
SH IG 18

Data Protection, Caldicott & Confidentiality Policy
Version 4
Associated guidance/procedures:

- SH IG 12 Access to Personal/Clinical Records Procedure
- SH IG 29 Privacy Impact Assessment Procedure and Template
- SH IG 46 Information Sharing Policy & Guidance

Summary: This policy provides the framework to ensure that the Trust
complies with the requirements of the Data Protection Act
1998, Caldicott Principles and NHS Code of Confidentiality.

Keywords (minimum of 5, to assist policy search engine): Data Protection Act; Caldicott Guardian; principles; confidentiality; information governance; information security; Data Custodians; Information Asset Owners; Information Asset Administrators.

Target Audience: All staff employed by Southern Health NHS Foundation Trust, Contractors, Volunteers, Governors and Non-Executive Directors who have access to confidential personal information.

Next Review Date: March 2018

Approved and Ratified by: Information Governance Group. Date of meeting: 12/09/2016

Date issued: September 2016

Author: Lesley Barrington, Head of Information Assurance

Sponsor: Lisa Franklin, Director of Information & Technology; Dr Lesley Stevens, Medical Director/Caldicott Guardian

Data Protection, Caldicott & Confidentiality Policy
Version 4
September 2016
Version Control
Change Record

Date | Author | Version | Section | Reason for change
01/04/2011 | Lesley Barrington | dv0.1 | All | HPFT and HCHC policies brought together in a new format
01/11/2011 | Lesley Barrington | dv0.2 | All | Reviewed and updated from consultation
15/12/2011 | Lesley Barrington | dv0.3 | All | Reviewed and updated from consultation
15/12/2011 | Lesley Barrington | dv0.3 | 5.9 | Inclusion of specific paragraph relating to the use of data for research, and reference to DPA approval application form
07/02/2013 | Lesley Barrington | V2 | | Inclusion of reference to Privacy Impact Assessment Procedure and Template
24/03/2013 | Lesley Barrington | V2 | | Update of SIRO and Caldicott Guardian
10/12/2013 | Lesley Barrington | V3 | All | Minor updates and amendments
10/12/2013 | Lesley Barrington | V3 | 3.3 | Update re. Caldicott Review
10/12/2013 | Lesley Barrington | V3 | 5.2 | Update re. Caldicott Review: inclusion of new principle 7, information sharing
10/12/2013 | Lesley Barrington | V3 | 5.3 | Update re. newly published HSCIC Guide to Confidentiality: inclusion of 5 rules
10/12/2013 | Lesley Barrington | V3 | 11 | Updated references
July 2015 | Louise Hartland | 3 | 18 | Updated TNA (Appendix 1)
March 2016 | Lesley Barrington | 4 | 6 & 7 | Updated job titles
March 2016 | Lesley Barrington | 4 | 8 | Addition of 4.9: reference to IGG
March 2016 | Lesley Barrington | 4 | 11 | Inclusion of Health and Social Care (Safety and Quality) Act 2015
March 2016 | Lesley Barrington | 4 | 17 | Updated references and websites
March 2016 | Lesley Barrington | 4 | 17 | Included reference to IG SIRI incident reporting process
March 2016 | Lesley Barrington | 4 | App 2 | Updated Equality IA Screening Tool
Sept 2016 | Sharon France | 4 | 5.9 | Paragraph 4: change to HRA process
Sept 2016 | Sharon France | 4 | 5.9 | R&D to log requests
Sept 2016 | Sharon France | 4 | 11 | Supporting evidence
Sept 2016 | Sharon France | 4 | All | Remove reference to withdrawn policy SH IG 19

Reviewers/contributors

Name | Position | Version reviewed & date
Information Governance Group Membership | | dv0.1 – 22/08/2011
Chris Tite | IPHIS | dv0.1 – 23/08/2011
Paul Warner | ICS Manager | dv0.1 – 09/09/2011
Alida Towns | AMH IG Lead | dv0.1 – 02/09/2011
Zita Barham | Research Facilitator | dv0.1 – 01/11/2011
Information Governance Group Membership | | dv0.2 – 09/01/2012
Information Governance Group Membership / IG Leads | | V3 – 12/12/2013
Clinical and Area Directors | | V3 – 12/12/2013
Helen McCormack | Caldicott Guardian | V3 – 13/12/2013
Jennifer Dolman | Clinical Director | V3 – 13/12/2013
Information Governance Group Membership | | V4 – 14/03/2016
Information Governance Group Membership | | V4 – 12/09/2016

Contents

1. Introduction
2. Scope
3. Definitions
4. Duties/responsibilities
5. Main policy content
   5.1 DPA Principles
   5.2 Caldicott Principles
   5.3 Confidentiality
   5.4 Patient confidentiality
   5.5 Staff confidentiality
   5.6 Exemptions to the DPA 1998
   5.7 Disclosing information against subject's wishes
   5.8 Non-disclosure of personal information contained in a health record
   5.9 Personal identifiable data in medical research
   5.10 Privacy Impact Assessment Procedure and Template
6. Financial impact & resource implications
7. Training requirements
8. Monitoring compliance
9. Policy review
10. Associated documents
11. Supporting references

A1 Training Needs Analysis (TNA)
A2 Equality Impact Assessment (EqIA)

Data Protection, Caldicott & Confidentiality Policy

1. Introduction

1.1 This document describes Southern Health NHS Foundation Trust (the Trust) policy
on Data Protection and Caldicott requirements, and employees’ responsibilities for
the safeguarding of confidential information held both manually (non-computer in a
structured filing system) and electronically.

1.2 The Trust holds and manages a great deal of personal and confidential information
relating to patients, service users and carers, the public and employees of the NHS.

1.3 Data protection laws exist to strike a balance between the rights of individuals to
privacy and the ability of organisations to use data for legitimate business
purposes.

1.4 The Data Protection Act 1998 which came into force on 1st March 2000 is
concerned with "personal data" about living, identifiable individuals which is
"automatically processed or manually stored as part of a relevant filing system or
accessible record”. It need not be particularly sensitive information, indeed it can
be as little as name and address.

1.5 The Act works in two ways: it gives individuals certain rights, and it places certain responsibilities on those who record and use personal information. The Act incorporates eight data protection principles which are binding on all organisations processing personal data:

1. Personal data shall be processed fairly and lawfully.
2. Personal data shall be obtained only for one or more specified and lawful purposes.
3. Personal data shall be adequate, relevant and not excessive.
4. Personal data shall be accurate and kept up to date.
5. Personal data processed for any purpose must not be kept longer than necessary.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against the unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country outside the European Economic Area unless that country ensures an adequate level of protection.

ALL STAFF HAVE A LEGAL DUTY TO PROTECT THE PRIVACY OF INFORMATION ABOUT INDIVIDUALS

2. Scope

2.1 This policy covers all identifiable information created, processed and stored on
living individuals, patients or staff. Throughout this document the term “patient” is
used to refer to an individual who is receiving a service from the Trust, and this term
includes those people who are also known as “Service Users”, and “Clients”.
Similarly the terms “clinician” and “health professional” are used, but should be
interpreted as encompassing social care staff and NHS practitioners.

3. Definitions

3.1 The Data Protection Act 1998 (DPA 98) provides controls on the handling of
personal identifiable information for all living individuals. Central to the Act is
compliance with the eight data protection principles, designed to protect the rights
of individuals about whom personal data is processed whether an electronic or a
paper record.

3.2 The Access to Health Records Act 1990 provides controls on the management
and disclosure of health records for deceased patients. Thus the personal
representative of the deceased or a person who might have a claim arising from the
patient’s death can apply to request access to the files.

3.3 The Caldicott Report 1997 provides guidance to the NHS on the use and protection of patient-identifiable information (PII, now referred to as personal confidential data), and emphasises the need for controls over the availability of such information and access to it. It makes a series of recommendations which led to the requirement for all NHS organisations to appoint a Caldicott Guardian, who is responsible for compliance with the six original Caldicott confidentiality principles.

A review of the Caldicott Principles took place during 2012, chaired by Dame Fiona Caldicott. The report "The Information Governance Review – To share or not to share" was published in April 2013 and added a seventh principle. The recommendations from the report were ratified by the Government in September 2013. See sections 5.2 and 5.3 for detail.

3.4 The Common Law Duty of Confidentiality prohibits the use and disclosure of information provided in confidence unless there is a statutory requirement or court order to do so. Such information may otherwise be disclosed only for purposes that the subject has been informed about and has consented to, provided also that there are no statutory restrictions on disclosure. The duty is not absolute, but it should only be overridden where the holder of the information can justify disclosure as being in the public interest, for example to protect the vital interests of the data subject or another person, or for the prevention or detection of a serious crime.

4. Duties / Responsibilities

4.1 The Trust has established a structure to deliver information governance, to meet the
requirements of data protection and confidentiality.

4.2 The Chief Executive:

The Chief Executive has a duty to ensure that:

- staff are aware of the need to comply with the DPA 98, in particular with the rights of patients wishing to access personal information and/or their health records;
- staff are aware of the requirements of the common law duty of confidence as set out in Confidentiality: NHS Code of Practice;
- arrangements with third parties who process personal data on behalf of the Trust are subject to a written contract which stipulates appropriate security and confidentiality;
- local Research Ethics Committees and researchers are aware of the DPA 98 and how it applies to the use of data for research purposes.

4.3 Caldicott Guardian:

The Trust’s Caldicott Guardian is the Medical Director. The Caldicott Guardian is
responsible for agreeing and reviewing protocols for governing the transfer and
disclosure of personal confidential data across the Trust and supporting agencies.
To assist with the volume and diversity of this task the Caldicott Guardian is
supported by the Head of Information Assurance, Divisional IG Leads and
Information Asset Owners (who act as Data Custodians).

4.4 Data Protection Officer:

The Data Protection Officer is the Medical Director. The Data Protection Officer has
overall responsibility for managing and effectively implementing all activities
necessary to achieve compliance with the DPA 1998 throughout the Trust.

Main tasks:

- To promote awareness of the Act and the procedures contained in this policy
- To be responsible for compliance with the DPA 98 and the eight data protection principles
- To ensure Trust compliance with the notification requirements of the Information Commissioner's Office
- To monitor changes to working practices and, where any such changes are found to come within the remit of the DPA 98, to take appropriate action

4.5 Head of Information Assurance:

- Facilitate all the data protection and Caldicott functions within the Trust to support the above
- Advise and update the Trust in relation to directives/guidance from the Information Commissioner and the Department of Health
- Maintain an up-to-date Notification under the Data Protection Act 1998
- Via the Information Governance Framework, ensure that the Caldicott Guardian and Senior Information Risk Owner (SIRO) are informed of relevant issues and that decisions are recorded

4.5 Information Governance Manager:

- Responsible for co-ordinating the return of the annual Information Governance Toolkit assessment on behalf of the Head of Information Assurance, SIRO and Caldicott Guardian
- Be the first point of contact within the Trust for data protection and Caldicott issues
- Provide effective training for all staff in the requirements of Data Protection legislation and Caldicott principles
- Carry out Data Protection and Caldicott compliance checks in the Trust's departments as required
- Liaise with the Information Commissioner's Office
- Check and approve Data Protection and Caldicott principle applications in relation to research studies
- Working with the Records Manager, develop and support the Subject Access Request process, including training of Subject Access Designated Officers (see Access to Records Procedure)
- Working with the Records Manager, provide training in records management, including compliance with the DPA and Caldicott principles
- Working with the Records Manager, develop and maintain the records inventory in line with the NHS Code of Practice – Records Management
- Work with the Head of Information Assurance to support Information Asset Owners and Administrators

4.6 ICT Security Specialist:

- Provide an advisory service to the Information Governance Group and team
- Monitor and report on the state of Information Management & Technology (IM&T) security within the organisation
- Ensure that the Information Security Policy is maintained, up to date and implemented throughout the organisation
- Develop and enforce detailed procedures to maintain information security
- Ensure compliance with relevant legislation
- Ensure that the organisation's personnel are aware of their responsibilities and accountability for information security
- Monitor for actual or potential information security breaches
- Lead on cyber security issues

4.7 Operational/Service Managers:

Operational/Service Managers are responsible for ensuring compliance with policies, that staff attend and pass the annual mandatory IG training, and that breaches and issues raised by staff are acted upon. Managers are also responsible for ensuring that Information Asset Owners and Administrators are appointed.

4.8 Information Asset Owners:

Information Asset Owners undertake the role and responsibility of Data Custodians,
as referred to in the DPA 98 and are responsible for ensuring that the Data
Protection and Caldicott principles are fully observed and complied with by staff
within their department. Working with Team/Service Managers, Information Asset
Owners are required to ensure that all data flows and processing of data complies
with all current Data Protection policies, working closely with the Records Manager
and Information Governance Manager as appropriate.

- Promote Data Protection and Caldicott principles on an on-going basis, including posters, articles and local briefings.
- Promote local induction and ensure that all permanent new starters, before they access any information system, are given instruction on the Data Protection Act and Caldicott as part of their first day/week induction programme. Any temporary staff must also receive a local induction and be made aware of their duties and responsibilities.
- Ensure that all new permanent staff attend the Organisational Induction session and receive local induction as soon as they are able.
- Ensure all staff have access to current information on Data Protection Act and Caldicott requirements.
- Ensure that all staff are aware of the Information Asset Owner for their area.
- Ensure that all staff know the procedure for reporting IG and IT security incidents.
- Carry out an annual review of the Information Asset Register (which includes a Data Protection inventory, using the compliance proforma) to enable an assessment of compliance with the Data Protection and Caldicott principles within the service or area. [Refer to SH IG 21 Information Risk Management Policy and Information Asset Management framework.]
- Ensure applications for access to systems within the department are processed following the agreed procedures and with appropriate authorisation.
- Have systems in place to enable the above to be managed effectively within the service.

4.9 Information Governance Group

The Information Governance Group, chaired by the Delegated SIRO (Director of Information & Technology), is the forum responsible for ensuring that the Trust complies with the DPA 1998. It meets bi-monthly and reports to the Informatics Forum and the Audit, Assurance & Risk Committee.

5. Main policy content

This policy sets out the framework to ensure that the Trust complies with the law.

5.1 Data Protection Act 1998 - Principles and Practices to ensure compliance

The Trust will put in place procedures to ensure the eight principles in the DPA 98
are met.

Principle 1 - Personal data shall be processed fairly and lawfully

Compliance will be achieved by implementing the following measures:

- Ensuring the Trust's Data Protection Notification is kept up to date.
- Complying with the common law duty of confidentiality: any personal information given or received in confidence for one purpose may not be used for a different purpose or passed on to anyone else without the consent of the individual. However, the law recognises that research which does not directly lead to decisions about a person should have special freedom to use information in ways not foreseen when it was collected, but these uses must be fair and lawful. (Taken directly from MRC Executive Summary – Personal Information in Medical Research)
- Ensuring that the relevant conditions in Schedules 2 and 3 of the Act are met (see Appendix 2 for detail of the Data Protection Act 1998 - First Principle).
- Informing the individual how the data will be processed. This means fully describing how the data will be used: what will be done with the data, for what purposes it will be used, who it will be passed on to, and how it will be processed, stored and destroyed. [Refer to the Fair Processing Notice on the Trust website]

Principle 2 - Personal data shall be obtained only for specified and lawful purposes and further processed only in a compatible manner.

The following must be adhered to:

- Personal data must only be processed for the purposes for which it was originally obtained.
- Protocols should be in place to ensure that personal data that is passed on is used only for the purposes for which it was originally obtained.
- Hospitals and practices involved in research must develop procedures for making patients aware that their information may sometimes be used for research, and explaining the reasons and safeguards. Any objections from patients must be respected. (From MRC Executive Summary – Personal Information in Medical Research)

Principle 3 - Personal data must be adequate, relevant and not excessive.

This will be achieved by:

- Conducting routine audits as part of good data management practice.
- Ensuring that relevant records policies and professional guidelines (e.g. the information lifecycle policy) are adhered to.

Principle 4 - Personal data must be accurate and up to date.

This will be achieved by:

- Data users recording information accurately and taking reasonable steps to check the accuracy of information they receive from data subjects or anyone else.
- Data users regularly checking all systems to destroy out-of-date information and correct inaccurate information.

Principle 5 - Personal data must be kept no longer than necessary.

This will be achieved by:

- Adherence to Information Management Policies (i.e. the information lifecycle policy).
- Staff working in joint team situations using the maximum retention period.
- Compliance with the Department of Health's Records Management: NHS Code of Practice. Part 2 provides a comprehensive retention schedule, which is reflected in the information lifecycle policy.

Principle 6 - Personal data must be processed in accordance with the rights of the individual.

The Act gives individuals seven rights:

- the right of subject access (e.g. to see or have a copy of your medical records or staff files)
- the right to prevent processing likely to cause damage or distress
- the right to prevent processing for the purposes of direct marketing
- rights in relation to automated decision taking
- the right to take action for compensation if the individual suffers damage
- the right to take action to correct, block, erase or destroy inaccurate data
- the right to make a request to the Information Commissioner for an assessment to be made as to whether any provision of the Act has been contravened.

SH IG 12 Access to Personal Records Procedure details the process to be followed to manage a Subject Access Request.

Should an individual make a request to prevent processing then, depending on the individual circumstances, the Trust would have to make a judgement, based on the risk to the individual or others, as to whether it was right to provide a service. This decision can only be made by the Caldicott Guardian.

Principle 7 - Personal data must be kept secure.

Appropriate technical and organisational measures shall be taken against the unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Compliance will be achieved through the Information Security Policy and associated procedures, e.g. the Safe Haven Procedure.

Principle 8 - Personal data shall not be transferred to a country outside the European Economic Area unless that country can ensure an adequate level of protection.

To ensure compliance, protocols must be in place for any transfer of personal data outside the European Economic Area, and such a transfer may only take place where the destination country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

5.2 Caldicott Principles for handling personal confidential data:

1. Justify the purpose(s)

Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined and scrutinised, with continuing uses regularly reviewed, by an appropriate Guardian.

2. Don't use personal confidential data unless it is absolutely necessary

Personal confidential data items should not be included unless they are essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).

3. Use the minimum necessary personal confidential data

Where the use of personal confidential data is considered to be essential, the inclusion of each individual item of information should be considered and justified, so that the minimum amount of identifiable information necessary for a given function to be carried out is transferred or made accessible.

4. Access to personal confidential data should be on a strict need-to-know basis

Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the data items that they need to see. This may mean introducing access controls or splitting data flows where one information flow is used for several purposes. Health care organisations should be aware of the research conducted within the organisation, and should ensure research teams are accountable to them. (From MRC Executive Summary – Personal Information in Medical Research)

5. Everyone with access to personal confidential data should be aware of their responsibilities

The organisation must ensure that those handling personal confidential data, both clinical and non-clinical staff, are made fully aware of their responsibilities and obligations to respect patient confidentiality.

6. Understand and comply with the law

Every use of personal confidential data must be lawful. The Caldicott Guardian (the Medical Director, see section 4.3) is responsible for ensuring that the organisation complies with legal requirements.

7. The duty to share information can be as important as the duty to protect patient confidentiality

Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

The Health and Social Care (Safety and Quality) Act 2015 includes a legal duty requiring health and adult social care bodies to share information where this will facilitate care for an individual. [Refer to SH IG 46 Information Sharing Policy for details]

5.3 Confidentiality

The 'Confidentiality: NHS Code of Practice' was published by the Department of Health following major consultation in 2002/2003. The consultation included patients, carers and citizens; the NHS; other health care providers; and professional bodies and regulators. The guidance was drafted and delivered by a working group made up of key representatives from these areas.

The Code of Practice is a guide to required practice for those who work within or under contract to NHS organisations concerning confidentiality and patients' consent to the use of their health records. The Code uses the term 'staff' as a convenience to refer to all those to whom it should apply. Whilst directed at NHS staff, the Code is also relevant to anyone working in and around health services, including local authority staff working in integrated teams and private and voluntary sector staff.

The Code:

a. introduces the concept of confidentiality;
b. describes what a confidential service should look like;
c. provides a high-level description of the main legal requirements;
d. recommends a generic decision support tool for sharing/disclosing information;
e. lists examples of particular information disclosure scenarios.

A summary of the key confidentiality issues can be gained by reading the main body of the document (pages 1-12), while the supporting Annexes provide detailed advice and guidance on the delivery of a confidential service.

The full document CONFIDENTIALITY: NHS CODE OF PRACTICE can be accessed from http://www.dh.gov.uk/PublicationsAndStatistics/Publications/PublicationsPolicyAndGuidance/PublicationsPolicyAndGuidanceArticle/fs/en?CONTENT_ID=4069253&chk=jftKB%2B

Also available is the Supplementary Guidance: Public Interest Disclosures, published in November 2010, which provides guidance to NHS staff in making what are often difficult decisions on whether a breach of patient confidentiality can be justified in the public interest.

Following the publication of the Caldicott Review in April 2013, the Health & Social Care Information Centre published "A guide to confidentiality in health and social care", which identified five rules for treating confidential information with respect:

Rule 1: Confidential information about service users or patients should be treated confidentially and respectfully.

Rule 2: Members of a care team should share confidential information when it is needed for the safe and effective care of an individual.

Rule 3: Information that is shared for the benefit of the community should be anonymised.

Rule 4: An individual's right to object to the sharing of confidential information about them should be respected.

Rule 5: Organisations should put policies, procedures and systems in place to ensure the confidentiality rules are followed.

For the full document, which contains helpful guidance, go to: http://www.hscic.gov.uk/confguideorg

5.4 Patient Confidentiality

Health information is collected from patients in confidence and attracts a common law duty of confidence until it has been effectively anonymised. This legal duty prohibits information use and disclosure without consent, effectively providing individuals with a degree of control over who sees information they provide in confidence. This duty can only be overridden if there is a statutory requirement, a court order, or a robust public interest justification.

On admission and/or on first contact with the service for a particular matter, all patients should be asked which relatives, friends or carers they wish to receive information regarding treatment and progress, and those they specifically do not give permission to receive information. This information must be recorded in the clinical records, i.e. via RiO where deployed, in another electronic patient system, or in the paper records.

In cases where relatives have been heavily involved in patient care, the patient
must be explicitly asked as to what level these relatives can be kept informed. This
is particularly important in cases where relatives are requesting information on the
patient’s condition, perhaps before the patient has been informed.

For further guidance – refer to SH IG 46 Information Sharing Policy.

As a research-active organisation, staff may screen patients' records to identify potential research participants, with the Consultant's permission. Patients may also be approached by staff regarding participation in a particular research study in order to obtain consent.

In the event of the patient being unable to give permission, the Mental Capacity Act 2005 must be followed. Staff should refer to the Mental Capacity Act Policy and procedures for detail.

In all cases, the wishes expressed must be appropriately documented in the patient's clinical records.

5.5 Staff Confidentiality

All staff are required to keep confidential any information regarding patients and
staff, only informing those that have a need to know. In particular, telephone
conversations and electronic communications should be conducted in a confidential
manner.

Confidential information must not be disclosed to unauthorised parties without prior discussion and confirmation with a senior manager in the Trust. Staff must not process any personal information in contravention of the Data Protection Act 1998.

Any breach of these requirements will potentially be regarded as serious misconduct and as such may result in disciplinary action.

All staff have a confidentiality clause in their contract of employment. The Trust has an approved Data Protection and Confidentiality clause in all contracts with third-party contractors and suppliers who process personal information.

5.6 Exemptions to the Data Protection Act 1998

In certain circumstances personal information may be disclosed; guidance is given below. However, it is vital in each case that staff assess the need to disclose the information and document what information has been released, to whom, and for what reason.

5.7 Disclosing Information against the Subject's wishes

The responsibility to withhold or disclose information without the subject's consent lies with the senior manager or senior clinician involved at the time and cannot be delegated.

Circumstances where the subject's right to confidentiality may be overridden are rare. Examples of these situations are:

- Where the subject's life may be in danger, or cases in which s/he may not be capable of forming an appropriate decision
- Where there is serious danger to other people, where the rights of others may supersede those of the subject, for example a risk to children or the serious misuse of drugs
- Where there is a serious threat to the healthcare professional or other staff
- Where there is a serious threat to the community
- In other exceptional circumstances, based on professional consideration and consultation.

The following are examples where disclosure without consent is required:

 Births and deaths - National Health Service Act 1977
 Notifiable communicable diseases - Public Health (Control of Diseases) Act
1984
 Poisonings and serious accidents at the work place - Health & Safety at Work
Act 1974
 Terminations - Abortion Regulations 1991
 Child abuse - Children Act 1989 and The Protection of Children Act 1999
 Drug Addicts - Drugs (Notification of Supply to Addicts) Regulations 1973
 Road traffic accidents - Road Traffic Act 1988
 Prevention/detection of a serious crime e.g. terrorism, murder - The Crime and
Disorder Act 1998

If in doubt, staff should seek guidance, in confidence, from the senior Clinician or
the appropriate Senior Manager or the Information Governance Manager or the
Caldicott Guardian.

The Trust will support any member of staff who, having exercised careful
consideration and professional judgement and having sought guidance from their
manager, can satisfactorily justify and has documented any decision to disclose or
withhold information against a patient's wishes.

5.8 Non-Disclosure of personal information contained in a health record

An individual requesting access to their health records may be refused access to
parts of the information if an appropriate clinician deems that exposure to that
information could cause physical or mental harm to the data subject or a third party.
Clinicians should be prepared to justify their reasons in a court of law if necessary.
In all cases the reasons for non-disclosure must be documented.

Where access would disclose information relating to or provided by a third party,
consent for release must be sought from the third party concerned, unless that third
party is a health professional who had provided the information as part of their duty
of care. Where the third party does not consent, the information may be disclosed
provided the identity of the third party is not revealed. The DPA 98 suggests that
this might be done by omitting names and identifying particulars from the records.
Care should be taken to ensure that the information, if released, is genuinely
anonymous.

Further guidance is available from the Information Assurance Team – email:
hp-tr.informationassuranceteam@nhs.net.

The Trust is not required to supply copies of health records if the individual
requesting the information has:

 not provided enough supporting information in order for the information to be
located
 not supplied the appropriate fee
 not supplied the necessary evidence of identity

or

 the retrieval of the health records requires disproportionate effort

The Information Commissioner has released guidance on issues of law concerning
the right of access to personal data. See Durant v Financial Services Authority
[2003] EWCA Civ 1746, Court of Appeal (Civil Division), decision of Lord
Justices Auld, Mummery and Buxton dated 8th December 2003
(http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/the_durant_case_and_its_impact_on_the_interpretation_of_the_data_protection_act.pdf),
which gives guidance on:

 what makes “data” “personal” within the meaning of “personal data”
 what is meant by a “relevant filing system”
 upon what basis a data controller should consider it “reasonable in all the
circumstances” to comply with the request even though the personal data
includes information about another person and that person has not consented to
disclosure

5.9 Personal Identifiable Data in Medical Research

In order to ensure that the key principles of the Data Protection Act are adhered to,
the Medical Research Council published guidelines on Personal Information in
Medical Research (2000). These state clearly that the law assumes that whenever
people give personal information to health professionals caring for them, it is
confidential as long as it remains personally identifiable.

Frequently during medical research personal information is obtained from surveys,
medical records, scientific tests and interviews. This information is confidential and
any failure to control the ways in which it is used could be potentially harmful to a
person’s sense of security and self-confidence, the doctor-patient relationship, or
lead to unfair discrimination.

Since the Data Protection Act (DPA) 1998 (EU Data Protection Directive 95/46/EC)
became law in 2000, researchers must also ensure their work is consistent with the
law. However, the law recognises that research which does not directly lead to
decisions about a person should have special freedom to use information in ways
not foreseen when it was collected, but these uses must be fair and lawful.

All research within the Trust must comply with the Data Protection & Caldicott
Guardian Principles as set out within this Policy, be registered by the Research and
Development Department and undergo review through the Health Research
Authority (HRA) process.

The Research & Development Department will log and retain, as appropriate, all
relevant data protection agreements for research studies, as evidence of compliance
with the DPA 1998 and the Information Governance Toolkit.

5.10 Privacy Impact Assessment Procedure and Template

All projects and processes that involve personal information or intrusive
technologies give rise to privacy issues and concerns. To enable the Trust to
address these privacy concerns and risks, a technique referred to as a Privacy
Impact Assessment (PIA) must be used. This process ensures that the Trust complies
with the Data Protection Act: Principle 1 – “Personal Data shall be processed fairly
and lawfully” and Principle 2 – “Personal Data shall be processed for a specified
purpose”. Refer to SH IG 29 Privacy Impact Assessment Procedure and Template
for details.

6. Financial Impact & Resource Implications

As a Foundation Trust, and as stipulated in the Operating Framework, the Trust is
required to be compliant with the Information Governance Toolkit at Level 2.
Failure to maintain this would mean that the Trust would be unable to tender for
new business.

Additionally, the Information Commissioner’s Office monitors all serious breaches of
personal information and/or confidentiality, and could impose a fine of up to
£500,000.

7. Training Requirements (refer to Appendix 1 – TNA)

The Trust will ensure that training courses/presentations support this policy. The
training will ensure general awareness of the Data Protection and Caldicott
principles with more specific training for Data Custodians and/or Information Asset
Owners/Administrators.

All new staff will receive local and organisational induction on Information
Governance which will include confidentiality and records management. This will
be fully explained by their Manager or Data Custodian.

All staff will complete the required Information Governance Toolkit on-line learning
modules:
 New staff – beginner or introduction
 Annually – refresher module

8. Monitoring Compliance

Data Protection Act 1998 Compliance:

Compliance with the Data Protection Act is mandatory and the Trust will ensure that
it keeps an up to date register of all purposes for processing personal data and
makes the required notification to the Information Commissioner’s Office.

Information Governance Toolkit

The Trust is required to complete an annual review of Information Governance
compliance by completing the on-line Connecting for Health IG Toolkit. The toolkit
comprises the following indicators:

 Information Governance Management
 Confidentiality and Data Protection Assurance
 Information Security Assurance
 Clinical Information Assurance
 Secondary Use Assurance
 Corporate Information Assurance

The Trust is required to ensure that all permanent staff complete the relevant IG on-
line training module and monthly reports will be provided to operational managers to
ensure compliance, and this will be monitored via the Division Specific Performance
Review process.

Reporting of IG breaches:

All Level 2 IG SIRIs (serious incidents requiring investigation) will be reported via
the IGTK Incident Reporting Tool, which includes automatic notification to the
Information Commissioner’s Office. Refer to the IG Quick Reference Guide to
incident reporting, available on the Trust website:
http://www.southernhealth.nhs.uk/workday/policies/ig/

9. Policy Review

This policy will be subject to regular planned review and, if revised, all staff will be
alerted to the new version. The latest version can be found on the Trust Website.

10. Associated Documents

 SH IG 12 Access to Personal/Clinical Records Procedure
 SH IG 29 Privacy Impact Assessment Procedure and Template
 SH IG 46 Information Sharing Policy & Guidance

11. Supporting References and websites

 The Caldicott Manual – NHS Executive http://www.nationalhealthexecutive.com/
 UK Information Commissioner’s Office website https://ico.org.uk/
 Medical Research Council - Personal Information in Medical Research
(Executive Summary)
 Medical Research Council – Good Research Practice
 Information: To share or not to share? The Information Governance Review
(known as the Caldicott 2 Review); Department of Health; March 2013
 Information: To Share or not to Share – Government Response to the Caldicott
Review; Department of Health; September 2013
https://www.gov.uk/government/organisations/department-of-health
 A guide to confidentiality in health and social care – treating confidential
information with respect; Health & Social Care Information Centre; V1.1
September 2013 http://www.hscic.gov.uk/
 Information Governance Alliance - http://systems.hscic.gov.uk/infogov/iga
 Health Research Authority: http://www.hra.nhs.uk/about-the-hra/our-plans-and-
projects/assessment-approval/
 Confidentiality, Privacy and Data Protection e-learning resource available:
http://www.hra.nhs.uk/resources/data-legislation-and-information-
governance/confidentiality-privacy-and-data-protection/
 Southern Health Research and Development website:
http://www.southernhealth.nhs.uk/research/

Appendix 1
Training Needs Analysis – July 2015
If there are any training implications in your policy, please complete the form below and make an appointment with the LEaD department (Louise
Hartland, Quality, Governance and Compliance Manager or Sharon Gomez, Essential Training Lead on 02380 874091) before the policy goes through
the Trust policy approval process.
Training Programme: Information Governance
Frequency: annual
Course Length: Face to Face – 1.5 hours
Delivery Method: Face to Face and e-Learning
Facilitators: Information Governance trainers
Recording Attendance: LEaD
Strategic & Operational Responsibility: Strategic – Director of Information;
Operational – Head of Information Assurance

Directorate / Service / Target Audience
MH/LD/TQ21 – Adult Mental Health – All Staff
MH/LD/TQ21 – Specialised Services – All Staff
MH/LD/TQ21 – Learning Disabilities – All Staff
MH/LD/TQ21 – TQtwentyone – All Staff
ISD’s – Older Persons Mental Health – All Staff
ISD’s – Adults – All Staff
ISD’s – Childrens Services – All Staff
Corporate – All – All Staff

Appendix 2: Equality Impact Assessment

The Equality Analysis is a written record that demonstrates that you have shown
due regard to the need to eliminate unlawful discrimination, advance equality of
opportunity and foster good relations with respect to the characteristics protected
by the Equality Act 2010.

Stage 1: Screening

Date of assessment: 01/03/2016
Name of person completing the assessment: Lesley Barrington
Job title: Head of Information Assurance
Responsible department: Information Assurance
Intended equality outcomes:
Who was involved in the consultation of this document? Information Governance
Group membership

Please describe the positive and any potential negative impact of the policy
on service users or staff.

In the case of negative impact, please indicate any measures planned to
mitigate this by completing stage 2. Supporting information can be found
by following the link: www.legislation.gov.uk/ukpga/2010/15/contents

Protected Characteristic / Positive impact / Negative impact

For each of the following protected characteristics the positive impact recorded is
“Compliance with Data Protection Act and Caldicott Principles.” and no negative
impact is recorded:
 Age
 Disability
 Gender reassignment
 Marriage & civil partnership
 Pregnancy & maternity
 Race
 Religion
 Sex
 Sexual orientation

Stage 2: Full impact assessment

What is the impact? Mitigating actions Monitoring of actions
