computer in a
structured filing system) and electronically.
1.2 The Trust holds and manages a great deal of personal and confidential information
relating to patients, service users and carers, the public and employees of the NHS.
1.3 Data protection laws exist to strike a balance between the rights of individuals to
privacy and the ability of organisations to use data for legitimate business
purposes.
1.4 The Data Protection Act 1998, which came into force on 1st March 2000, is
concerned with “personal data” about living, identifiable individuals which is
“automatically processed or manually stored as part of a relevant filing system or
accessible record”. It need not be particularly sensitive information; indeed it can
be as little as name and address.
1.5 The Act works in two ways, giving individuals certain rights whilst placing certain
responsibilities on those who record and use personal information. The Act
incorporates 8 data protection principles which are binding for all organisations
processing data:
2. Personal data shall be obtained only for one or more specified and lawful
purposes
5. Personal data processed for any purpose must not be kept longer than
necessary
6. Personal data shall be processed in accordance with the rights of data subjects
under this Act
2. Scope
2.1 This policy covers all identifiable information created, processed and stored on
living individuals, patients or staff. Throughout this document the term “patient” is
used to refer to an individual who is receiving a service from the Trust, and this term
includes those people who are also known as “Service Users”, and “Clients”.
Similarly the terms “clinician” and “health professional” are used, but should be
interpreted as encompassing social care staff and NHS practitioners.
3. Definitions
3.1 The Data Protection Act 1998 (DPA 98) provides controls on the handling of
personal identifiable information for all living individuals. Central to the Act is
compliance with the eight data protection principles, designed to protect the rights
of individuals about whom personal data is processed whether an electronic or a
paper record.
3.2 The Access to Health Records Act 1990 provides controls on the management
and disclosure of health records for deceased patients. Thus the personal
representative of the deceased or a person who might have a claim arising from the
patient’s death can apply to request access to the files.
3.3 The Caldicott Report 1997 provides guidance to the NHS on the use and
protection of personal confidential data (PII), and emphasises the need for controls
over the availability of such information and access to it. It makes a series of
recommendations which led to the requirement for all NHS organisations to appoint
a Caldicott Guardian who is responsible for compliance with the 6 (original)
Caldicott confidentiality principles.
A review of the Caldicott Principles took place during 2012, chaired by Dame Fiona
Caldicott. The report “The Information Governance Review – To share or not to
share” was published in April 2013, which included an added Principle. The
recommendations from the report were ratified by the Government in September
2013. See sections 5.2 and 5.3 for detail.
3.4 The Common Law Duty of Confidentiality prohibits use and disclosure of
information provided in confidence, unless there is a statutory requirement or court
order to do so. Such information may be disclosed only for purposes that the
subject has been informed about and has consented to, provided also that there are
no statutory restrictions on disclosure. This duty is not absolute, but should only be
overridden if the holder of the information can justify disclosure as being in the
public interest, for example, to protect the vital interests of the data subjects or
another person, or for the prevention or detection of a serious crime.
4. Duties / Responsibilities
4.1 The Trust has established a structure to deliver information governance, to meet the
requirements of data protection and confidentiality.
staff are aware of the need to comply with the DPA 98, in particular with the
rights of patients wishing to access personal information and or their health
records.
staff are aware of requirements of the common law duty of confidence as set
out in Confidentiality: NHS Code of Practice.
arrangements with third parties who process personal data on behalf of the
Trust are subject to a written contract which stipulates appropriate security and
confidentiality.
local Research Ethics Committees and researchers are aware of the DPA 98
and how it applies to the use of data for research purposes.
The Trust’s Caldicott Guardian is the Medical Director. The Caldicott Guardian is
responsible for agreeing and reviewing protocols for governing the transfer and
disclosure of personal confidential data across the Trust and supporting agencies.
To assist with the volume and diversity of this task the Caldicott Guardian is
supported by the Head of Information Assurance, Divisional IG Leads and
Information Asset Owners (who act as Data Custodians).
The Data Protection Officer is the Medical Director. The Data Protection Officer has
overall responsibility for managing and effectively implementing all activities
necessary to achieve compliance with the DPA 1998 throughout the Trust.
Main tasks:
To promote awareness of the Act and Procedures contained in this policy
To be responsible for compliance with the DPA 98 and the eight data protection
principles.
To ensure Trust compliance of notification requirements with the Information
Commissioner’s Office
To monitor changes to working practices, and where any such changes are
found to come within the remit of the DPA 98, to take appropriate action
Facilitate all the data protection and Caldicott functions within the Trust to
support the above
Advise and update the Trust in relation to directives/guidance from the
Information Commissioner and the Department of Health
Maintain an up to date Notification under the Data Protection Act 1998.
Via the Information Governance Framework – ensure that the Caldicott
Guardian and Senior Information Risk Owner (SIRO) are informed of relevant
issues and decisions are recorded
Information Asset Owners undertake the role and responsibility of Data Custodians,
as referred to in the DPA 98 and are responsible for ensuring that the Data
Protection and Caldicott principles are fully observed and complied with by staff
within their department. Working with Team/Service Managers, Information Asset
Owners are required to ensure that all data flows and processing of data complies
with all current Data Protection policies, working closely with the Records Manager
and Information Governance Manager as appropriate.
Ensure that all new permanent staff attend the Organisational Induction session
and receive local induction as soon as they are able.
Ensure all staff have access to current information on Data Protection Act and
Caldicott requirements.
Ensure that all staff are aware of the Information Asset Owner for their area
Ensure that all staff know the procedure for reporting IG and IT security
incidents
Carry out an annual review of the Information Asset Register (that includes a
Data Protection inventory - using the compliance proforma) to enable an
assessment of compliance with the Data Protection and Caldicott principles
within the service or area. [Refer to SH IG 21 Information Risk Management
Policy and Information Asset Management framework.]
Ensure applications for access to systems within the department are processed
following the agreed procedures and with appropriate authorisation.
Have systems in place to enable the above to be managed effectively within
the service.
This policy sets out the framework to ensure that the Trust complies with the law.
5.1 Data Protection Act 1998 - Principles and Practices to ensure compliance
The Trust will put in place procedures to ensure the eight principles in the DPA 98
are met.
Principle 2 - To obtain personal data only for specified and lawful purposes
and further process it only in a compatible manner.
right of subject access (e.g. to see or have a copy of your medical records or
staff files)
right to prevent processing likely to cause damage or distress
right to prevent processing for the purposes of direct marketing
rights in relation to automated decision taking
right to take action for compensation if the individual suffers damage
right to take action to correct, block, erase or destroy inaccurate data
right to make a request to the Information Commissioner for an assessment to
be made as to whether any provision of the Act has been contravened.
Compliance will be achieved through the Information Security Policy and associated
procedures – i.e. Safe Haven Procedure.
To ensure compliance, protocols must be in place for the transfer of personal data
outside the European Economic Area, unless that country can ensure an adequate
level of protection for the rights and freedoms of data subjects in relation to the
processing of personal data.
Personal confidential data items should not be included unless it is essential for the
specified purpose(s) of that flow. The need for patients to be identified should be
considered at each stage of satisfying the purpose(s).
Only those individuals who need access to personal confidential data should have
access to it, and they should only have access to the data items that they need to
see. This may mean introducing access controls or splitting data flows where one
information flow is used for several purposes. Health care organisations should be
aware of the research conducted within the organisation, and should ensure
research teams are accountable to them (from MRC Executive Summary –
Personal Information in Medical Research).
The organisation must ensure that those handling personal confidential data, both
clinical and non-clinical staff, are made fully aware of their responsibilities and
obligations to respect patient confidentiality.
Every use of personal confidential data must be lawful. The Caldicott Guardian,
Director of Health Technology and Outcomes, is responsible for ensuring that the
organisation complies with legal requirements.
Health and social care professionals should have the confidence to share
information in the best interests of their patients within the framework set out by
these principles. They should be supported by the policies of their employers,
regulators and professional bodies.
The Health and Social Care (Safety and Quality) Act 2015 includes a legal duty
requiring health and adult social care bodies to share information where this will
facilitate care for an individual. [Refer to SH IG 46 Information Sharing Policy for
details]
5.3 Confidentiality
The Code of Practice is a guide to required practice for those who work within or
under contract to NHS organisations concerning confidentiality and patients’
consent to the use of their health records. This document uses the term ‘staff’ as a
convenience to refer to all those to whom this code of practice should apply. Whilst
directed at NHS staff, the Code is also relevant to anyone working in and around
health services. This includes local authority staff working in integrated teams and
private and voluntary sector staff.
This document:
A summary of the key confidentiality issues can be gained by reading the main
body of the document (pages 1-12), while the supporting Annexes provide detailed
advice and guidance on the delivery of a confidential service.
Following the publication of the Caldicott Review in March 2013, the Health & Social
Care Information Centre published “A guide to confidentiality in health and social
care” which identified five rules for treating confidential information with respect:
Rule 3: Information that is shared for the benefit of the community should be
anonymised
In cases where relatives have been heavily involved in patient care, the patient
must be explicitly asked as to what level these relatives can be kept informed. This
is particularly important in cases where relatives are requesting information on the
patient’s condition, perhaps before the patient has been informed.
In the event of the patient being unable to give permission the Mental Capacity Act
2005 must be followed. Staff should refer to the Mental Capacity Act Policy and
procedures for detail.
All staff are required to keep confidential any information regarding patients and
staff, only informing those that have a need to know. In particular, telephone
conversations and electronic communications should be conducted in a confidential
manner.
All staff have a confidentiality clause in their contract of employment. The Trust has
an approved Data Protection and Confidentiality clause in all contracts with 3rd party
contractors and suppliers who process personal information.
Where the subject's life may be in danger, or cases in which s/he may not be
capable of forming an appropriate decision
Where there is serious danger to other people, where the rights of others may
supersede those of the subject, for example a risk to children or the serious
misuse of drugs
Where there is a serious threat to the healthcare professional or other staff
Where there is a serious threat to the community
In other exceptional circumstances, based on professional consideration and
consultation.
If in doubt, staff should seek guidance, in confidence, from the senior Clinician or
the appropriate Senior Manager or the Information Governance Manager or the
Caldicott Guardian.
The Trust will support any member of staff who, after careful consideration and
professional judgement, and having sought guidance from their manager, can
satisfactorily justify and has documented any decision to disclose or withhold
information against a patient's wishes.
The Trust is not required to supply copies of health records if the individual
requesting the information has:
not provided enough supporting information in order for the information to be
located
not supplied the appropriate fee
not supplied the necessary evidence of identity
or
In order to ensure the key principles of the Data Protection Act are adhered to, the
Medical Research Council published guidelines on Personal Information in Medical
Research (2000). These clearly state that the law assumes that whenever people give
personal information to health professionals caring for them, it is confidential as
long as it remains personally identifiable.
Since the Data Protection Act (DPA) 1998 (EU Data Protection Directive 95/46/EC)
became law in 2000, researchers must also ensure their work is consistent with the
law. However, the law recognises that research which does not directly lead to
decisions about a person should have special freedom to use information in ways
not foreseen when it was collected, but these uses must be fair and lawful.
All research within the Trust must comply with the Data Protection & Caldicott
Guardian Principles as set out within this Policy, be registered by the Research and
Development Department and undergo review through the Health Research
Authority (HRA) process.
Research & Development Department will log and retain as appropriate, all relevant
data protection agreements for research studies, as evidence for compliance with
the DPA 1998 and Governance Toolkit.
5.10 Privacy Impact Assessment Procedure and Template
The Trust will ensure that training courses/presentations support this policy. The
training will ensure general awareness of the Data Protection and Caldicott
principles with more specific training for Data Custodians and/or Information Asset
Owners/Administrators.
All new staff will receive local and organisational induction on Information
Governance which will include confidentiality and records management. This will
be fully explained by their Manager or Data Custodian.
All staff will complete the required Information Governance Toolkit on-line learning
modules:
New staff – beginner or introduction
Annually – refresher module
8. Monitoring Compliance
Compliance with the Data Protection Act is mandatory and the Trust will ensure that
it keeps an up to date register of all purposes for processing personal data and
makes the required notification with the Information Commissioner’s Office.
The Trust is required to ensure that all permanent staff complete the relevant IG
on-line training module. Monthly reports will be provided to operational managers to
ensure compliance, and this will be monitored via the Division Specific Performance
Review process.
Reporting of IG breaches:
All Level 2 IG SIRI (serious incident requiring investigation) will be reported via the
IGTK Incident Reporting Tool – which includes automatic notification to the
Information Commissioner’s Office. Refer to IG Quick Reference Guide to incident
reporting – available on the Trust website:
http://www.southernhealth.nhs.uk/workday/policies/ig/
9. Policy Review
This policy will be subject to regular planned review and, if revised, all staff will be
alerted to the new version. The latest version can be found on the Trust Website.
Appendix 1
Training Needs Analysis – July 2015
If there are any training implications in your policy, please complete the form below and make an appointment with the LEaD department (Louise
Hartland, Quality, Governance and Compliance Manager or Sharon Gomez, Essential Training Lead on 02380 874091) before the policy goes through
the Trust policy approval process.
Training Programme: Information Governance
Frequency: Face to Face – annual
Course Length: 1.5 hours
Delivery Method: Face to Face and e-Learning
Facilitators: LEaD Information Governance trainers
Recording Attendance:
Strategic & Operational Responsibility: Strategic – Director of Information; Operational – Head of Information Assurance
Directorate | Service | Target Audience
ISD’s | Adult Mental Health | All Staff
ISD’s | Older Persons Mental Health | All Staff
Appendix 2: Equality Impact Assessment
The Equality Analysis is a written record that demonstrates that you have shown
due regard to the need to eliminate unlawful discrimination, advance equality of
opportunity and foster good relations with respect to the characteristics protected
by the Equality Act 2010.
Stage 1: Screening
Please describe the positive and any potential negative impact of the policy
on service users or staff.