NHS WEST NORFOLK CLINICAL COMMISSIONING GROUP SAFEHAVEN POLICY

Transcription

1 NHS WEST NORFOLK CLINICAL COMMISSIONING GROUP SAFEHAVEN POLICY 1

2 DOCUMENT CONTROL SHEET Name f Dcument: Safehaven Plicy Versin: 1 File Lcatin / Dcument Name: Held by Senir Infrmatin Risk Owner (SIRO): NHS West Nrflk CCG Safehaven Plicy Date Of This Versin: February 2014 Prduced By: Graham Cpsey, Head f Crprate Affairs Reviewed By: Jhn Ingham, SIRO Synpsis And Outcmes Of Equality N adverse impact identified and Diversity Impact Assessment: Ratified By (Cmmittee): Audit Cmmittee Date Ratified: Distribute T: WNCCG Staff, Gverning Bdy Date Due Fr Review: March 2016 Enquiries T: Head f Crprate Affairs Revisin Histry Revisin Date Summary f changes Authr(s) Versin Number Apprvals This dcument requires the fllwing apprvals either individual(s), grup(s) r Gverning Bdy. Name Title Date f Issue Versin Number 2

3 Cntents Page 1 Purpse 2 Scpe 3 Legislatin and Guidance 4 Definitins 5 Identifying when a Safe Haven is required 6 Requirements fr Safe Havens 7 Rules fr different kinds f Safe Haven 8 Use f Cmputers 9 Safe Haven Printers 10 Sharing infrmatin with nn NHS rganisatins 11 Develpment prcess 12 Rles and respnsibilities 13 Disseminatin and implementatin Disseminatin and implementatin 15 Overall Respnsibility fr Dcument 16 Endrsement 17 Review 3

4 1. Purpse 1.1. All NHS rganisatins require safe haven prcedures t maintain the privacy and cnfidentiality f persn identifiable infrmatin held. The implementatin f these prcedures facilitates cmpliance with the legal requirements placed upn the rganisatin, especially cncerning sensitive infrmatin e.g. a persn s medical cnditin Where Trusts and external partner agencies want t send persn identifiable infrmatin t NHS West Nrflk CCG (the CCG ), they shuld be cnfident that they are being sent t a lcatin which maintains the security cntrls ver data. 2. Scpe This plicy prvides: The legislatin and guidance which dictates the need fr a safe haven. A definitin f the term safe haven. When a safe haven is required. The necessary prcedures and requirements that are needed t implement a safe haven. Rules fr different kinds f safe haven. Wh can have access and wh yu can disclse infrmatin t. 3. Legislatin and guidance A number f Acts and guidance dictate the need fr safe haven arrangements t be set in place, they include: Data Prtectin Act 1998 (Principle 7) Apprpriate technical and rganisatinal measures shall be taken t make persn identifiable infrmatin secure. NHS Cde f Practice: Cnfidentiality Annex 1 Prtect patient infrmatin, Care must be taken, particularly with cnfidential clinical infrmatin, t ensure that the means f transferring frm ne lcatin t anther are secure as they can be. NHS Infrmatin Gvernance Tlkit requires the rganisatin t have a dcumented plan t ensure that transfers f persn identifiable and sensitive infrmatin are adequately secure. Caldictt Principles: Principle 1 Principle 2 Principle 3 Principle 4 Principle 5 Principle 6 Justify the purpse. Wh is asking fr the infrmatin? Why d they want it? Only use persn identifiable infrmatin when it is abslutely necessary Use the minimum persn identifiable infrmatin required Access shuld be n a strict need t knw basis Everyne must understand their respnsibilities Understand and cmply with the law. In 2013 the gvernment-cmmissined the Caldictt 2 review. Dame Fina Caldictt was charged with reviewing the whle prcess f sharing infrmatin and t cnsider the balance between prtecting and sharing infrmatin bth in the NHS and with 4

5 private prviders. Dame Fina has made a series f recmmendatins which are currently under cnsideratin by the Health Secretary wh will frmally respnd later in Definitins 4.1. Safe haven The term safe haven is recgnised thrughut the NHS t describe the administrative arrangements t safeguard the cnfidential transfer f persn identifiable infrmatin between rganisatins r sites. This term was initially meant t describe the transfer f facsimile messages, but shuld nw cver the data held and used within: Fax machines Pst Telephnes/answer phnes Manual recrds and bks White bards/ntice bards s Bulk data transfers 4.2. Persn Identifiable infrmatin This is ne r mre items f infrmatin which culd identify an individual (staff r service user) and reasnably be cnsidered private eg name and private address, name and hme telephne number, full pst cde, NHS number etc Sensitive Persn Identifiable infrmatin This is infrmatin that cntains details f an individual s: Health r physical cnditin Sexual life Ethnic rigin Religius beliefs Plitical views Criminal cnvictins Fr this type f infrmatin even mre stringent measures shuld be emplyed t ensure that the data remains secure Business Sensitive infrmatin This is infrmatin that if disclsed culd harm r damage the reputatin r image f an rganisatin. 5

6 5. Identifying when safe haven prcedures shuld be in place 5.1. Safe haven prcedures shuld be in place in any lcatin where persn identifiable infrmatin is received, held, r cmmunicated, especially where the persn identifiable infrmatin is f a sensitive nature. There shuld be at least ne area designated as a safe haven. 6. Requirements fr safe havens Lcatin / security arrangements: It shuld be in a rm that is lcked r accessible via a cded key pad knwn nly t authrised staff, OR The ffice r wrkspace shuld be sited in such a way that nly authrised staff can enter that lcatin, ie it is nt an area which is readily accessible t any member f staff wh wrk in the same building r ffice, r any visitrs. If sited n the grund flr any windws shuld have lcks n them and be secured. The rm shuld cnfrm t health and safety requirements in terms f fire, safety frm fld, theft r envirnmental damage. Manual paper recrds cntaining persn identifiable infrmatin shuld be stred in lcked cabinets. Desks shuld be kept clear and all persn identifiable data lcked away at the end f the day. Cmputers shuld nt be left n view r accessible t unauthrised staff and shuld have a secure screen saver functin and be switched ff when nt in use. When installing fax machines in the safe haven cnsideratin shuld be given t any security tls available n the machine, such as passwrd prtected memry. If the rm cntaining the machine cannt be lcked vernight, machines shuld be turned ff ut f ffice hurs. 7. Rules fr different kinds f safe haven All pints f receipt f infrmatin shuld be given safe haven cnsideratin by staff: phne messages, fax in-trays, electrnic mailbxes, pigen hles and in-trays fr paper infrmatin, ntice bards etc. All staff shuld be alert t the need t prtect cnfidential infrmatin shuld it cme their way. Fr guidance n what can be shared and hw, staff shuld refer t the IG Staff Guide, the Infrmatin Gvernance & Data Prtectin Plicy and the Nrflk Overarching Infrmatin Sharing Agreement r cntact the Crprate Affairs team, CCG Caldictt Guardian, r CSU IG team. 6

7 7.1 By Telephne Fr incming calls where the caller is unknwn and persn identifiable infrmatin is requested the fllwing practice must be adhered: Cnfirm the name, jb title, department and rganisatin f the persn requesting infrmatin Cnfirm the reasn fr request, if apprpriate Take a cntact telephne number, eg main switchbard number Check whether the infrmatin can be prvided. If in dubt tell the enquirer yu will call them back Prvide the infrmatin nly t the persn wh has requested it (d nt leave messages) Ensure that yu recrd yur name, the date and time f disclsure, the reasn fr it and wh authrised sharing. Als recrd the recipient s named, jb title, rganisatin and telephne number. Staff are expected t apply cmmn sense with regard t the pen plan ffice and use an available private rm fr telephne cnversatins that are highly cnfidential. 7.2 By NHS mail is currently the nly NHS apprved methd fr exchanging persn identifiable r sensitive data, but nly if bth the sender and recipient use an NHS mail accunt r if sending t anther gvernment secure dmain as fllws. Central Gv.gsi.gv.uk.ges.gv.uk gsx.gv.uk.md.uk.pnn.plice.uk.scn.gv.uk Lcal Gv.gcsx.gv.uk s shuld be stred apprpriately n receipt. Fr example, they shuld be saved t the Restricted drive r details shuld be incrprated int the relevant database r health recrd and the riginal shuld be deleted Fax machines Fax machines must nly be used t transfer persnal infrmatin where it is abslutely necessary t d s. Outside f nrmal wrking hurs, fax machines shuld either be turned ff r be lcated in a lcked ffice r cupbard. The fllwing rules must apply: The fax is sent t a safe lcatin where nly staff that have a legitimate right t view the infrmatin can access it. The sender is certain that the crrect persn will receive it and that the fax number is crrect. 7

8 Telephne the recipient f the fax (r their representative) t let them knw yu are ging t send cnfidential infrmatin Ask the recipient t acknwledge receipt f the fax. Care is taken in dialling the crrect number and the number is checked befre hitting the send buttn Cnfidential faxes must nt be left lying arund fr unauthrised staff t see. Only the minimum amunt f persnal infrmatin shuld be sent, where pssible the data shuld be annymised r a unique identifier used. Faxes sent must include a cver sheet, which cntains a suitable cnfidentiality clause and is marked Private and Cnfidential. If apprpriate request a reprt sheet t cnfirm that transmissin was cmplete. If yu find a cnfidential dcument has been faxed t yur machine, it is yur respnsibility t ensure that it is given t the named recipient and/r the sender has been ntified f the errr. Fax guidance is available n the website and displayed by the fax machines 7.4 By Pst All sensitive dcuments must be stred face dwn in public areas and nt left unsupervised at any time. Recipients f frequent r significant numbers f cnfidential mail are advised t keep a lg t recrd receipt and transfer within the rganisatin. Incming mail shuld be pened away frm public areas. Cnfirm the name, department and address fr the recipient. D nt use acrnyms as they can be easily cnfused. Outging mail (bth internal and external) must be sealed securely and the envelpe marked Private and Cnfidential, Addressee nly. When sending hardcpy cnfidential dcuments internally secure tamper prf envelpes shuld be used and sealed and a recrd f the transfer kept by the sender. Fr highly sensitive infrmatin a curier r recrded delivery shuld be used and signed cnfirmatin f receipt btained. In general cnsideratin shuld be given t transit methd and distance when chsing suitable secure packaging material. In all cases the addressee r recipient shuld acknwledge receipt f the infrmatin. Cnfirm receipt. 8

9 7.5 Transfer f cnfidential hardcpy infrmatin Lckable crates must be used t mve bulk cnfidential hard cpy infrmatin frm ne place t anther. Hardcpy infrmatin must be stred in a lcked cupbard r cabinet. Obtain a receipt fr hand delivered cnfidential infrmatin. Persn identifiable infrmatin shuld nly be taken ff site when abslutely necessary, r in accrdance with lcal plicy. Recrd what infrmatin yu are taking ff site and why, and if applicable, where and t whm yu are taking it. Infrmatin must be transprted in a sealed cntainer. Never leave persn identifiable infrmatin unattended. Ensure the infrmatin is returned as sn as pssible. Recrd that the infrmatin has been returned. 7.6 Use f Curiers and Taxis t transprt cnfidential infrmatin Only cmpanies that hld an existing service level agreement with the rganisatin with an apprpriate cnfidentiality clause can be used t transprt patient, staff, infrmatin advice shuld be sught frm the IG Manager if the name and cntact details f the cmpany are nt knwn. Any items fr transprt in this way shuld be signed in and ut apprpriately and cpy evidence f sending/receipt retained. 7.7 Transferring cnfidential infrmatin by remvable media Please refer t NHS Anglia CSU IT & Infrmatin Security plicy. 8. Use f Cmputers Access t any cmputer must be passwrd prtected in line with current IT access rules, this must nt be shared. Cmputer screens must nt be left n view s members f the general public r staff wh d nt have a justified need t view the infrmatin can see persn identifiable data. Press cntrl, alt, delete t secure yur cmputer when away frm yur desk. Cmputers r laptps nt in use shuld be switched ff r have a secure screen saver device in use. Infrmatin shuld be held n the rganisatin s netwrk servers, and nt stred n lcal hard drives. Departments shuld be aware f the high risk f string infrmatin lcally and take apprpriate security measures. Infrmatin shuld nt be saved r cpied int any PC r media that is utside the NHS. 9

10 Persnal infrmatin shuld be sent ver NHS mail with apprpriate safeguards: Clinical infrmatin is clearly marked; s are sent t the right peple; Brwsers are safely set up s that fr example, passwrds are nt saved and temprary internet files are deleted n exit; The receiver is ready t handle the infrmatin in the right way; Infrmatin sent by will be safely stred and archived as well as being incrprated int patient recrds; There is an audit trail t shw wh did what and when; There are adequate fall back and fail-safe arrangements. 9. Safe haven printers There are n designated safe haven printers, hwever, printers that have a secure print functin shuld use this t print cnfidential dcuments e.g. Multi-Functinal Devices. Where this is nt pssible, staff must ensure cnfidential printing is cllected immediately. Cnfidential printing that is left lying arund shuld be reprted t the CCG Caldictt Guardian r t the Crprate Affairs team. 10. Sharing infrmatin with nn NHS rganisatins 10.1 Staff authrised t disclse infrmatin t ther rganisatins utside the NHS must seek an assurance that these rganisatins have a designated safe haven pint fr receiving persn identifiable infrmatin The CCG must be assured that these rganisatins are able t cmply with the safe haven eths and meet certain legislative and related guidance requirements: Data Prtectin Act 1998 Cmmn law duty f cnfidence NHS Cde f Practice: Cnfidentiality Staff sharing persn identifiable infrmatin with ther agencies shuld d s in cmpliance with the plicies listed n the staff intranet 11. Develpment prcess The CCG has develped this plicy in partnership with NHS Anglia Cmmissining Supprt Unit. The plicy has been apprved by the Audit Cmmittee. 12. Rles & respnsibilities It is recgnised that all staff in the rganisatin have respnsibility fr ensuring the safe receipt, maintenance and disclsure f persn identifiable infrmatin and that it is dne in line with this plicy and that gd practice is maintained thrughut the rganisatin. Failure t cmply with the requirements f this plicy culd lead t disciplinary prcedures. Caldictt Guardian is respnsible fr ensuring persn identifiable infrmatin is received, stred and used in line with the CCG bligatins t the Data Prtectin Act 1998 and the NHS Health & Scial Care Infrmatin Centre Infrmatin Gvernance Tlkit. 10

11 SIRO (Senir Infrmatin Risk Owner) is respnsible fr prtecting data and managing infrmatin risks. Senir Managers are respnsible fr ensuring safe haven prcedures are knwn and fllwed in their areas. All CCG staff and Gverning Bdy members wrking fr the CCG in whatever capacity (including but nt limited vlunteers and researchers) wh prcess persn identifiable infrmatin are respnsible fr ensuring safe haven guidance is adhered t. Cnfidentiality breaches shuld be reprted immediately t the line manager fllwing the incident reprting prcesses 13. Disseminatin and Implementatin 13.1 The respnsibility fr disseminatin and implementatin f this plicy fllws the plicy fr prcedural dcuments and the prcess detailed within The plicy will be implemented immediately n receipt 14. Accessibility Cpies f this dcument will be available n the CCG website and as part f the IG pages n the staff intranet. 15. Overall respnsibility fr the dcument The Audit Cmmittee will take respnsibility fr crdinating the develpment, implementatin, review and up-keep f this dcument. The SIRO is the dcument wner. 16. Endrsement This dcument will be endrsed thrugh the Audit Cmmittee. 17. Review 17.1 This plicy will be reviewed every tw years In additin t 17.3 this plicy will be amended fllwing changes in legislatin r apprved guidance The Audit Cmmittee will be respnsible fr ensuring that reviews are undertaken. 11