INFORMATION GOVERNANCE POLICY


Including the Information Governance Strategy Framework and associated Information Governance Procedures

Last Review Date: N/A
Approving Body: Governing Body
Date of Approval: 20th September 2013
Date of Implementation: 1st October 2013
Next Review Date: October 2016
Review Responsibility: Chief of Corporate Services
Version: 1.0

REVISIONS/AMENDMENTS SINCE LAST VERSION

Date of Review: August 2013
Amendment Details: New policy developed from a range of previous PCT Information Governance policies, frameworks and related procedures.

Date of Review: December 2014
Amendment Details: Policy updated on PIA Procedure, Caldicott Principle 7, Roles and Accountabilities, additional definitions, application forms for access to records, further clarity on information sharing principles.

CONTENTS

Definitions

Section A Policy
1. Policy Statement, Aims & Objectives
2. Legislation & Guidance
3. Scope
4. Accountabilities & Responsibilities
5. Dissemination, Training & Review

Section B Information Governance Strategy & Management Framework
- Introduction
- Strategic Aims
- Openness & Information Sharing
- Information Security
- Information Quality Assurance / Data Quality
- Data Protection
- Records Management / Information Lifecycle Management
- Freedom of Information and Environmental Information Regulations
- Confidentiality Code of Conduct / Caldicott
- Information Risk Management & Lessons Learned
- Information Asset Lists & Database List
- Improvement Plan and Assessment

Section C Information Governance Procedures
A. INFORMATION SHARING PROCEDURE
B. RECORDS MANAGEMENT PROCEDURE
C. ACCESS PERSONAL DATA UNDER THE DATA PROTECTION ACT 1998 AND ACCESS TO HEALTH RECORDS ACT 1990
D. CONFIDENTIALITY CODE OF CONDUCT AND DATA PROTECTION PROCEDURE
E. DATA QUALITY PROCEDURE
F. LAPTOPS, OTHER PORTABLE DEVICES OFFSITE USERS PROCEDURE
G. MOBILE TELEPHONE PROCEDURE
H. PROCEDURE FOR REGISTERING AND AUTHORISING COMPUTERISED DATABASES FOR THE STORING AND PROCESSING OF PERSONAL DATA
I. PASSWORD MANAGEMENT PROCEDURE
J. INTERNET, & SOCIAL NETWORKING POLICY
K. PRIVACY IMPACT ASSESSMENT PROCEDURE

DEFINITIONS

Access Control: The prevention of unauthorised use of a resource, including the prevention of use of a resource in an unauthorised manner.

Accountability: The property that will enable the originator of any action to be identified (whether the originator is a human being or a system).

Anonymised information: Information from which no individual can be identified.

Caldicott: Maintaining the legal right to patient confidentiality.

Confidentiality: Data access is confined to those with specified authority to view the data.

Consent:
- Explicit Consent means articulated agreement and relates to a clear and voluntary indication of preference of choice, usually given orally or in writing and freely given in circumstances where the available options and the consequences have been made clear.
- Implied Consent: This means agreement that has been signalled by the behaviour of an individual with whom a discussion has been held about the issues and who therefore understands the implications of the disclosure of information.
- Informed Consent: An informed consent can be said to have been given based upon a clear appreciation and understanding of the facts, implications, and future consequences of an action. In order to give informed consent, the individual concerned must have adequate reasoning faculties and be in possession of all relevant facts at the time consent is given.

Data controller: A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

Data processor: Any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

Information Asset Administrator (IAA): The IAO can assign day to day responsibility for each Information Asset to an IAA or other manager. This should be formalised in job descriptions.

Information Asset Owner (IAO): Guidance for standard 307 of the Information Governance Toolkit Version 11 defines an owner as a member of staff senior enough to make decisions concerning the asset at the highest level. The IAO should understand what information is held, what is added and removed, how information is moved, who has access and why. As a result they should be able to understand and address risks to the information and to ensure that information is fully used within the law for the public good. The IAO will also be responsible for providing regular reports to the Senior Information Risk Owner (SIRO), a minimum of annually on the assurance and usage of their assets.

Information Governance: The good practice guidelines necessary to ensure that organisations and individuals deal with information legally, securely, efficiently and effectively in order to deliver the best possible care.

Information Lifecycle Management: The main principles of Information Lifecycle Management are that it applies to information in paper and other physical forms e.g. electronic, microfilm, negatives, photographs, audio or video recordings and other assets, and that it relates to the 5 distinct phases in the life of information; creation, retention, maintenance, use and disposal.

Information Risk: Information Risk is inherent in all activities and an information risk assurance process is set out as a requirement of the Information Governance Toolkit. Information risk management seeks to identify and control information risks in relation to business processes and functions and is led by the Senior Information Risk Owner (SIRO).

NHS Doncaster CCG: NHS Doncaster Clinical Commissioning Group.

Password: Confidential authentication information composed of a string of characters.

Personal Confidential Data: Data consisting of information which relates to a living individual who can be identified from that information (or from that and other information in the possession of the Data User), including any expression of opinion about the individual but not any indication of the intentions of the Data User in respect of that individual.

Processing of data: Obtaining, recording or holding information or data or carrying out any operation or set of operations on the information or data, including a) organisation, adaptation or alteration of the information or data, b) retrieval, consultation or use of the information or data, c) disclosure of the information or data by transmission, dissemination or otherwise making available, or d) alignment, combination, blocking, erasure or destruction of the information or data.

Risk: The chance that something will happen that will have an impact on achievement of the organisation's aims and objectives. It is measured in terms of likelihood (probability of the risk occurring) and consequence (impact or magnitude of the effect of the risk occurring).

Risk assessment: A process of identifying the hazards in a workplace so as to effectively eliminate or adequately control the risks.

Risk Management: A process that enables organisations to identify, analyse, control and monitor risks. By doing this we can protect our patients, visitors, contractors and employees.

Safe Haven: The term Safe Haven refers to a location (or in some cases a piece of equipment) situated on NHS Doncaster CCG premises where arrangements and procedures are in place to ensure person-identifiable information can be held, received and communicated securely.

Security breach: Any event that has, or could have resulted in, loss or damage to NHS assets, or an action that is in breach of NHS security procedures.

Senior Information Risk Owner: The SIRO understands how the strategic business goals of the organisation may be impacted by information risks. The SIRO acts as an advocate for information risk on the NHS Doncaster CCG Board and in internal discussions and will provide written advice to the Chief Officer on the content of their Annual Governance Statement in regard to information risk.

Sensitive Personal Data: Data relating to individuals which is classified as sensitive as defined by the Information Commissioner and for which a greater degree of confidentiality is owed. This includes records relating to health and social care, personal financial circumstances, sexuality, ethnicity etc.

SECTION A

1. Policy Statement, Aims & Objectives

1.1. NHS Doncaster Clinical Commissioning Group (CCG) fully supports the principles of information governance, recognising its public accountability, but equally placing importance on the confidentiality of, and the security arrangements to safeguard personal information about patients, employees and commercially sensitive information and for implementing risk management and embedding risk management into the culture of the organisation.

This document sets out the NHS Doncaster CCG's policy for Information Governance within the organisation. This policy includes the Information Governance Framework and all associated procedures.

The organisation recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. Equal importance is placed on the confidentiality of, and the security arrangements to safeguard personal information about patients and employees, and commercially sensitive information. The organisation also recognises the need to safely share patient information with other health organisations and other partner care organisations, with the explicit consent of the patient or where there is a legal gateway to share. In certain circumstances information may be shared with other agencies in the public interest in line with agreed protocols.

Information Governance plays a key part in supporting clinical and corporate governance. The organisation recognises the importance of reliable information, both in terms of the clinical management of individual patients and the efficient management of services and resources. It also gives assurance to the organisations and to individuals that personal information is dealt with legally, securely, efficiently and effectively.

There are 4 principal areas which form the scope of Information Governance:
- Information Governance Management
- Confidentiality and Data Assurance
- Information Security Assurance
- Clinical Information Assurance

1.6. The aims of this policy are to:
- Provide employees with a framework through which all the elements of Information Governance will be met.
- Ensure a proactive use of information within the organisation both for patient care and service management as determined by law, statute and best practice.
- Ensure NHS Doncaster CCG complies with the requirements contained in the Information Governance Toolkit.
- Ensure Information Governance Training is completed by all employees and agency workers on an annual basis.
- Describe the management and accountability arrangements for Information Governance within NHS Doncaster CCG.
- Ensure a proactive use of information between the organisation and other NHS and partner organisations to support patient care as determined by law, statute and best practice.
- Ensure non-confidential information is made widely available in line with responsibilities under the Freedom of Information Act (2000) and Environmental Information Regulations (2004).
- Ensure there are effective arrangements to support confidentiality, security and the integrity of personal and other sensitive information.
- Ensure the organisation's information is of the highest quality in terms of accuracy, timeliness and relevance.

To ensure continuous improvement in information governance the organisation has a range of key performance indicators (KPIs) which it uses for monitoring purposes:

1. Key Performance Indicator: Minimum of Level 2 compliance with the Information Governance Toolkit.
   Method of Assessment: Self-assessment completed as required by the Health & Social Care Information Centre and annual audit.
2. Key Performance Indicator: Mandatory Information Governance training completed by all staff.
   Method of Assessment: Reports through the Corporate Assurance quarterly report and Information Governance Training Tool.
3. Key Performance Indicator: Production of quarterly Corporate Assurance reports.
   Method of Assessment: Audit Committee & Governing Body minutes.

2. Legislation and Guidance

2.1. The following legislation and guidance has been taken into consideration in the development of this policy:
- The Data Protection Act (1998)
- The Freedom of Information Act (2000)
- Environmental Information Regulations (2004)
- Access to Health Records Act (1990)
- Human Rights Act (1998)
- European Directive 95/46C (Data Protection Directive)
- Crime and Disorder Act (1998)
- Criminal Procedures and Investigations Act (1996)
- Regulatory and Investigatory Powers Act (2000)
- ICO Framework Code of Practice for Sharing Personal Information (2007)
- NHS Act (2006) and as updated 2012
- Information Sharing Guidance for Practitioners and Managers (2008)
- Confidentiality NHS Code of Practice (2003)
- Health and Social Care Act (2012)
- Caldicott Guidance (2010)
- Information: To Share or Not to Share: Government Response to Caldicott Review (2013)
- Computer Misuse Act 1990
- Fraud Act 2006
- Information Governance Toolkit
- Ensuring Security & Confidentiality in NHS Organisations (E5498)
- Copyrights, Designs & Patents Act 1990
- HSC 2000/09 Protection & Use of Patient Information
- Department of Health: Records Management: Code of Practice June 2009
- Information Governance Assurance Programme Guidance 2008/09
- Public Records Acts 1958 and 1967
- Common Law Duty of Confidentiality
- Public Interest Disclosure Act

3. Scope

3.1. This policy applies to those members of staff that are directly employed by NHS Doncaster CCG and for whom NHS Doncaster CCG has legal responsibility. For those staff covered by a letter of authority / honorary contract or work experience this policy is also applicable whilst undertaking duties on behalf of NHS Doncaster CCG or working on NHS Doncaster CCG premises and forms part of their arrangements with NHS Doncaster CCG. As part of good employment practice, agency workers are also required to abide by NHS Doncaster CCG policies and procedures, as appropriate, to ensure their health, safety and welfare whilst undertaking work for NHS Doncaster CCG.

4. Accountability and Responsibilities

4.1. Overall accountability for ensuring that there are systems and processes to effectively manage information governance lies with the Chief Officer. Responsibility is also delegated to the following individuals.

Chief of Corporate Services (or equivalent)

Has delegated responsibility for:
- Providing the necessary leadership, management, specialist, technical and legal advice to Information Governance across the organisation, ensuring Information Governance requirements, compliance and standards are met.
- Acting as the organisational Senior Information Risk Owner (SIRO), ensuring the identification and mitigation of corporate and operational risks relating to all aspects of Information Security Management.
- Acting as the nominated Data Protection Officer for the organisation and ensuring the continued registration of the organisation in line with the Data Protection Act.
- Ensuring that the organisation meets the requirements of the Information Governance Standards under the Information Governance Toolkit (IGT) and associated assurance frameworks to ensure that a high level of compliance is reached and maintained by the organisation.
- Initiating and managing confidentiality and governance-related audits and working with Internal Audit to assess progress, developing action plans as required.
- Oversight of the impact of organisational changes on information assets.
- Ensuring a privacy impact assessment procedure is in place.
- Monitoring and taking action on all Information Governance related incidents, ensuring the development of action plans and external reporting where appropriate.
- Strategically leading the organisation's approach to the creation, storage, sharing, management and disposal of both corporate and clinical records, ensuring compliance with relevant legislation and guidance.

Chief Nurse (or equivalent)

Has delegated responsibility for:
- Acting as the Caldicott Guardian for the organisation with responsibility for Clinical Information Assurance and Clinical Governance.

Governance Manager (or equivalent)

Has delegated responsibility for:
- Overseeing, coordinating and issuing information governance information, maintaining appropriate records regarding information governance, and monitoring developments in information governance.
- Ensuring maintenance of the information asset registers including portable IT equipment, information flows, Database of Databases and liaising with all teams to ensure this is regularly updated.
- Supporting the SIRO in Information Security Management.
- Providing information for patients in relation to how their information is held, used and shared and answering queries in relation to this.
- Operationally managing the organisation's approach to the creation, storage, sharing, management and disposal of both corporate and clinical records, ensuring compliance with relevant legislation and guidance.
- Dealing with subject access requests.
- Overseeing Information Governance training compliance.
- Operationally managing the organisation's response to the requirements of the Information Governance Standards under the Information Governance Toolkit (IGT).
- Contributing to governance-related audits and working with Internal Audit to assess progress, developing action plans as required.
- Administering Information Governance related incidents, ensuring the development of action plans and external reporting where appropriate.

Information Asset Owners

Information Asset Owners are responsible for providing regular reports to the Senior Information Risk Owner (SIRO), a minimum of annually on the assurance and usage of their assets. The Information Asset Owners have delegated responsibility for:
- Maintaining professional standards according to best practice in liaison with staff working in the area.
- Ensuring local application of guidelines including retention and disposal schedules and advising on disposal.
- Determining the most effective ways of promoting the guidelines in their area e.g. training, induction, team meetings etc.
- Providing support and advice to staff in the area of Records Management with the assistance of the Caldicott Guardian and Corporate Services.
- Monitoring performance through quality control/periodic audits.
- Ensuring compliance with the standards, legislation, policies and procedures relating to the management of records.
- Identifying areas where improvements could be made.
- Ensuring that staff complete relevant training on records management, confidentiality and data protection.
- Reviewing/adopting tracking and registration systems for appropriate records in all areas.
- Ensuring appropriate records are archived.
- Ensuring that there is a mechanism for identifying records which must be kept for permanent preservation.
- Ensuring the confidentiality, integrity, and availability of all information that their system processes and protecting against any anticipated threats or hazards to the security or integrity of such information.
- Undertaking information risk assessments on all information assets where they have been assigned ownership, following guidance from the SIRO on assessment method, format, content, and frequency which is provided through the annual Data Assets & Flows update exercise.
- Reporting security incidents and ensuring that the reports are fully documented, including type of incident, and ensuring that countermeasures are put in place.
- Reporting to the SIRO and ensuring countermeasures are discussed and implemented in conjunction with security incidents.
- Initiating the necessary disciplinary action through the HR Team if a member of staff is found to be disregarding procedures which could result in a security incident.

Information Asset Administrator

The IAO can assign day to day responsibility for each Information Asset to an IAA or other manager.

All Staff

Responsibilities of Staff (including all employees, whether full/part time, agency, bank or volunteers) are:
- Complying with this policy and procedures.
- Identifying any gaps in the policy to the responsible officers.

The Audit Committee of the Governing Body has been delegated responsibility for overseeing information governance management by the Governing Body. The Corporate Governance Management Group has been established by the Audit Committee to ensure that a sound system of corporate governance, risk management and internal control is in place which supports the achievement of the CCG's objectives and provides the Audit Committee and ultimately the Governing Body with assurance both as an employer and as a statutory body.

The Audit Committee will monitor compliance with Information Governance requirements through the quarterly Corporate Assurance Report containing assurance to enable the Committee to:
- Review the systems in place to develop and implement the Information Governance Policy and all other related procedures.
- Review information incident reporting procedures, monitoring and assuring systems to investigate all reported instances of actual or potential breaches of confidentiality and security.
- Review Information Governance requirements in line with changes on at least an annual basis in order to update contracts, policy and training accordingly.
- Review systems in line with national directives.
- Work with Internal Audit to facilitate effective audits against nationally and locally agreed criteria.
- Support the provision of high quality care by promoting the effective and appropriate use of information.
- Receive assurance of assessments undertaken using the Information Governance Toolkit, overseeing work plans to address gaps identified and ensuring they are monitored and performance managed.
- Assure the Governing Body that Information Governance policies and procedures remain up-to-date, reflect national guidance and are in operational use throughout the organisation.
- Monitor the CCG's information handling activities to ensure compliance with the law and guidance e.g. reviewing results of audits.
- Provide a focal point for the resolution and/or discussion of Information Governance issues.
- Receive assurance that mandatory information governance training is completed annually by all staff and additional information governance training is completed which is necessary to support their role.
- Receive assurance that relevant information governance experience, evidence, research, information and data is readily available to all staff.

NHS Doncaster CCG's Information Governance Framework is used in conjunction with the policy and will act as an overarching framework for the local delivery of Information Governance.

5. Dissemination, Training and Review

5.1. Dissemination

The effective implementation of this policy will support openness and transparency. NHS Doncaster CCG will:
- Ensure all staff and stakeholders have access to a copy of this policy via the organisation's website and shared drive.
- Communicate to staff any relevant action to be taken.
- Ensure that relevant information governance training raises and sustains awareness of the importance of effective information governance management.

This policy is located on the Shared Drive. All procedural documents are available via the organisation's website. Staff are notified by of new or updated procedural documents.

Training

All staff are required to complete basic information governance training annually and will also be asked to complete other training commensurate with their duties and responsibilities. Staff requiring support should speak to their line manager in the first instance. Managers should contact the Corporate Services Team if there are specific training needs.

Review

The policy will be reviewed every three years, and in accordance with the following on an as and when required basis:
- Legislative changes
- Good practice guidelines
- Case Law
- Significant incidents reported
- New vulnerabilities identified
- Changes to organisational infrastructure
- Changes in practice

This policy will be performance monitored to ensure that it is in-date and relevant to the core business of the NHS Doncaster CCG. The results will be published in the regular Corporate Assurance Reports.

SECTION B INFORMATION GOVERNANCE STRATEGY & MANAGEMENT FRAMEWORK

1. Introduction

1.1. This document sets out the approach to be taken within the organisation to provide a robust Information Governance framework for the management of information. It supports the Information Governance policy and procedures by addressing key areas for Information Governance development across the organisation and with our partners and cannot be seen in isolation as information plays a key part in governance, strategic risk, knowledge management, service planning, procurement and performance management. The Information Governance Policy, Framework and procedures will be made available to staff via the website and shared drive to improve staff awareness of the organisation's approach to future Information Governance developments.

Key Related Procedures

A. INFORMATION SHARING PROCEDURE
B. RECORDS MANAGEMENT PROCEDURE
C. ACCESS PERSONAL DATA UNDER THE DATA PROTECTION ACT 1998 AND ACCESS TO HEALTH RECORDS ACT 1990
D. CONFIDENTIALITY CODE OF CONDUCT AND DATA PROTECTION PROCEDURE
E. DATA QUALITY PROCEDURE
F. LAPTOPS, OTHER PORTABLE DEVICES OFFSITE USERS PROCEDURE
G. MOBILE TELEPHONE PROCEDURE
H. PROCEDURE FOR REGISTERING AND AUTHORISING COMPUTERISED DATABASES FOR THE STORING AND PROCESSING OF PERSONAL DATA
I. PASSWORD MANAGEMENT PROCEDURE
J. INTERNET, & SOCIAL NETWORKING POLICY
K. PRIVACY IMPACT ASSESSMENT PROCEDURE

1.3. The Audit Committee oversees the Information Governance agenda, with operational delegation to the Corporate Governance Management Group.

The following organisational resources are available to the agenda:
- Chief of Corporate Services
- Governance Manager
- Information Asset Owners
- Information Asset Administrators

19 2. Strategic Aims Aim Detail Outcome Aim 1 -Training & Staff Awareness Fundamental to the success of delivering the Information Governance Framework is developing an Information Governance culture within the organisation. Awareness and Information Governance training is mandatory for all NHS Doncaster CCG staff through an e- learning programme. A training needs analysis will identify staff roles where additional Information Governance training is indicated and this will be made available through a variety of sources including e-learning and specialist sessions as required. All staff should have access to up-to-date legislation and guidance relating to their roles. This is facilitated by providing access to the internet, as well as suitable training. All staff are required to read and sign the Confidentiality Code of Conduct on appointment, which describes the organisation s expectations regarding staff compliance with statutory requirements such as the Data Protection Act 1998 and the Human Rights Act This requirement extends to all agency and temporary staff and, where appropriate, to contractors working on site. Adequate training must be available to all staff to support the development and implementation of new technologies and working practices. An information governance staff survey will be sent out annually to all staff to check their awareness of a range of Information Governance areas. A summary will then submitted as part of the Corporate Assurance Report. Where it is deemed appropriate to raise staff awareness further or to advise of recent changes, additional information is included in Team Meetings or via group e- mails to all staff. All staff are aware of Information Governance legal and national requirements thus reducing the risk of a breach which could result in distress to patients or colleagues or an incident, complaint, claim or adverse publicity for NHS Doncaster CCG. 19

20 Aim Detail Outcome Aim 2 Staff and Patients are informed of how their information is used The Organisation must ensure that staff and patients are made aware of how their information is used and of the importance of checking accuracy of data. In order to make sure that all are aware of their rights regarding data, there is a leaflet and Fair Processing Notice published on the CCG website. All staff should be aware of these documents and offer them if queried about these issues. Staff should be encouraged to check data accuracy to reduce the likelihood of mistakes being made e.g. incorrect identification of similarly named people. Staff and patients will be informed about the uses of information held about them. Effective and timely communication should enable the organisation to move forward with technological advances. Aim 3 Information Governance Toolkit Continual progress against the Information Governance Toolkit with a minimum score level 2 against all standards Continual progress and improvement against the Information Governance Toolkit is a key target for the organisation. In this way, Information Governance processes will be built into the culture and based on best practice. A score of level 2 or above for the Information Governance Toolkit is also required for performance management purposes. The organisation will reassess compliance on an ongoing basis to reflect changes in the toolkit requirements, to re-evaluate the robustness of evidence and to comply with NHS requirements for continuous rather than annual assessments. The organisation will ensure a proactive Information Governance culture and meet required performance targets. 20

21 Aim Detail Outcome Incidents and potential incidents involving information, data and personal or sensitive records are reported, analysed and lessons learned (see Risk Management Policy and Procedures) Aim 4 - Risk Management Any unforeseen occurrences involving staff or patient personal information or breaches of confidential business information (in whatever format) should be reported via the incident reporting system. Information Governance incidents may include Information Management Technology and Security, unauthorised access, Caldicott/Data Protection/Freedom of Information or all aspects of records management from creation to disposal. Staff should be encouraged to report these types of incidents promptly and should receive feedback to enable them to improve practice. Information Governance Incidents are reviewed as part of the overall risk management process and included where appropriate in the risk register. The Senior Information Risk Owner (SIRO) is responsible for ensuring the safe management all information related risks. The organisation has developed arrangements to report and manage serious incidents in line with the Information Governance Assurance Programme Guidance including reporting to NHS England and Information Commissioner as required. This also includes a requirement to incorporate such issues in the Annual Governance Statement. Improved incident reporting and hence, better understanding of real and potential risks requiring action. 21

22 Aim Detail Outcome The organisation will ensure that the data it uses is as accurate and up-to-date as possible. Aim 5 - Data Quality The organisation has data validation procedures to ensure agreed timescales for correction of errors and omissions. Corrections should be made within a maximum of two months. The procedure should also include a requirement to keep staff informed of these issues. The organisation needs to support data quality across our providers to ensure the provision of accurate data to support management and procurement of patient services. The organisation must ensure robust data quality checks are built in to the introduction and ongoing development of technological solutions to improve and manage records. Clear procedures around validation checks carried out and improved accuracy of information. Aim 6 NHS Number (Records Management / Information Lifecycle Strategic Aims) The organisation will work towards the use of the NHS number in all patient records and documentation related to the direct care of the patient, or where there is consent or a legal gateway. NHS Number compliance 22

Aim 7 - Rationalising Records (Records Management / Information Lifecycle Strategic Aims)

Aim: All staff will work towards rationalising record collections through sharing records and the information they contain (subject to the requirements of the Caldicott Principles, the Data Protection Act 1998, Environmental Information Regulations 2004 and Freedom of Information Act 2000) by merging or ensuring effective cross-referencing.

Detail: The organisation will carry out regular Data Audits which look at the records owned by the organisation and how they are stored and transferred. Following each audit, it is possible to identify records (manual and electronic) held by members of staff within NHS Doncaster CCG. At this point, the Lead in Records Management will be able to determine if any of these records could be subject to record sharing. If it is decided that different systems with common sets of data need to continue, documented procedures should be developed to ensure that any differences between the records are reconciled. Consideration will also be given to whether records could be merged or cross-referenced. The Information Asset Owners will ensure that all records held by their teams are included and assessed as part of the ongoing audits. All teams across the organisation are responsible for ensuring that they have a manageable and accessible filing system which reduces duplication and avoids retention of files beyond the recommended limits or operational need.

Outcome: Record collections assessed for rationalisation potential which will in turn reduce duplication and possible errors and effective progress towards integrated records.

Aim 8 - Records Storage & Maintenance (Records Management / Information Lifecycle Strategic Aims)

Aim: All manual and electronic records in NHS Doncaster CCG will be appropriately stored and maintained in accordance with guidance and legislation (see Records Management Procedure).

Detail:

Manual Records: Storage facilities for current paper records are very restricted requiring ongoing review processes to support disposal or long term retention off site. Records should only be kept long term where there is a specific requirement to do so. Any records containing personal data may only be retained in line with the Data Protection Act 1998 and cannot be legally kept for any longer periods without express consent of the identifiable individuals.

Non-Paper Records: There should be ongoing review of electronically held data to include retention periods and general housekeeping. General housekeeping issues include deleting duplicates and unnecessary information (whilst following the correct retention periods) from the server or any standalone systems. It should also be ensured that all confidential information is stored in the correct sections of the server. The review of records forms part of the Information Governance Toolkit Assessment Process and there will be checks across the organisation.

Outcome: Streamlined approach to paper record retention according to guidelines. Streamlined recording of electronic data according to guidelines and a reduced risk of information data breaches and ensuring compliance with retention guidelines.

Aim 9 - Records Disposal (Records Management / Information Lifecycle Strategic Aims)

Aim: Records will be reviewed under the retention periods stated and those no longer required by the services of the organisation will be considered for disposal e.g. permanent preservation, long term archiving, transfer, destruction or any other use as agreed by the relevant Line Manager / Caldicott Guardian.

Detail: There are occasions when records may need to be passed onto other NHS organisations thus disposing of the record. Detailed audits of such movement of records must be maintained. The principles of Caldicott, Data Protection and the IG Assurance programme must be adhered to. A record or brief description must be kept about any record that has been destroyed if it is deemed to be a document that was relevant to the business of the organisation. Further guidance should be sought from Corporate Services if required. Methods of disposal of records must meet confidentiality and security guidelines. For records disposed of by a contractor, the contractor will be required to sign confidentiality agreements and produce written certification as proof of destruction. Action that will be taken in the event of confidence being breached (e.g. termination of contract) will be specified. This will be managed as part of the organisation's waste management policies and procedures giving due account to WEEE regulations for electronic equipment and best practice guidance on disposing of computer hardware.

Outcome: Streamlined, standardised record storage system according to guidelines and tighter confidentiality controls with contractors.

Aim 10 - Documentation (Records Management / Information Lifecycle Strategic Aims)

Aim: Standards will be applied to the production of documentation (manual and electronic) to ensure good record keeping principles are adhered to.

Detail: The organisation has professional record keeping standards, staff training and a plan of audits to ensure high standards are maintained. Corporate standards have been reviewed across the organisation to ensure consistency and a policy and procedure has been developed to inform staff of the model formats for policies, strategies and procedures (Policy on Procedural Documents). Other guidance will be available from the Corporate Services Team. Templates will be available on the shared drive.

Outcome: Improved quality control and consistency of records. Improved corporate image and clarity for staff concerning publications/documentation. Increased understanding of documentation by the general public.

3. Openness & Information Sharing

3.1. NHS Doncaster CCG will ensure that the principles of Caldicott and the regulations outlined in the Data Protection Act 1998 and the organisation's Data Protection Procedure underpin the management of confidential information at all times.

The organisation recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. NHS Doncaster CCG needs to share patient information with other health organisations and other agencies in a controlled manner consistent with the interests of the patient and, in some circumstances, the public interest.
Detailed guidance can be found in the organisation's Information Sharing Procedure.

Non-confidential information about NHS Doncaster CCG and its services will be made available to the public through a variety of means, in compliance with the Freedom of Information Act 2000 and Environmental Information Regulations. The organisation's Publication Scheme will continue to meet the requirements of the Information Commissioner's Office Model Scheme for health bodies.

Patients will have access to information relating to their own health care, options for treatment and their rights as patients. There are clear procedures and arrangements for handling requests for personal information or medical records from patients and the public detailed in the organisation's Access to Records Procedure and Records Management Procedure.

NHS Doncaster CCG has an obligation as a Data Controller to notify the Information Commissioner of the purposes for which it processes personal data. Notification monitoring within the organisation is carried out by the Chief of Corporate Services. Before the annual review of NHS Doncaster CCG's Notification, the Chief of Corporate Services will review the types of processing being carried out within the organisation (e.g. from the Data Flow Audit and Database of Databases) to ensure that the processing complies with the seventh principle of the Data Protection Act. Individual data subjects can obtain full details of the organisation's data protection registration / notification with the Information Commissioner from the Information Commissioner's website. We will publish a Fair Processing Notice on our website.

4. Information Security

4.1. Information security risk is inherent in all administrative and business activities and everyone working for or on behalf of NHS Doncaster CCG continuously manages information security risk. The aim of information security risk management is not to eliminate risk, but rather to provide the structural means to identify, prioritise and manage the risks involved in all our organisational activities. It requires a balance between the cost of managing and treating information security risks with the anticipated benefits that will be derived.

The principles of information security require that all reasonable care is taken to prevent inappropriate access, modification or manipulation of data from taking place. In the case of the NHS, the most sensitive of our data is patient record information. In practice, this is applied through three cornerstones - confidentiality, integrity and availability:

- Information must be secured against unauthorised access - confidentiality
- Information must be safeguarded against unauthorised modification - integrity
- Information must be accessible to authorised users at times when they require it - availability

4.3. Further information can be found in the organisation's Information Security Management Statement and Assurance Plan.

The organisation will undertake audits or commission assessments of its information and IT security arrangements. Risk assessments will be undertaken to determine that appropriate, effective and affordable information security controls are in place in NHS Doncaster CCG locations.

4.5. NHS Doncaster CCG will promote effective confidentiality and security practices to its employees through policies, procedures and training.

The organisation will establish and maintain incident reporting procedures and will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security.

Breaches of Information Security will be investigated in line with guidance and reported as appropriate via the Chief of Corporate Services.

Information Asset Owners will liaise with the SIRO on all issues relating to information security risks within their area of responsibility.

An agreement describes the responsibilities of contractors and their subcontractors under the NHS Confidentiality Code of Practice 2003 and the Data Protection Act 1998 when undertaking work for or with NHS Doncaster Clinical Commissioning Group. It should be signed by all contractors prior to entering the CCG's site. This is the responsibility of leads managing those contractors, whether they are management associates or facilities contractors.

A procedure is in place for secure IT asset disposal.

Staff are reminded that the intentional disclosure of information to a third party where a gain is made for themselves or another, or results in the risk of, or actual loss to NHS Doncaster CCG is a potential criminal offence under Section 4 of the Fraud Act. Suspicion of any such breaches should be reported without delay in accordance with NHS Doncaster CCG's Fraud Policy and Response Plan, or a confidential report can be made to the NHS Fraud & Corruption Reporting Line, by calling

Information Quality Assurance / Data Quality

5.1. NHS Doncaster CCG will establish and maintain procedures for information quality assurance and the effective management of records. Refer to the organisation's Data Quality Procedure and Records Management Procedure for more details.

Audits will be undertaken or commissioned of the organisation's quality of data and records management arrangements.

Wherever possible, information quality will be assured at the point of collection. Integrity of information will be developed, monitored and maintained to ensure that it is appropriate for the purposes intended. Managers are expected to take ownership of, and seek to improve, the quality of information within their services.

6. Data Protection

6.1. NHS Doncaster CCG holds and processes information about its employees, patients and other individuals for various purposes (for example, the effective provision of healthcare services or to operate the payroll and to enable correspondence and communications). To comply with the Data Protection Act 1998, information must be collected and used fairly, stored safely and not disclosed to any unauthorised person. The Data Protection Act 1998 applies to both manual and electronically held data for living persons.

The lawful and correct treatment of personal information is vital to successful operations, and to maintaining confidence within the organisation and the individuals with whom it deals. NHS Doncaster CCG will comply with the 8 principles of Data Protection:

1. Personal data shall be processed fairly and lawfully by observing fully conditions regarding the fair and lawful collection and use of information.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date through our data quality procedures.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes by applying strict checks to determine the length of time information is held.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act, ensuring that the rights of people about whom information is held can be fully exercised under the Act. (These include: the right to be informed that processing is being undertaken; the right of access to one's personal information; the right to prevent processing in certain circumstances; the right to correct information which is regarded as incorrect information).
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Further details can be found in the Confidentiality Code of Conduct & Data Protection Procedure.

7. Records Management / Information Lifecycle Management

7.1. NHS Doncaster CCG recognises the need to ensure a structured and integrated approach to Records Management throughout the organisation which supports the overall Information Governance arrangements within the organisation.

NHS Doncaster CCG is committed to a systematic and planned approach to the Management of Records, from their creation to their ultimate disposal in accordance with relevant legislation. This will ensure that the NHS Doncaster CCG can control both the quality and quantity of the information that it generates, it can maintain that information in an effective manner, and it can dispose of the information efficiently when it is no longer required. Detailed Records Management guidance can be found in the organisation's Records Management Procedure / Information Lifecycle Procedure.

8. Freedom of Information and Environmental Information Regulations

8.1. The Freedom of Information Act 2000 is part of the Government's commitment to greater openness in the public sector.

The main features of the Freedom of Information Act are:

- A general right of access from 1st January 2005 to recorded information held by public authorities, subject to certain conditions and exemptions;
- In cases where information is exempt from disclosure, except where an absolute exemption applies, a duty on public authorities to:
  (i) Inform the applicant whether they hold the information requested, and
  (ii) Communicate the information to him or her, unless the public interest in maintaining the exemption in question outweighs the public interest in disclosure;
- A duty on every public authority to adopt and maintain a Publication Scheme, specifically applicable to the NHS from 31st October 2003;
- The office of the Information Commissioner with wide powers to enforce the rights created by the Freedom of Information Act and to promote good practice;

- A duty on the Lord Chancellor to disseminate Codes of Practice for guidance on specific issues.

The Environmental Information Regulations 2004 give rights of public access to environmental information held by public authorities. These regulations have been introduced in line with European Directive 2003/4/EC and the Aarhus Convention on Access to Information, Public Participation in Decision Making and Access to Justice in Environmental Matters.

The Environmental Impact Regulations 2004 permit exceptions rather than exemptions and the emphasis is in favour of disclosure. It is important for the organisation to make the distinction between Freedom of Information and Environmental Information Regulations and to respond accordingly.

NHS Doncaster CCG believes that public authorities should be allowed to discharge their functions effectively. This means that the organisation will use the exemptions contained in the Freedom of Information Act 2000 where an absolute exemption applies or where a qualified exemption or exception can reasonably be applied in terms of the public interest of disclosure. Detailed information can be found in the organisation's Freedom of Information and Environmental Information Regulations Policy.

9. Confidentiality Code of Conduct / Caldicott

9.1. The principle behind the organisation's Confidentiality Code of Conduct is that no employee shall breach their legal duty of confidentiality, allow others to do so, or attempt to breach any of NHS Doncaster CCG's security systems or controls in order to do so. The organisation's Confidentiality Code of Conduct can be found appended to this policy. Each new employee is required as part of their contract of employment to sign the Confidentiality Code of Conduct / their contract which is then retained in their personal file.

The Caldicott Guardian oversees the Caldicott function and is primarily concerned with upholding and supporting patient confidentiality. This function is based within the broader remit of the Information Governance Assurance Framework as outlined by the Department of Health's guidelines. Under the Data Protection Act 1998 and other relevant legislation, the role of the Caldicott Guardian is vital in the assurance and safety of patient identifiable information. A national Register of Caldicott Guardians is held and the NHS Doncaster Clinical Commissioning Group (CCG) Caldicott Guardian is registered.

NHS Doncaster CCG has appointed a Caldicott Guardian who has responsibility to ensure the protection of patient confidentiality throughout the organisation in accordance with legal rights. NHS Doncaster CCG's Caldicott Guardian is the Chief Nurse. The Caldicott Guardian is supported by the Chief of Corporate Services as Senior Information Risk Owner. An annual Caldicott Plan is developed and it is approved by the Quality & Safety Committee.

In any case where confidential information has been requested for non-medical purposes, the Caldicott Guardian will assess whether the information request is supported by the following six Caldicott principles:

Principle 1 - Justify the purpose(s) for using confidential information. Every proposed use or transfer of patient identifiable information within or from an organisation should be clearly defined and scrutinised, with continuing uses regularly reviewed, by an appropriate guardian.

Principle 2 - Only use it when absolutely necessary. Personal confidential data should not be included unless it is essential for the specified purpose(s) of that flow.

Principle 3 - Use the minimum that is required. Where use of personal confidential data is considered to be essential, the inclusion of each individual item of information should be considered and justified so that the minimum amount of identifiable information is transferred or accessible as is necessary for a given function to be carried out.

Principle 4 - Access should be on a strict need-to-know basis. Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the information items that they need to see. This may mean introducing access controls or splitting information flows where one information flow is used for several purposes.

Principle 5 - Everyone must understand his or her responsibilities. Action should be taken to ensure that those handling personal confidential data are made fully aware of their responsibilities and obligations to respect patient confidentiality.

Principle 6 - Understand and comply with the law. Every use of personal confidential data must be lawful.

Principle 7 - The duty to share information can be as important as the duty to protect patient confidentiality. Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

10. Information Risk Management & Lessons Learned

Information Risk is inherent in NHS Doncaster CCG activities and an information risk assurance process is set out as a requirement of the Information Governance Toolkit. Information risk management is the ongoing process of identifying information risks and implementing plans to address them. The responsibilities, definitions, processes and templates as contained in the Risk Management Policy & Procedure also apply to information risk management.

NHS Doncaster CCG maintains an Assurance Framework which covers strategic risks, and a Risk Register which covers operational risks. All risks are reviewed regularly by the risk lead in line with the organisation's Risk Management strategy, policy and procedure. As part of this risk management programme of activity, NHS Doncaster CCG's Information Governance risks are routinely reviewed.

The Senior Information Risk Owner (SIRO) acts as an advocate for information risk on the Governing Body. The SIRO is the Chief of Corporate Services. Information Asset Owners (IAOs) liaise with the SIRO in relation to any risks associated with the assets for which they are accountable.

The following objective within our Risk Management Strategy underpins our strategic aim for risk management and the second column details our methods for delivery against the stated objective.

Objective: To ensure information risk management is integrated into the organisation's Information Governance Framework to assist in safeguarding the organisation's information assets, people, finance, property & reputation.

Delivery: We will deliver this through:

- Collation and review of risk assessments
- Information Security threats to be followed up by and managed by appropriate action plans.
- Regular reporting and review of information risks by the SIRO

Information Risk Management aims to:

- Protect NHS Doncaster CCG from those information risks of significant negative likelihood and consequence in the pursuit of NHS Doncaster CCG's stated strategic goals and objectives.
- Meet legal, statutory, and NHS Policy requirements.
- Assist in safeguarding NHS Doncaster CCG's information assets - people, finance, property and reputation

Information risk assessments will be performed on a regular basis for all information systems and critical information assets. Information Risk assessments will also occur at the following times:

- At the inception of new systems, applications and facilities that may impact the assurance of NHS Doncaster CCG Information or Information Systems.
- Before enhancements, upgrades, and conversions associated with critical systems or applications.
- When NHS policy or legislation requires risk determination.
- When the NHS Doncaster CCG Management team requires it

An Information Governance Incident is an event which may result in:

- Degraded system integrity e.g. causing a virus to enter the system.
- Loss of system availability e.g. not working.
- Disclosure of confidential information e.g. password sharing (accidentally or on purpose).
- Disruption of activity e.g. inappropriately deleting files from S-drive.
- Loss e.g. theft of laptop.
- Legal action e.g. inappropriate disclosure of patient information.
- Unauthorised access to applications e.g. unauthorised access to payroll system

All Information Governance incidents will be formally logged, categorised by severity and analysed in accordance with the organisation's Incident Management Policy.

One or more of the following individuals should also be advised according to the severity and type of incident as appropriate:

- Caldicott Guardian if the incident involves patient identifiable information.
- Chief of Corporate Services for information governance incidents.
- Human Resources Manager for incidents relating to Smart Cards

Major breaches of confidentiality, including theft or loss of medical records and electronic equipment containing patient/personal data should be reported to the Chief of Corporate Services or their Deputy as soon as possible and within a maximum of 24 hours in line with Serious Incident (SI) reporting requirements.

All serious Information Governance incidents and results of incident investigations / root cause analyses will be discussed by the Audit Committee at the earliest subsequent meeting and the SIRO will keep the Governing Body informed as appropriate. Relevant reporting will be made externally in line with Information Governance requirements.

Learning from risks, incidents and other such events is key to developing a culture in the organisation that welcomes knowledge of such events as an opportunity to improve patient care, the services offered within NHS Doncaster CCG, and the working environment and safety of employees.

11. Information Asset Lists & Database List

IT assets worth over 5,000 are included within the Asset List which is maintained by the Finance Team.

Information Asset Lists have been compiled for all teams and the maintenance of these is the responsibility of the Chief of Corporate Services who is the SIRO.

The Chief of Corporate Services maintains a list of databases held by the organisation which contain patient or employees' information and have been approved by the Caldicott Guardian. It is the responsibility of all staff to ensure that authorisation is obtained to create and hold databases and spreadsheets which contain person identifiable information. This information can only be stored where there is consent or a legal gateway or if it is held for the purposes of direct patient care.

12. Improvement Plan and Assessment

Assessments of compliance with each requirement within the Information Governance Toolkit (IGT) will be undertaken throughout each year. Annual reports and proposed action / development plans will be presented to the Audit Committee for approval prior to submission annually in March. The requirements are grouped into the following initiatives:

- Information Governance Management
- Confidentiality and Data Assurance
- Information Security Assurance
- Clinical Information Assurance

SECTION C - INFORMATION GOVERNANCE PROCEDURES

A. INFORMATION SHARING PROCEDURE
B. RECORDS MANAGEMENT PROCEDURE
C. ACCESS PERSONAL DATA UNDER THE DATA PROTECTION ACT 1998 AND ACCESS TO HEALTH RECORDS ACT 1990
D. CONFIDENTIALITY CODE OF CONDUCT AND DATA PROTECTION PROCEDURE
E. DATA QUALITY PROCEDURE
F. LAPTOPS, OTHER PORTABLE DEVICES OFFSITE USERS PROCEDURE
G. MOBILE TELEPHONE PROCEDURE
H. PROCEDURE FOR REGISTERING AND AUTHORISING COMPUTERISED DATABASES FOR THE STORING AND PROCESSING OF PERSONAL DATA
I. PASSWORD MANAGEMENT PROCEDURE
J. INTERNET, & SOCIAL NETWORKING PROCEDURE
K. PRIVACY IMPACT ASSESSMENT PROCEDURE

INFORMATION SHARING PROCEDURE

A - INFORMATION SHARING PROCEDURE

1. Introduction

1.1. An information sharing procedure is crucial to the provision of comprehensive and continually improving health and social care through partnership working and embracing new technologies. It is also a major factor in joint working to protect the most vulnerable and in providing accessible services across the whole population.

It is equally important that our patients, clients and their families are confident that NHS Doncaster CCG and its partners will still keep their personal information safe and secure and that it will only be shared in agreed and appropriate circumstances.

The purpose of this document is to provide guidance to staff on the development of information sharing agreements to reflect the needs of their service, a proposed development, partnership group or in line with a statutory requirement.

In certain circumstances there may be a legal or statutory requirement to share data or information but this should still be considered in line with the Data Protection Act and Caldicott principles and it should be proportionate and appropriate.

- No Secrets: Guidance on developing and implementing multiagency policies and procedures to protect vulnerable adults from abuse.
- Data Protection and Sharing Guidance for Emergency Planners and Responders (HMG 2007).
- Data Sharing Review Report (Thomas and Walport 2008).
- Health and Social Care Act (2012).
- Caldicott Report (1997)
- Caldicott Review (2013).
- Common Law Duty of Confidentiality.

2. Data Protection Act

The Data Protection Act 1998 and the common law duty of confidentiality should underpin the development of any information sharing decision. As data controllers, NHS Doncaster CCG and its partners have a duty to comply with the 8 Data Protection Principles:

1. Personal data shall be processed fairly and lawfully.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive.

4. Personal data shall be accurate, and where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

2.2. In addition, health and social care data is subject to the Caldicott principles and the professional codes of practice. The Data Protection Act should not be seen as a barrier to information sharing but as a framework to support good information sharing in practice.

3. Key prior considerations for information sharing

3.1. There must always be a clear and justifiable purpose for sharing the information:

- Supporting the delivery of care
- Improving quality standards
- Effective partnership working
- Monitoring public health
- Audit and research
- Managing incidents, risks and complaints
- Contracting and service planning
- Education and training
- Protecting the vulnerable
- Investigating serious crime and fraud

3.2. Information is provided in confidence when it appears reasonable to assume that the provider of the information believed that this would be the case, or where a person receiving the information knows, or ought to know, that the information is being given in confidence. It is generally accepted that most (if not all) information provided by service users is confidential in nature.

Consent should be obtained wherever it is possible or appropriate:

- Always ask for informed consent where possible and appropriate.
- Be open about what information will be used for and who our partners are.

- In situations where there may be a legal duty to share without consent, information sharing should still be proportionate and relevant.
- Seek advice in circumstances where children are involved or adults who lack capacity.
- Consider any barriers to understanding and facilitate good communication with all parties involved.
- When first setting up a service consider an information sharing agreement from the outset.

Individuals' rights to confidentiality are not absolute and may be overridden if there is evidence that disclosure for specific purposes is necessary in exceptional circumstances such as:
- Where it is required by statute.
- Where not to share the information poses a public health risk.
- In the vital (life or death) interests of the data subject or another person and consent cannot be obtained.
- Where sharing is required to prevent, detect or prosecute a serious crime such as treason, murder, manslaughter, rape, kidnapping, hostage-taking, causing an explosion likely to endanger life or property and hijacking (this list is not exhaustive).
- Safeguarding of children or vulnerable adults where a lack of information sharing may lead to unjustified delay in making enquiries about allegations of serious harm.

Consideration should be given as to whether individuals can be identified from the data:
- Consider whether some or all of the information can be shared anonymously, in a redacted format, or pseudonymised.
- Information in healthcare is often sensitive personal data.
- Consent or a legal gateway is required when sharing personal confidential data.
- Be sure that you protect the rights of third parties mentioned in data.

The parties to the agreement must be stated:
- Consider who the partners are to be and whether they are bound by the same rules of confidentiality as NHS staff.
- If external contractors are involved, are the contracts specific on the confidentiality of information and any permitted secondary use?
- Ensure all parties sign up to the agreement at the appropriate level (e.g. Caldicott Guardian in health and social care).

The actual information to be shared must be defined along with storage and retention criteria:
- Define the terms and conditions relating to how the information can be used.

- Define at the outset the information to be shared and any information that is excluded.
- Ensure there is agreement on the responsibilities for managing the shared information and investigating any breaches or inappropriate use.
- Identify a data controller for the amalgamated information.
- Identify a retention period for the shared data and monitor compliance.

The security arrangements for the data in storage and transit must be considered:
- Make sure there are clearly defined rules for the way in which information is passed between individuals and teams.
- Keep records of information shared and where it is stored.
- Identify responsibilities for safe disposal of data.
- Ensure access controls have been agreed between all parties.

Mandatory information governance training, support and guidance must be available to all staff:
- Ensure all parties to a data sharing agreement have undertaken information governance training.
- Agree how support and advice will be provided to partners to the agreement.

All information sharing agreements must reflect NHS Doncaster CCG's Information Governance Policy and Procedures.

The appended information sharing flowchart may support consideration of information sharing issues.

4. Style and Format of Information Sharing Agreements

4.1. All agreements should be written in a style which is concise and clear using unambiguous terms and language.

A sample template is appended. Alternative formats can be used as long as the agreement includes at least the following information:
- Name of project, working group or client group.
- Purpose of Information Sharing.
- Partners: all agencies involved.
- Date of Agreement.
- Review period.
- Approvals (where relevant).
- Relevant legislation and guidance.
- Process for sharing including transfer methods.
- Types of information to be shared.
- Constraints on the use of information (Terms and Conditions).
- Roles and responsibilities.

- Specific issues for the agreement.
- Review, retention and deletion of information.
- Signature of all relevant parties including Caldicott Guardians where health and social care information is to be shared.

Key questions when seeking to share information are:
- What is the sharing meant to achieve? There should be a clear objective, or set of objectives. Being clear about this helps to establish what data need to be shared and with whom.
- What information needs to be shared? All the personal data held about someone should not be shared if only certain data items are needed to achieve the objectives.
- Who requires access to the shared personal data? Need to know principles should be employed, meaning that other organisations should only have access to data if they need it, and that only relevant staff within those organisations should have access to the data. This should also address any necessary restrictions on onward sharing of data with third parties.
- When should it be shared? Is the sharing part of an ongoing, routine process or will it only take place in response to particular events?
- How should it be shared? This involves addressing the security surrounding the transmission or accessing of the data and establishing common rules for its security.
- How can we check the sharing is achieving its objectives? Regular review will be needed to judge whether it is still appropriate to share the data and to confirm that the safeguards still match the risks.
- What risk does the data sharing pose? For example, is any individual likely to be damaged by it? Is any individual likely to object? Might it undermine individuals' trust in the organisations that hold the records?
- Could the objective be achieved without sharing the data or by anonymising it? It is not appropriate to use personal data to plan service provision, for example, where this could be done with information that does not amount to personal data.

5. Development And Approval Process For Information Sharing Agreements

STEP 1: The need is identified for an information sharing agreement within a service, or to support a work area or project and an author is identified.
STEP 2: Draft an agreement to suit the service or adapt a nationally provided model that reflects the requirements set out above.

STEP 3: Ensure all agencies and departments support and understand the agreement.
STEP 4: Seek advice as required from the Caldicott Guardian and/or Information Governance Lead.
STEP 5: Obtain the formal approval and signatures from organisations and departments depending on the information and functions involved.
STEP 6: Pass a copy of the completed agreement to the Information Governance lead who will ensure that it is publicly available as appropriate.

Information Sharing Guide

[Flowchart. Start: You are asked or wish to share information. Each decision point below has a Yes and a No branch.]
- Is there a statutory obligation for sharing the information?
- Is there a legitimate reason for sharing the information?
- Does the information enable a person to be identified (i.e. is it person identifiable data)?
- Can the information be anonymised or pseudonymised?
- Do you have consent*?
- Is there sufficient public interest** to share?

[Outcomes shown: You can share. Do not share. Share the Information***. Record the information sharing decision and your reasons.]

Seek advice from your Caldicott Guardian if you are not sure what to do at any stage and ensure that the outcome of the discussion is recorded.

* See Glossary for definitions.
** Consult your Caldicott Guardian or Information Governance Lead.
*** Unless there is a statutory obligation you will probably need an Information Sharing Agreement (see Appendix for a template).

INFORMATION SHARING AGREEMENT

Title
[Title of Information Sharing Agreement]

Introduction
xxxxxx are committed to partnership working and continually look for opportunities to work more closely with partners to xxxxxx.

Purpose
The purpose of this agreement is to facilitate effective information sharing between xxxxxx and xxxxxx. It will incorporate measures aimed at.

Partners
This agreement is between the following partners:

Legislation & Guidance
This agreement fulfils the requirements of the following:

Process
This agreement has been formulated to facilitate the exchange of information between partners. It is, however, incumbent on all partners to recognise that any information shared must be justified on the merits of each case.

Information to be shared
xxxxxx will share:

Constraints on the Use of the Information
The information is to be used for
xxxxxx will not use the information for...

Roles and Responsibilities under this Agreement
All parties are responsible for adhering to the Department of Health's Records Management Code of Practice and the Data Protection Act. The data controller of the shared data is

Specific Procedures
Handling Requests for Information: where information requested relates to personal information, all such requests must be made in writing using the relevant organisational forms. Requests for information may be made by telephone in cases of emergency, for example, where there is a risk of immediate violence. Where this occurs, the request for information must be recorded on the relevant organisational form and submitted retrospectively. Replies to requests must be made within..

Review, retention and destruction of data
Partners to this agreement undertake that personal data shared will only be used for the specific purpose for which it is requested. The recipient of the information is required to keep it securely stored and will delete it when it is no longer required. Files containing information from partner sources will be reviewed in line with the receiving organisation's policy. The recipient will not release the information to any third party without obtaining the express written authority of the partner who provided the information.

Review of the Information Sharing Agreement
The Information Sharing Agreement will be reviewed six months after its implementation and annually thereafter. The nominated holder of this agreement is.

Signatures
By signing this agreement, all signatories accept responsibility for its execution and agree to ensure that staff are trained so that requests for information and the process of sharing itself is sufficient to meet the purpose of this agreement. Signatories must also ensure that they comply with all relevant legislation.

Signed on behalf of:
Title:
Role/Position:
Date:

Signed on behalf of:
Title:
Role/Position:
Date:


B - RECORDS MANAGEMENT PROCEDURE

1. Introduction

1.1. The organisation's records are a corporate memory, providing evidence of actions and decisions and representing a vital asset to support daily functions and operations. They support policy formation and managerial decision-making, protect the interests of NHS Doncaster CCG and the rights of patients, staff and members of the public who have dealings with the organisation. They support consistency, continuity and efficiency and productivity and help us deliver our services in consistent and equitable ways.

In addition to legislative requirements the organisation is subject to monitoring of records management through a number of compliance tools including the Information Governance Toolkit.

NHS Doncaster CCG is committed to openness and accountability and to ensuring that records are made publicly available where appropriate, but the organisation is equally committed to the principles of confidentiality of an individual's information and the rights of privacy enshrined in the common law duties of confidentiality, the Caldicott Principles and the Data Protection Act.

NHS Doncaster CCG is committed to a systematic and planned approach to the management of records within the organisation, from their creation to their ultimate disposal (information lifecycle) in accordance with relevant legislation. This will ensure that the organisation can control both the quality and quantity of the information that it generates, it can maintain that information in an effective manner and it can dispose of the information efficiently and securely when it is no longer required.

This Records Management Procedure aims to clearly describe NHS Doncaster CCG's approach to Records Management and provides the framework for developing good Records Management within the organisation to:
- Ensure systems are in place to provide a robust structure for Records Management within the organisation leading to the NHS Doncaster CCG Governing Body.
- Increase staff awareness of the issue of Records Management and the organisation's requirements from creation to disposal.
- Ensure legal obligations and national requirements are met.
- Set out generic principles on specific aspects of records.
- Ensure systems are in place to monitor and learn from Records Management incidents in accordance with the organisation's Risk Management Policy & Procedure.

2. Accountability and Responsibilities

2.1. Overall accountability for Records Management lies with the Chief Officer who has overall responsibility for meeting all statutory requirements and adhering to guidance issued in respect of records management. The operational responsibility is delegated to the Chief of Corporate Services.

Ongoing monitoring of the procedure and other reported records management issues is the responsibility of the Audit Committee. The Audit Committee has delegated operational responsibility to the Corporate Governance Management Group.

The Caldicott Guardian oversees all aspects of Caldicott Guidance on Health and Social Care Records and has responsibility for approving and ensuring that national and local guidelines and procedures on the handling, sharing and management of confidential personal information are in place. The Caldicott Guardian also oversees appropriate controls and procedures for the monitoring of databases (or spreadsheets) or software containing patient or staff identifiable information created by NHS Doncaster CCG.

The Chief of Corporate Services is the Senior Information Risk Owner (SIRO) for the organisation and should be advised of any significant risks or incidents involving the security of data in manual or electronic format.

Each Information Asset Owner (IAO) is responsible for:
- Maintaining professional standards according to best practice in liaison with staff working in the area.
- Ensuring local application of guidelines including retention and disposal schedules and advising on disposal.
- Determining the most effective ways of promoting the guidelines in their area e.g. training, induction, team meetings etc.
- Providing support and advice to staff in the area of Records Management with the assistance of the Caldicott Guardian and Corporate Services.
- Monitoring performance through quality control/periodic audits.
- Ensuring compliance with the standards, legislation, policies and procedures relating to the management of records.
- Identifying areas where improvements could be made.
- Ensuring that staff complete relevant training on records management, confidentiality and data protection.
- Reviewing/adopting tracking and registration systems for appropriate records in all areas.
- Ensuring appropriate records are archived.
- Ensuring that there is a mechanism for identifying records which must be kept for permanent preservation.

- Ensuring the confidentiality, integrity, and availability of all information that their system processes and protecting against any anticipated threats or hazards to the security or integrity of such information.
- Undertaking information risk assessments on all information assets where they have been assigned ownership, following guidance from the SIRO on assessment method, format, content, and frequency which is provided through the annual Data Assets & Flows update exercise.
- Reporting security incidents and ensuring that the reports are fully documented, including type of incident, and that countermeasures are put in place.
- Reporting to the SIRO and ensuring countermeasures are discussed and implemented in conjunction with security incidents.
- Initiating the necessary disciplinary action through the HR Team if a member of staff is found to be disregarding procedures which could result in a security incident.

All Chiefs have a responsibility to ensure they are familiar with the Records Management procedure. Chiefs are also responsible for ensuring staff are familiar with and understand the procedure, receive training where required and are aware of any new procedures which impact upon their service area.

Line Managers' Responsibilities - All line managers must ensure that their staff are adequately trained in records management issues and apply the appropriate guidelines.

Employees' Responsibilities - It is important to remember that record 'ownership' and copyright lie with the NHS organisation and not with an individual employee or contractor. However, each individual is responsible for the records they create or use by law and the quality of record keeping.

When commissioning or developing new services NHS Doncaster CCG's staff must ensure that the management of records is considered from the outset of the project and that the arrangements and any performance management standards are clearly defined within specifications and contracts.

Staff will be made aware of Records Management Procedure updates as they occur via team meetings and emails from Corporate Services.

3. Types of Records

3.1. In the context of this procedure, a record is anything which contains information (in any media) which has been created or gathered as a result of any aspect of work of NHS employees. These may consist of:
- Patient health records;

- X-ray and imaging reports, output and images;
- Photographs, slides, and other images;
- Microform (i.e. microfiche/microfilm);
- Audio and video tapes, USBs, CD-ROM, digital camera etc;
- Emails and NHS emails;
- Computerised records, databases, disks and all other electronic records;
- Scanned records;
- Text messages;
- Diaries.

This list is not intended to be exhaustive but to give a broad indication of the range of items likely to constitute a record.

4. Record Creation

4.1. General Points
- All NHS Doncaster CCG records should be created in Arial typeface (12 font) where a pre-existing bespoke system does not use an alternative.
- The use of jargon or initials should be avoided where possible.
- Access controls (who will be able to view the record) should be determined when files are created.
- All records should include the NHS Doncaster CCG name or logo.
- Text should not be justified i.e. it should be aligned to the left hand side of the page.
- All reviewed records e.g. forms, policies etc. will include a version number to ensure that old versions are not accidentally used. The individual who owns the record should retain all versions in case of future queries.
- Referencing/Naming: each document or record should be referenced in a way which can be easily understood by others to help data retrieval at a later date.
- Protective marking - Records may be classified into one of several categories, e.g. draft, confidential; this should be noted on the folder or record where relevant to reduce the likelihood of confusion or accidental viewing.
- Consideration should be given when creating a record as to whether this should be published proactively on the organisation's model Freedom of Information Act publication scheme.
- All formal documents should have page numbers in the format Page 1, 2, 3 etc of

Templates for Meeting Papers, Letters and Faxes
Templates for Meeting Papers (formal minutes and agendas), letters and faxes will be available on the Shared Drive.

4.3. All emails should have a subject heading that is relevant to the email but which does not contain personal or sensitive information. All emails should include at the end a name, contact details and a standard confidentiality statement.

Leaflets and Information for the Public
These should follow the guidance in the organisation's Communication Strategy and associated guidance.

Scanning Documents
- Documents received in hard copy only may be scanned in using NHS Doncaster CCG approved equipment but must be saved as an image which can be retrieved through effective electronic filing systems.
- Documents must only be scanned in such a way as to provide an exact image of the original.
- Care should be taken when scanning records to ensure the image is readable and that the whole page has been scanned correctly.
- Provided quality checks are in place there is no need to retain the original paper record once the image has been completed.
- Where scanning is proposed, other factors to be taken into account include:
  o The costs of the initial and then any later media conversion to the required standard, bearing in mind the length of the retention period for which the records are required to be kept.
  o The need to consult in advance with the local Place of Deposit or The National Archives with regard to records which may have archival value, as the value may include the format in which it was created.
- Before scanning a record you should consider who you may need to present the scanned documents to and whether they would accept scanned copies as evidence of a transaction. The following list provides further examples of when it may not be suitable to scan the record:
  o Where the original copy of a record is poor quality and a legible image cannot be obtained.
  o Where the original document contains physical amendments or annotations, or Tipp-Ex that cannot be identified on a scanned image.
  o Where the record is regularly amended. It is unsuitable to scan a series of records which you are still adding to.

- You should ALWAYS check the quality of the scanned copy before destroying the original document.
- Scanner resolution is typically measured in dots per inch (dpi). The higher the resolution, the finer the detail captured. On the other hand the higher the resolution the larger the file size. A balance needs to be achieved between detail and file size.
- You should choose to scan all records to a Portable Document Format (PDF file). PDF files are non-editable, ensuring the authenticity of the record as it cannot be altered once it has been scanned. This is especially important if you are destroying the original paper record.

Records Filing
- All records within a filing system should have an index.
- Records should be filed in an agreed order most appropriate to the class of record.
- File labels/titles should represent the titles given on the enclosed documents as far as possible. Acronyms and abbreviations should be avoided except where an explanation is clearly provided.
- The file cover/folder should contain the date for destruction (if applicable) and/or any restrictions e.g. Private and Confidential to reduce the likelihood of accidental viewing.

Electronic Records
- Records on shared servers (e.g. S-drive) should be broken down into directorates and teams, then folders should be created with titles to represent the enclosed documents. The folder titles will be stored in alphabetical order automatically by the system. In this way, the paper filing system will be mirrored. Individual documents should be identifiable i.e. by subject/date/draft number.
- All records which may need to be accessed by another member of staff should be stored in a shared area. If files are confidential, folders can have restricted access (by contacting the IT Helpdesk) so that only designated individuals can view these areas.
- Any Personal Confidential Information that is received and stored on the network must be stored on a network drive securely and in a designated folder that has access restricted to only those who need to access the data in order to perform their role. This acts as a Safe Haven. Safe Haven folders should have access restrictions imposed by the IT Helpdesk and the IT Helpdesk should be advised that access requests for that location must be approved by the relevant folder owner.
- Only personal information which will never be required by other members of staff should be stored on personal areas of the server (U:drives). Inappropriate storage of information on personal drives (U:drives) may lead to password sharing especially when members of staff are absent, which then allows access to all files in the personal drive. Any form of password sharing, except for some pre-agreed communal equipment, is a breach of this procedure and could result in disciplinary action.
- It is important that all relevant emails are filed with the appropriate file on the corporate shared drive and not just kept in in-box folders. This ensures an accurate record is available to anyone when the recipient is absent.

Records on CDs/floppy discs/memory sticks
- Some areas may have electronic information on CDs/floppy discs/encrypted memory sticks. Appropriately named folders should be created and maintained in alphabetical order.
- Any person identifiable or confidential information stored on removable media must be password protected or encrypted. The organisation provides encrypted memory sticks for use by staff and no other equipment should be used.
- The downloading of information to other types of portable media is actively discouraged and advice should be sought from the Corporate Services Team before any such action.

Photographs/Videos
- The organisation has collections of visual images either as artistic images and still photographs (which may be prints, negatives, slides, transparencies, and electronic-readable images) or as moving images (film or video).
- In the case of photographs, the quality of image available from negatives or original prints should be considered and new prints may be made in cases where the original is deteriorating.
- It should be ensured that a consent form is filled in where photographs/videos etc are taken of patients or members of the public, so they are aware of how their images will be used. Completed consent forms are held locally.

5. Records Storage, Maintenance and Tracking

5.1. General points
- The organisation makes use of a separate storage area for long term records storage (archiving).

55 NHS Doncaster CCG s has a shared documents folder for general viewing to reduce the incidence of duplicate copies being stored. Paper records in current use should be stored close to the user for easy access e.g. in their office. For records no longer in current use see the Records Retention Schedule. All current records should be stored so that they are accessible and comply with security and health and safety requirements. Storage accommodation for current records should be clean and tidy, should prevent damage to the records and should provide a safe working environment for staff. For electronic records, maintenance in terms of back-up and planned migration to new platforms should be designed and scheduled to ensure continuing access to readable information. There is a wide range of suitable office filing equipment available. The following factors should be taken into account: o Compliance with Health & Safety regulations (must be the top priority) o Security (especially for confidential material) o The user s needs o Type(s) of records to be stored o Their size and quantities o Usage and frequency of retrievals o Suitability, space efficiency and price Access to and Retrieval of Current Records The guidelines contained within this procedure such as record creation and filing will aid record access/retrieval. It should be reiterated at this point that only individuals with authorised access to the records should retrieve them Records Tracking Any paper records owned by the organisation which are loaned to another person, department or external organisation must have a tracking system established e.g. master copies of papers, library documents, HR /staffing files. The options for tracking are as follows:- Paper / Manual System Tracer card - This consists of a standard tracer card which is kept with the file and contains information which allows it to be located at a later date if it is found to be missing. 
When a record is taken out, the individual must complete the date, person who has removed the record, Department and telephone number. When the record is returned, the date of return should be completed. A paper register 55

56 a book, diary, or index card to record transfers. File on loan (library-type) cards for each absent file, held in alphabetical or numeric order. Electronically operated tracking systems An electronic system can drastically reduce the amount of paper generated, and therefore the volume of paper to be stored. Using an electronic tracking system rather than, for example, a card index, can be more efficient speeding up information retrieval times, reducing miss-filing, and the problems associated with the use of tracer cards. A well thought -out tracking system manual or electronic should meet all user needs and be supported by adequate equipment. It should provide an up-to-date and easily accessible movement history and audit trail. The success of any tracking system depends on the people using it and therefore all staff must be made aware of its importance and given adequate training and updating Staff Records / Personal Confidential Data in Transit If staff records or patient identifiable information is being delivered to another location they should be enclosed in envelopes or opaque wallets, marked confidential, and sealed for transfer. Any records that may be damaged in transit should be enclosed in suitable padding or containers. For larger quantities, records should be boxed in suitable boxes or containers for their protection. Each box should be secured, addressed clearly and marked confidential with the senders name and address on the reverse of the box. There are various options if records are to be mailed externally, such as recorded delivery, registered mail etc. When choosing options staff should consider the following: Will the records be protected from damage, unauthorised access or theft? Is the level of security offered appropriate to the degree of importance, sensitivity or confidentiality of the records? Does the mail provider offer track and trace options and is a signature required on delivery? 
For further advice please contact the Caldicott Guardian or Corporate Services Team Taking records off site Records should only ever be taken off site with the approval of the line manager. Security of these records should be paramount, 56

57 especially in the case of confidential records. The Caldicott Guardian can provide advice on the precautions to take. Records should never be left unattended e.g. on a back seat of the car. If the record is to be taken home, the record must be stored securely in accordance with the staff members Professional Code of Conduct and kept away from the base-point for the minimum length of time possible. It is essential that any such records are tracked out of the department so that staff are aware of the location of the record. 6. Record Disclosure / Information Sharing Access to records may be requested from different teams or different organisations. Where the information is confidential e.g. staff or patient personal information or sensitive information it should be ensured that the person is authorised to receive the information. See Information Sharing Procedure or Access to Records Procedure for more information. 7. Records Retention and Disposal 7.1. General points When a record is no longer in use or current, a decision must be made concerning its future. Certain types of records have a minimum retention period, so whether the record requires retention should be first determined by consulting the Records Retention Schedule appended to this procedure. Records which are not covered by these retention periods should be discussed locally, and whether or not the record should be retained should be agreed by a Senior Manager with the assistance of the Caldicott Guardian. If retention is not required, the record can be securely destroyed. If retention is required, the options for long term storage should be considered e.g. the organisation s archiving system. The alert mechanism for ensuring records are not destroyed should also be determined e.g. clear labelling. 
Staff should be aware that the minimum retention periods apply to both paper and computerised records, though extra care needs to be taken to ensure there is no corruption or deterioration of electronic data. For example, emails concerning the subjects covered in the Records Retention Schedule appended to this procedure should be subject to the same retention period as a manual record.

Long-term Storage / Archiving

The following issues should be considered when deciding upon whether or not to use the archiving facility. If the record will foreseeably need retrieving in the future, the archiving facility may not be the best option as there are cost and time delay implications. The records will need boxing and labelling with the contents and disposal date. If the archiving facility is inappropriate, records can be stored locally in departments. Records which are stored locally should be clearly labelled with disposal dates (if known) e.g. on the file cover, so they are not accidentally disposed of.

Transferring Records

There are occasions when non-current records need to be passed onto other NHS organisations thus disposing of the record. Details must be retained of such movement of records.

Destroying Records

Records which are due to be destroyed but are the subject of a Freedom of Information Act 2000 or Environmental Information Regulations 2004 request and/or current complaint or litigation enquiry should be retained. Destruction should be delayed until disclosure has taken place or, if the organisation has decided not to disclose the information, until the complaint and appeals provisions of the legislation have been exhausted or the legal process completed.

A large number of NHS records contain sensitive or confidential information. It is therefore vital that confidentiality is safeguarded at every stage and that the method used to destroy such records is fully effective and secures their complete illegibility. Normally this will involve shredding, pulping, or incineration. Floppy disk/cd/backup tapes/audio tapes/memory sticks with person identifiable information must be reformatted with a random pattern to ensure data cannot be recovered or they must be physically destroyed.

A record or brief description including any reference and date of destruction must be kept about any record that has been destroyed following being retained for the appropriate period.
Further guidance should be sought from the Corporate Services Team if required. If records are inappropriately or unlawfully destroyed, the Incident Management Policy should be followed. If the records were electronic, the relevant back-up facilities should be utilised.

Confidential material designated for shredding should not be kept unsecured in any areas.

8. Appendices

8.1. Appendices to this procedure consist of:

Summary Records Retention Schedule
Archiving Flowchart

Records Management Appendix 1

Summary Records Retention Schedule

Below are some key principles to consider when archiving and retaining hardcopy and electronic documents. Please read the principles in conjunction with the archiving flowchart.

1. The Chair / Administrator of a meeting is required to take responsibility for archiving the agenda, minutes, papers and terms of reference. Attendees do not have responsibility to retain their copies.

2. Only documents which fall under the Records Retention Schedule need to be retained and/or archived.

3. If a document is available electronically, you do not need to archive a hardcopy; place the e-file to be archived in an e-folder named Archive and include a destruction date with each one in line with the Records Retention Schedule.

4. All archived items require a destruction date in line with the Records Retention Schedule.

5. CCG administrative records containing individual patient identifiable clinical patient information around treatments, choose and book, referrals, continuing care etc will be classed as health and care records for retention under the appropriate schedule.

6. The Records Retention Schedule demonstrates in detail the records to be held by NHS Doncaster CCG and the minimum retention periods. This is not a comprehensive list and if in doubt should be read in conjunction with Records Management NHS Code of Practice Part 2 (Department of Health 2006). Further advice is available from the Chief of Corporate Services.

Typical retention periods for frequently archived items are detailed overleaf.

Typical retention periods

Type of Record: Minimum Retention Period

Records / documents related to litigation: To be reviewed 10 years after case closure; destruction dependent upon advice from legal advisers
Board meetings and direct Sub Committees of Governing Body (Agendas / Minutes / Papers): 30 years. Master copies retained; duplicates should be retained as required and then destroyed
Other CCG meetings (Agendas / Minutes / Papers): 2 years or as agreed by chair of meeting
Business Plans (Master copies) including Local Delivery Plans: 20 years
Commissioning Decisions: Appeals 6 years from date of appeal decision; Decisions 6 years from date of decision
Papers of short lived importance not covered elsewhere i.e. advertising, covering letters, reminders, appointment letters, anonymous letters, drafts, etc.: 2 years after settlement of the matter to which they relate
Project Files (over £100,000): 6 years including abandoned and deferred projects
Project Files (less than £100,000): 2 years
Project Team Files (Summary): 3 years
Public Consultation (e.g. about future provision of services): 5 years
Quality Assurance Records including Care Quality Commission, External Audit, Organisational Audit: 12 years
Reports (Major): 30 years
Serious Untoward Incident Files: 30 years
Accounts annual final copy: 30 years
Accounts minor records including pass books, paying in slips, cheque counterfoils, petty cash etc: 2 years after completion of audit
Accounts working papers: 3 years from completion of audit
Contracts non sealed property or other: 6 years after termination of contract
Contracts sealed and associated records: Minimum of 15 years and then review
Contractual arrangements with hospitals or bodies outside NHS including all papers relating to financial settlements: 6 years after end of financial year
Tenders successful: Tender period plus 6 year limitation period
Tenders unsuccessful: 6 years

Records Management Appendix 2

Archiving Flowchart

Do you need to keep the document? (Please refer to the Record Retention Schedule)
*** only retain documents for which you are the lead *** e.g. not for meetings you have attended but not chaired/administered

No: DO NOT ARCHIVE THE DOCUMENT.

Yes: Is the document available electronically?

Yes (available electronically): PUT THE DOCUMENT IN AN ELECTRONIC FOLDER WITH A DESTRUCTION DATE IN THE TITLE (ACCORDING TO THE RETENTION SCHEDULE).

No (not available electronically): Can the document be scanned?

Yes (can be scanned): Scan the document. PUT THE DOCUMENT IN AN ELECTRONIC FOLDER WITH A DESTRUCTION DATE IN THE TITLE (ACCORDING TO THE RETENTION SCHEDULE). DESTROY THE ORIGINAL PAPER VERSION APPROPRIATELY.

No (cannot be scanned): ARCHIVE THE DOCUMENT. Set the retention period as per the retention schedule. Pack an archive box. Contact the Governance Manager for archiving forms and instructions.

NB
Do not include plastic sleeves, card folders, or file holders of any description; separate any batches with elastic bands or a sheet of paper.
Do not include any publications or documents that can be downloaded from the internet.
Batch together in one box documents that can be destroyed at a similar time.
Ensure each box is full to capacity.
Ensure that all boxes have a destruction date, and if relevant an accompanying spreadsheet with the detail of what the box contains.

ACCESS TO PERSONAL DATA UNDER THE DATA PROTECTION ACT 1998 AND ACCESS TO HEALTH RECORDS ACT 1990 PROCEDURE

C - ACCESS TO DATA UNDER THE DATA PROTECTION ACT 1998 AND ACCESS TO HEALTH RECORDS ACT 1990 PROCEDURE

1. Right of Access to personal data

1.1. Staff, patients and other individuals have the right under the Data Protection Act 1998 to request access to any personal data that is being held about them either in an automatically processable form (mainly computer records) or in a relevant filing system (i.e. any set of information structured in such a way that specific information relating to a particular individual is readily accessible) and to request the correction of such data where they are factually incorrect or are opinions based on factual inaccuracies.

Patients living outside the UK, but who once had treatment during their time in the UK, have the same rights to apply for access to their records and should be treated in the same way as applications from the UK.

Under the Access to Health Records Act (1990), when a person has died, their personal representative, executor, or anyone having a claim resulting from the death may apply for access to the deceased's health records. Each case will be considered individually.

2. Procedure for access to personal data (all requests)

2.1. NHS Doncaster Clinical Commissioning Group (CCG), as a commissioning organisation, does not hold medical records. We, or our Commissioning Support Unit, may hold some personal confidential data with direct patient consent in order to effectively commission services such as Continuing Healthcare or to respond to an enquiry or complaint. Those who are the subject of this data are entitled to a copy of this data under the Data Protection Act in the same way as they are entitled to a copy of their medical records.

All requests for access to personal data held by NHS Doncaster CCG are dealt with by the Information Governance Team.
For further information or guidance about access to health records requesters should be asked to contact the Information Governance Team on or in writing to:

Information Governance Team
NHS Doncaster Clinical Commissioning Group
Sovereign House
Heavens Walk
Doncaster
DN4 5HZ

2.3. If the requester requires access to their health records, then they will need to submit their request in writing to the appropriate organisation such as:

Their local GP surgery, optician, dentist or pharmacist.
Their local Community or Mental Health Trust for care provided by that Trust.
Their local Hospital Trust for care provided by that Trust.

Any request should be made in writing, with the requester's signature, and should contain enough information to identify the data required. If the request is in the form of a solicitor's letter, it will not require the completion of an application form. Individual consideration will be given to circumstances where the applicant is unable to provide a signature. A Health Records Access application form is appended to this procedure.

Disclosure must be made within the timescales laid down by the Act, i.e. within 40 days otherwise. NHS best practice recommends disclosure within 21 days where the record has been added to in the last 40 days.

Once the access request is received, the consent of the application is verified. Consent can take the form of:

A signature from the patient (including if the request comes from a solicitor).
A signature of the patient's representative e.g. the signature of a parent applying for access to their child's health records (it must be considered whether the child is of a capable age of making their own judgement on their healthcare), confirmation of a deceased patient's personal representative or grounds relating to a claim arising from a patient's death.
A signature from a person appointed to act in the best interests of the patient (e.g. Lasting Power of Attorney / Independent Mental Capacity Advocate).

The request should then be acknowledged so that the applicant is aware the request is being processed. This should be done even if the request is not applicable to the organisation or is being passed to another organisation. The application will then be forwarded to the appropriate Manager with responsibility for the records.
In the event that records sought are not held by the organisation the applicant will be referred to the relevant staff in those health organisations that employ the clinicians who have recorded the applicant's care.

If the record could be classed as clinical, then the appropriate Manager must liaise with the relevant lead health professional to discuss disclosure. If the appropriate health professional is not available, the Manager should seek the advice of the health professional who seems most appropriate to advise on the application. If the record is non-clinical, then the appropriate Manager must liaise with the Chief of Corporate Services. The lead health professional / Chief of Corporate Services should advise on:

Whether access should be allowed or limited to prevent (i) the disclosure of information which may cause serious harm to the physical or mental health or condition of the patient or any other person, or (ii) the identification of third party individuals.
Whether in conjunction with an application to a child's records, the child is capable of understanding the nature and purpose of the application.
Whether access would be in accord with the best interest or wishes of the patient.
Whether the applicant should be allowed to inspect the record itself or should be shown an extract setting out so much of the record as is not excluded from access. If an extract is to be shown this must be prepared by the health professional.
Third party information: this can be released if: i) the third party is a health professional who has compiled or contributed to the health records or who has been involved in the care of the patient; ii) the third party is not a health professional but gives their consent to disclosure; or iii) it is reasonable to dispense with the third party's consent (taking into account duty of confidentiality, any steps to seek consent, capability of giving consent and whether consent has been refused).
Whether it is necessary for the health professional to be present when the record or extract is inspected (in order to provide any explanation or counselling) or if this can be supervised by the appropriate manager with responsibility for records.
Whether access should be given by posting the record or extract to the applicant together with any necessary explanation.

The lead health professional may wish to authorise disclosure subject to agreement with other health professionals and may authorise the Manager to act on his/her behalf.

If a face-to-face meeting is required, the Manager should make an appointment with the applicant and lead health professional, if appropriate, within the timescales laid down by the Act, i.e.
for best practice within 21 days where the record has been added to in the last 40 days, and within 40 days otherwise. If a paper copy is required, the Manager will arrange for a copy of the notes to be made available and returned to the individual processing the application.

Certain types of personal data may be processed for particular purposes without the consent of individual data subjects, for example:

Where it is required by statute.
Where not to share the information poses a public health risk.
In the vital (life or death) interests of the data subject or another person and consent cannot be obtained.
Where sharing is required to prevent, detect or prosecute a serious crime such as treason, murder, manslaughter, rape, kidnapping, hostage-taking, causing an explosion likely to endanger life or property and hijacking (this list is not exhaustive).
Safeguarding of children or vulnerable adults where a lack of information sharing may lead to unjustified delay in making enquiries about allegations of serious harm.
For the exercise of public functions carried out in the public interest.

3. Amendments to Health Records

3.1. Any inaccuracies in the record, reported by the applicant, should be noted. If agreed by the health professional / manager (dependent on the type of record) these inaccuracies should be corrected using a single line to strike through the amendment and the amendment signed by the health professional / manager. Care must be taken not to obliterate information which may have significance for the future care and treatment of the patient or for litigation purposes.

4. Appealing Against a Decision / Making a Complaint

4.1. An applicant who wishes to appeal against a decision to either refuse access or refuse changes to a record should initially contact:

Chief of Corporate Services
Sovereign House
Heavens Walk
Doncaster
DN4 5HZ

4.2. Should the response not be satisfactory to the appellant, the appellant should contact the Information Commissioner. The Information Commissioner has power to rule that any erroneous information is rectified, blocked, erased or destroyed. The applicant should be given the Information Commissioner's details if they wish to contact them.

5. Fees for Access to Health Records

5.1. Requests made under the Data Protection Act 1998 or Access to Health Records Act (1990) may be subject to fees. These will be notified to any requester in advance of processing the request:

(a) £50 maximum fee (including postage) where the data subject is supplied with copies of manual or a combination of manual and automated records in permanent form.

(b) No fee where access (but no copies) is sought to manual records, at least part of which comprise a recent record (made within 40 days).
(c) £10 for granting access to automated records.
(d) £10 where access only (but no copies) is sought to manual records, none of which comprise a recent record (all are over 40 days old).

NHS Doncaster CCG reserve the right to waive fees depending on individual circumstances.

Once the Manager has sufficient information to locate the record, identify the applicant and the fee (if applicable), a response to the request for access to personal data will be made within 40 days (including bank holidays and weekends) of the request, and, wherever possible, within 21 days (including bank holidays and weekends) where the record has been added to in the last 40 days.

6. Access to records where the patient cannot give consent

6.1. There may be occasions where records are required to be accessed in the public's best interest but where patient consent cannot be obtained as they may be deceased, it may cause serious distress, or they do not have the capacity to consent and have no next of kin or appropriate advocate. In instances such as these, the advice of the Caldicott Guardian must be sought.

7. Procedure for Access to Staff Records

7.1. Under the Data Protection Act 1998, members of staff are entitled to see information that is held about them (for example, their personal file). Staff wanting to view their records can ask their line manager for informal access. Members of staff wishing to request formal copies of their records or where an access to view records has been refused should contact the Human Resources Manager directly.

Any inaccuracies in the staff record, reported by the applicant, should be noted. If agreed by the Human Resources Manager these inaccuracies should be corrected or removed. An indication should be made in the staff record regarding the amendment made. Care must be taken not to obliterate information which may have significance for litigation purposes. If the organisation does not agree to an amendment, the applicant can discuss the issue further or pursue a complaint via the Grievance Procedure.

A Staff Access application form is appended to this procedure.

8. Access to Corporate Records and Information

8.1. NHS Doncaster CCG has a policy and procedure for the management of all requests for information not covered by the Data Protection Act 1998 or Access to Health Records Act 1990. All such requests must be handled strictly in accordance with the Freedom of Information Act 2000 and Environmental Information Regulations 2004. These requests are handled by the Freedom of Information coordinator.

9. Assessing performance on Access Requests

9.1. Access Requests are subject to statutory timeframes and performance against this is reported quarterly to the Audit Committee via the Corporate Assurance Report. A Patient Satisfaction Survey can be used to determine satisfaction with the outcome of the services where access requests are received directly from a patient i.e. not via a solicitor.

10. Recorded images

The organisation may hold various recorded images of patients, staff and members of the public e.g. from CCTV systems hosted by NHS Property Services in various locations, or photos stored by the Communications Team. Staff, patients and other individuals may request access to these files in the same way as above.

11. Breaches related to disclosure of information

Staff are reminded that the intentional disclosure of information to a third party where a gain is made for themselves or another, or results in the risk of, or actual loss to NHS Doncaster CCG is a potential criminal offence under Section 4 of the Fraud Act. Suspicion of any such breaches should be reported without delay in accordance with the NHS Doncaster CCG's Fraud Policy and Response Plan, or a confidential report can be made to the NHS Fraud & Corruption Reporting Line, by calling

Requests under Data Protection Act 1998 s29 (3)

Organisations that have a crime prevention, law enforcement or tax collection function (e.g. Police, HMRC, DWP, NHS, CFSMS) may request information from NHS organisations under the provisions of Data Protection Act 1998 s29 (3).
Information may be requested for the prevention or detection of crime, apprehension or prosecution of offenders or for the assessment or collection of tax, duty or similar obligations. The organisation will make a decision based on the information provided in each instance but reserves the right not to release the information or to provide redacted information where it is considered appropriate. Any disclosures should be made with patient consent, or without consent in the over-riding public interest e.g. in serious cases of crime such as murder, manslaughter, rape, terrorism or serious fraud.

The Coroner may request access to medical or staff records. National guidance is that the Coroner is working in the public interest and should be provided with access to all aspects of records.

If the release relates to clinical records, advice should be sought from the Caldicott Guardian in such instances. If the release relates to corporate or staff records, advice should be sought from the Chief of Corporate Services in this instance.

13. Flowcharts

Flowcharts are appended to cover access for living and deceased individuals.

LIVING INDIVIDUALS

Access requested to record of living individual

Relates to own record
Does the subject of the record have mental capacity? (under the Mental Capacity Act)

Relates to a third party record
Does the subject of record have mental capacity? (under the Mental Capacity Act)

YES NO YES NO

GRANT ACCESS within 40 days legislatively, and 21 days wherever possible

Has the written consent of the subject of the record been received for release to the third party?
YES
NO: DO NOT RELEASE THE RECORD

Has a third party been legally authorised to act on their behalf?
YES: Legal documents needed as proof: Deputyship Order from the Court of Protection or Registered and Certified Lasting Power of Attorney (LPA) for Health & Welfare (if Finance LPA, release only finance data)
NO: DO NOT RELEASE THE RECORD

GRANT ACCESS within 40 days legislatively, and 21 days wherever possible

Prior to any release of data, consideration should be given to the following:

A healthcare professional should review the record.
How much data is requested: the whole record or part? Release the minimum needed.
Remove any references to third parties or references which could potentially identify third parties.
Remove any data which could, if released, cause serious harm to the person's mental or physical health.
Remove any data which relates to legal professional privilege.
Remove any data which is restricted by order of the Courts or other legislation e.g. adoption records.
Copies only should be provided, never originals.

DECEASED INDIVIDUALS

Access requested to record of deceased individual

Does the third party have a legal right of access to the record?
YES
NO: DO NOT RELEASE THE RECORD

Certain individuals have rights of access:

The patient's personal representative (Executor or Administrator of the deceased's Estate)
Any person who may have a claim arising out of the patient's death

NB. Data Controllers must satisfy themselves as to the identity of the applicant, who should provide as much information as possible to identify themselves. Where the application relates to a claim, the applicant must provide evidence to support their claim. Evidence could include:

A redacted copy of the Will showing the Executor / Administrator (or beneficiary for a claim)
Grant of Probate (if a Will is in existence)
Grant of Letters of Administration (if no Will)
Legal evidence that a Will is being contested

Executors can be a Solicitor or can appoint a Solicitor to act on their behalf. Next of kin has no legal definition and has no legal right of access.

GRANT ACCESS within 21 days if added to in the last 40 days, and within 40 days otherwise

Prior to any release of data, consideration should be given to the following:

A healthcare professional should review the record.
How much data is requested: the whole record or part? Release the minimum needed.
Remove any references to third parties or references which could potentially identify third parties.
Remove any data which could, if released, cause serious harm to the person's mental or physical health.
Remove any data which relates to legal professional privilege.
Remove any data which is restricted by order of the Courts or other legislation e.g. adoption records.
Copies only should be provided, never originals.

APPLICATION FOR ACCESS TO HEALTH RECORDS (DATA PROTECTION ACT 1998 / ACCESS TO HEALTH RECORDS ACT 1990)

SECTION 1: PATIENT DETAILS

Surname:
Forenames:
Address:
Date of Birth:
Postcode:
Reference number (if known):
NHS Number (if known):

If the patient's name and/or address was different from the above during the period to which the application relates, please give details:

Previous Surname:
Previous Address:
Postcode:

SECTION 2: INFORMATION REQUESTED

Please provide as much information as possible to clarify the information you are requesting. Give full details of all the episodes in which you are interested, and if you only wish to receive information relating to a specific aspect of one of these episodes, please specify in the comments section below.

Care episode / Dates / Comments

SECTION 2: AUTHORISATION TO ACCESS THE RECORD

I declare that the information given by me is correct to the best of my knowledge and belief and that I am entitled to apply for access to the health records referred to above under the terms of the Data Protection Act 1998 or Access to Health Records Act 1990.

PLEASE COMPLETE ONE OF THE SECTIONS BELOW.

A) * I am the patient

Signature:
Date:

B) * I have been asked to act by the patient

The patient's written authorisation to this effect is set out below.

I certify that I (Name of Patient) of (Address) hereby authorise (Name of applicant) to act on my behalf in respect of this application for access to my records.

Signature
Date

N.B. If patient is unable to sign please contact the person who sent you this form for advice.

* I am acting on behalf of the patient who lacks the capacity to consent as defined by the Mental Capacity Act. I hold a Power of Attorney or a Deputyship from the Court of Protection, a copy of which is attached, or I have been appointed as an Independent Mental Capacity Advocate to act for the patient.

Please now give us your details as the patient's representative

Surname:
Address:
Forenames:
Postcode:

C) Application for Young Person's Records

* I have parental responsibility and the patient is under the age of 16 years, and lacks the capacity to understand the request or has consented to my making this request or the patient is aged and has learning disabilities

Signature:
Date:

Please now give us your details as the adult applying for access to the record

Surname:
Address:
Forenames:
Postcode:

D) Deceased Patient

* I am the deceased patient's personal representative and attach confirmation of my appointment

Signature:
Date:

Please now give us your details as the patient's representative

Surname:
Address:
Forename:
Postcode:

E) Claim

* I have a claim arising from the patient's death and wish to access information relevant to my claim on the grounds that:

Please enclose evidence of a claim arising from the patient's death e.g. a copy of the Will

Signature:
Date:

Please now give us your details as the person wishing to access the record

Surname:
Address:
Forename:
Postcode:

IF YOU HAVE COMPLETED SECTIONS A, B, C or E

To help establish the patient's identity, your application must be accompanied by copies of TWO official documents that, between them, show the patient's name, date of birth and current address. DO NOT SEND ORIGINALS. For example, birth/adoption certificate, driving licence, medical card, passport or other official document that shows your name and address such as a utility bill. Failure to provide this proof of identity may delay your application.

IF YOU HAVE COMPLETED SECTION D

Please enclose a copy of the confirmation of your appointment. DO NOT SEND ORIGINALS.

On completion, this form should be forwarded to the Corporate Services Manager, NHS Doncaster CCG, Sovereign House, Heavens Walk, Doncaster DN4 5HZ.

Under the Data Protection Act 1998, NHS Doncaster CCG may charge a fee of up to to cover administrative charges such as photocopying and postage. You will be advised of such charges before your request is processed.

APPLICATION FOR ACCESS TO STAFF RECORDS (DATA PROTECTION ACT 1998)

Surname:
Forenames:
Address:
Date of Birth:
Postcode:

Details of record to be accessed: (please be as specific as possible about the type of data you are requesting / date range)

Declarations:

I declare that the information given by me is correct to the best of my knowledge and belief and that I am entitled to apply to access the records referred to above under the terms of the Data Protection Act 1998.

(Please identify your status; delete those below which do not apply)

* I am the member of staff
* I have been asked to act by the member of staff. The member of staff's written authorisation to this effect is set out below.

Signature
Date

Authorisation:

I certify that I (Name of member of staff) of (Address) hereby authorise (Name of applicant) to act on my behalf in respect of this application for access to my records.

Signature
Date

On completion, this form should be forwarded to the Corporate Services Manager, NHS Doncaster CCG, Sovereign House, Heavens Walk, Doncaster DN4 5HZ.

Under the Data Protection Act 1998, NHS Doncaster CCG may charge a fee of up to to cover administrative charges such as photocopying and postage. You will be advised of such charges before your request is processed.


More information

Information Governance Policy

Information Governance Policy Information Governance Policy Version: 4 Bodies consulted: Caldicott Guardian, IM&T Directors Approved by: MT Date Approved: 27/10/2015 Lead Manager: Governance Manager Responsible Director: SIRO Date

More information

INFORMATION GOVERNANCE AND DATA PROTECTION POLICY

INFORMATION GOVERNANCE AND DATA PROTECTION POLICY INFORMATION GOVERNANCE AND DATA PROTECTION POLICY WN CCG Information Governance & Data Protection Policy July 2013 1 Document Control Sheet Name of Document: Information Governance & Data Protection Policy

More information

INFORMATION GOVERNANCE STRATEGY

INFORMATION GOVERNANCE STRATEGY INFORMATION GOVERNANCE STRATEGY Page 1 of 10 Strategy Owner Valerie Penn, Head of Governance Strategy Author Caroline Law, Information Governance Project Manager Directorate Corporate Governance Ratifying

More information

Information Governance Strategy & Policy

Information Governance Strategy & Policy Information Governance Strategy & Policy March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aims 1 3 Policy 2 4 Responsibilities 3 5 Information Governance Reporting Structure 4 6 Managing Information

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy THCCGCG9 Version: 01 The information governance strategy outlines the CCG governance aims and the key objectives of its governance policies. The Chief officer has the overarching

More information

Information Governance Policy

Information Governance Policy Information Governance Policy UNIQUE REF NUMBER: AC/IG/013/V1.2 DOCUMENT STATUS: Approved by Audit Committee 19 June 2013 DATE ISSUED: June 2013 DATE TO BE REVIEWED: June 2014 1 P age AMENDMENT HISTORY

More information

Information Governance Policy

Information Governance Policy Policy Policy Number / Version: v2.0 Ratified by: Audit Committee Date ratified: 25 th February 2015 Review date: 24 th February 2016 Name of originator/author: Name of responsible committee/individual:

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Primary Intranet Location Information Management & Governance Version Number Next Review Year Next Review Month 7.0 2018 January Current Author Phil Cottis Author s Job Title

More information

Information Governance Framework and Strategy. November 2014

Information Governance Framework and Strategy. November 2014 November 2014 Authorship : Committee Approved : Chris Wallace Information Governance Manager CCG Senior Management Team and Joint Trade Union Partnership Forum Approved Date : November 2014 Review Date

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy To whom this document applies: All Trust staff, including agency and contractors Procedural Documents Approval Committee Issue Date: January 2010 Version 1 Document reference:

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Information Governance Policy_v2.0_060913_LP Page 1 of 14 Information Reader Box Directorate Purpose Document Purpose Document Name Author Corporate Governance Guidance Policy

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Issued by: Senior Information Risk Owner Policy Classification: Policy No: POLIG001 Information Governance Issue No: 1 Date Issued: 18/11/2013 Page No: 1 of 16 Review Date:

More information

1.5 The Information Governance Policy should be read in conjunction with the Information Governance Strategy.

1.5 The Information Governance Policy should be read in conjunction with the Information Governance Strategy. Title: Reference No: NHSNYYIG - 007 Owner: Author: INFORMATION GOVERNANCE POLICY Director of Standards First Issued On: September 2010 Latest Issue Date: February 2012 Operational Date: February 2012 Review

More information

Information Governance Policy

Information Governance Policy Author: Susan Hall, Information Governance Manager Owner: Fiona Jamieson, Assistant Director of Healthcare Governance Publisher: Compliance Unit Date of first issue: February 2005 Version: 5 Date of version

More information

Information Governance Policy (incorporating IM&T Security)

Information Governance Policy (incorporating IM&T Security) (incorporating IM&T Security) ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the

More information

Information Sharing Policy

Information Sharing Policy Information Sharing Policy REFERENCE NUMBER IG 010 / 0v3 February 2013 VERSION V1.0 APPROVING COMMITTEE & DATE Clinical Executive Committee 5.2.13 REVIEW DUE DATE February 2016 West Lancashire CCG is committed

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Version 1.1 Responsible Person Information Governance Manager Lead Director Head of Corporate Services Consultation Route Information Governance Steering Group Approval Route

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Information Governance Policy Issue Date: June 2014 Document Number: POL_1008 Prepared by: Information Governance Senior Manager Insert heading depending on Insert line heading

More information

Information Governance Plan

Information Governance Plan Information Governance Plan 2013 2015 1. Overview 1.1 Information is a vital asset, both in terms of the clinical management of individual patients and the efficient organisation of services and resources.

More information

Information Governance Strategy :

Information Governance Strategy : Item 11 Strategy Strategy : Date Issued: Date To Be Reviewed: VOY xx Annually 1 Policy Title: Strategy Supersedes: All previous Strategies 18/12/13: Initial draft Description of Amendments 19/12/13: Update

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the

More information

Information Governance Policy Version - Final Date for Review: 1 October 2017 Lead Director: Performance, Quality and Cooperate Affairs

Information Governance Policy Version - Final Date for Review: 1 October 2017 Lead Director: Performance, Quality and Cooperate Affairs Information Governance Policy Version - Final Date for Review: 1 October 2017 Lead Director: Performance, Quality and Cooperate Affairs NOTE: This is a CONTROLLED Document. Any documents appearing in paper

More information

INFORMATION RISK MANAGEMENT POLICY

INFORMATION RISK MANAGEMENT POLICY INFORMATION RISK MANAGEMENT POLICY DOCUMENT CONTROL: Version: 1 Ratified by: Steering Group / Risk Management Sub Group Date ratified: 21 November 2012 Name of originator/author: Manager Name of responsible

More information

Information Governance and Data Protection Policy

Information Governance and Data Protection Policy Information Governance and Data Protection Policy Page 1 of 21 Document Control Sheet Name of document: Version: Owner: File location / Filename: Information Governance and Data Protection Policy Final

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Policy Summary This policy outlines the organisation s approach to the management of Information Governance and information handling. It explains the accountability and reporting

More information

NHS Waltham Forest Clinical Commissioning Group Information Governance Policy

NHS Waltham Forest Clinical Commissioning Group Information Governance Policy NHS Waltham Forest Clinical Commissioning Group Information Governance Policy Author: Zeb Alam & David Pearce Version 3.0 Amendments to Version 2.1 Updates made in line with National Guidance and Legislation

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Document Number 01 Version Number 2.0 Approved by / Date approved Effective Authority Customer Services & ICT Authorised by Assistant Director Customer Services & ICT Contact

More information

Information Governance Strategy 2015/16

Information Governance Strategy 2015/16 Information Governance Strategy 2015/16 Ratified Governing Body (November 2015) Status Final Issued November 2015 Approved By Executive Committee (August 2015) Consultation Equality Impact Assessment Internal

More information

Information Governance Policy. 2 RESPONSIBLE PERSON: Steve Beeho, Head of Integrated Governance. All CCG-employed staff.

Information Governance Policy. 2 RESPONSIBLE PERSON: Steve Beeho, Head of Integrated Governance. All CCG-employed staff. Information Governance Policy 1 SUMMARY This policy is intended to ensure that staff are fully aware of their Information Governance (IG) responsibilities, so that they can effectively manage and best

More information

Barnsley Clinical Commissioning Group. Information Governance Policy and Management Framework

Barnsley Clinical Commissioning Group. Information Governance Policy and Management Framework Putting Barnsley People First Barnsley Clinical Commissioning Group Information Governance Policy and Management Framework Version: 1.1 Approved By: Governing Body Date Approved: 16 January 2014 Name of

More information

INFORMATION GOVERNANCE POLICY & FRAMEWORK

INFORMATION GOVERNANCE POLICY & FRAMEWORK INFORMATION GOVERNANCE POLICY & FRAMEWORK Version 1.2 Committee Approved by Audit Committee Date Approved 5 March 2015 Author: Responsible Lead: Associate IG Specialist, YHCS Corporate & Governance Manger

More information

SOMERSET PARTNERSHIP NHS FOUNDATION TRUST RECORDS MANAGEMENT STRATEGY. Report to the Trust Board 22 September 2015. Information Governance Manager

SOMERSET PARTNERSHIP NHS FOUNDATION TRUST RECORDS MANAGEMENT STRATEGY. Report to the Trust Board 22 September 2015. Information Governance Manager SOMERSET PARTNERSHIP NHS FOUNDATION TRUST RECORDS MANAGEMENT STRATEGY Report to the Trust Board 22 September 2015 Sponsoring Director: Author: Purpose of the report: Key Issues and Recommendations: Director

More information

Data Protection Policy

Data Protection Policy Data Protection Policy 1. Introduction and purpose 1.1 Children s Hearings Scotland (CHS) is required to maintain certain personal data about individuals for the purposes of satisfying our statutory, operational

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY ENFIELD CLINICAL COMMISSIONING GROUP INFORMATION GOVERNANCE POLICY PLEASE DESTROY ALL PREVIOUS VERSIONS OF THIS DOCUMENT Enfield CCG Information Governance Policy Information Governance Policy (Policy

More information

Information Governance Framework

Information Governance Framework Information Governance Framework Authorship: Chris Wallace, Information Governance Manager Committee Approved: Integrated Audit and Governance Committee Approved date: 11th March 2014 Review Date: March

More information

NHS North Durham Clinical Commissioning Group. Information Governance Strategy 2015/16

NHS North Durham Clinical Commissioning Group. Information Governance Strategy 2015/16 NHS North Durham Clinical Commissioning Group Information Governance Strategy 2015/16 Document Status Equality Impact Assessment Document Ratified/Approved By Final No impact Risk and Audit Committee/Governing

More information

Information Governance Policy

Information Governance Policy Information Governance Policy REFERENCE NUMBER IG 101 / 0v3 May 2012 VERSION V1.0 APPROVING COMMITTEE & DATE Clinical Executive 4.9.12 REVIEW DUE DATE May 2015 West Lancashire CCG is committed to ensuring

More information

Information Governance Policy

Information Governance Policy Information Governance Policy 1 Introduction Healthwatch Rutland (HWR) needs to collect and use certain types of information about the Data Subjects who come into contact with it in order to carry on its

More information

Caedmon College Whitby

Caedmon College Whitby Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be

More information

Information Governance Strategy. Version No 2.0

Information Governance Strategy. Version No 2.0 Plymouth Community Healthcare CIC Information Governance Strategy Version No 2.0 Notice to staff using a paper copy of this guidance. The policies and procedures page of PCH Intranet holds the most recent

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Version Version 1 Ratified By Date Ratified PROPOSED FOR APPROVAL 15/11/12 Author(s) Responsible Committee / Officers Date Issue November 2012 Review Date November 2013 Intended

More information

NHS Newcastle Gateshead Clinical Commissioning Group. Information Governance Strategy 2015/16

NHS Newcastle Gateshead Clinical Commissioning Group. Information Governance Strategy 2015/16 NHS Newcastle Gateshead Clinical Commissioning Group Information Governance Strategy 2015/16 Document Status Equality Impact Assessment Document Ratified/Approved By Approved No impact NHS Quality, Safety

More information

Information Governance Policy and Management Framework

Information Governance Policy and Management Framework Information Governance Policy and Management Framework Policy Number: IG01 Version: 3.0 Ratified by: Governing Body Date ratified: February 2016 Name of originator/author: Louise Chatwyn Information Governance

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Reference: Information Governance Policy Date Approved: April 2013 Approving Body: Board of Trustees Implementation Date: April 2013 Version: 6 Supersedes: 5 Stakeholder groups

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Policy approved by: Governance and Corporate Affairs Committee Date: December 2014 Next Review Date: August 2016 Version: 0.2 Page 1 of 14 Review and Amendment Log / Control Sheet

More information

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Version: 3.2 Authorisation Committee: Date of Authorisation: May 2014 Ratification Committee Level 1 documents): Date of Ratification Level 1 documents): Signature of ratifying

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Name of Policy Author: Name of Review/Development Body: Ratification Body: Ruth Drewett Information Governance Steering Group Committee Trust Board : April 2015 Review date:

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

Date of review: January 2016 Policy Category: Corporate Sponsor (Director): Chief Executive CONTENT SECTION DESCRIPTION PAGE.

Date of review: January 2016 Policy Category: Corporate Sponsor (Director): Chief Executive CONTENT SECTION DESCRIPTION PAGE. Title: Information Governance Policy Date Approved: Approved by: Date of review: Policy Ref: Issue: January 2015 Information Governance Group Division/Department: January 2016 Policy Category: ISP-04 5

More information

Information Governance Policy

Information Governance Policy BEXLEY CARE TRUST MANAGEMENT MANUAL Title: INFORMATION GOVERNANCE POLICY Originating Department: IT DEPARTMENT Authorised by: Risk Management Committee June 2008 Reference no: CA12 Date of Issue: JANUARY

More information

Policy Checklist. Head of Information Governance

Policy Checklist. Head of Information Governance Policy Checklist Name of Policy: Information Governance Policy Purpose of Policy: To provide guidance to all staff on their responsibilities regarding information governance and to ensure that the Trust

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Policy ID IG02 Version: V1 Date ratified by Governing Body 27/09/13 Author South Commissioning Support Unit Date issued: 21/10/13 Last review date: N/A Next review date: September

More information

Corporate Policy and Strategy Committee

Corporate Policy and Strategy Committee Corporate Policy and Strategy Committee 10am, Tuesday, 30 September 2014 Information Governance Policies Item number Report number Executive/routine Wards All Executive summary Information is a key asset

More information

NHS Hartlepool and Stockton-on-Tees Clinical Commissioning Group. Information Governance Strategy 2015/16

NHS Hartlepool and Stockton-on-Tees Clinical Commissioning Group. Information Governance Strategy 2015/16 NHS Hartlepool and Stockton-on-Tees Clinical Commissioning Group Information Governance Strategy 2015/16 Document Status Equality Impact Assessment Final No impact Document Ratified/Approved By Hartlepool

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Page 1 of 12 Review and Amendment Log/Control Sheet Responsible Officer:

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Version: Revised: Consultation: Ratified by: 1.0 Information Governance Committee Governance Committee Date ratified: 19 March 2008 Name of originator/author: David McGrath

More information

DATA PROTECTION AND DATA STORAGE POLICY

DATA PROTECTION AND DATA STORAGE POLICY DATA PROTECTION AND DATA STORAGE POLICY 1. Purpose and Scope 1.1 This Data Protection and Data Storage Policy (the Policy ) applies to all personal data collected and dealt with by Centre 404, whether

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

CCG: IG06: Records Management Policy and Strategy

CCG: IG06: Records Management Policy and Strategy Corporate CCG: IG06: Records Management Policy and Strategy Version Number Date Issued Review Date V3 08/01/2016 01/01/2018 Prepared By: Consultation Process: Senior Governance Manager, NECS CCG Head of

More information

Data Protection Policy

Data Protection Policy Data Protection Policy CONTENTS Introduction...2 1. Statement of Intent...2 2. Fair Processing or Privacy Statement...3 3. Data Uses and Processes...4 4. Data Quality and Integrity...4 5. Technical and

More information

BEFORE USING THIS GUIDANCE, MAKE SURE YOU HAVE THE MOST UP TO DATE VERSION GUIDANCE 2 POLICY AREA: INFORMATION GOVERNANCE

BEFORE USING THIS GUIDANCE, MAKE SURE YOU HAVE THE MOST UP TO DATE VERSION GUIDANCE 2 POLICY AREA: INFORMATION GOVERNANCE GUIDANCE 1 TITLE: INFORMATION GOVERNANCE FRAMEWORK 2 POLICY AREA: INFORMATION GOVERNANCE 3 ACCOUNTABLE DIRECTOR FOR POLICY AREA: DIRECTOR OF QUALITY AND GOVERNANCE 4 GUIDANCE DRAFTED BY: INTEGRATED GOVERNANCE

More information

INFORMATION GOVERNANCE POLICY (INCORPORATING INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK)

INFORMATION GOVERNANCE POLICY (INCORPORATING INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK) Ref No: IN-101 INFORMATION GOVERNANCE POLICY (INCORPORATING INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK) AREA: POLICY SPONSOR: Trust Wide Director of Finance IMPLEMENTED: October 2009 REVISED: June 2011

More information

Data Protection Policy June 2014

Data Protection Policy June 2014 Data Protection Policy June 2014 Approving authority: Consultation via: Court Audit and Risk Committee, University Executive, Secretary's Board, Information Governance and Security Group Approval date:

More information

ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY

ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY Originated by: Data Protection Working Group: November 2008 Impact Assessment: (to be confirmed) Recommended by Senate: 28 January 2009 Approved by Council:

More information

Information Governance Framework

Information Governance Framework Information Governance Framework March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aim 2 3 Purpose, Values and Principles 2 4 Scope 3 5 Roles and Responsibilities 3 6 Review 5 Appendix 1 - Information

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Version 1.3 April 2014 Contents 1 POLICY STATEMENT...2 2 PURPOSE....2 3 LEGAL CONTEXT AND DEFINITIONS...2 3.1 Data Protection Act 1998...2 3.2 Other related legislation.....4 3.3

More information

Policy Document Control Page

Policy Document Control Page Policy Document Control Page Title Title: Data Protection Policy Version: 3 Reference Number: CO59 Keywords: Data, access, principles, protection, Act. Data Subject, Information Supersedes Supersedes:

More information

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1 Protection of Personal Data RPC001147_EN_WB_L_1 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Responsibility of Employees

More information

NHS Commissioning Board: Information governance policy

NHS Commissioning Board: Information governance policy NHS Commissioning Board: Information governance policy DOCUMENT STATUS: To be approved / Approved DOCUMENT RATIFIED BY: DATE ISSUED: October 2012 DATE TO BE REVIEWED: April 2013 2 AMENDMENT HISTORY: VERSION

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Implementation date: 30 September 2014 Control schedule Approved by Corporate Policy and Strategy Committee Approval date 30 September 2014 Senior Responsible Officer Kirsty-Louise

More information

DATA PROTECTION ACT 1998 COUNCIL POLICY

DATA PROTECTION ACT 1998 COUNCIL POLICY DATA PROTECTION ACT 1998 COUNCIL POLICY Page 1 of 5 POLICY STATEMENT Blackpool Council recognises the need to fully comply with the requirements of the Data Protection Act 1998 (DPA) and the obligations

More information

A Question of Balance

A Question of Balance A Question of Balance Independent Assurance of Information Governance Returns Audit Requirement Sheets Contents Scope 4 How to use the audit requirement sheets 4 Evidence 5 Sources of assurance 5 What

More information

JOB DESCRIPTION. Information Governance Manager

JOB DESCRIPTION. Information Governance Manager JOB DESCRIPTION POST TITLE: Information Governance Manager DIRECTORATE: ACCOUNTABLE TO: BAND: LOCATION: CSS Head of Information Governance 8a CSS Job Purpose The Information Governance Manager will ensure

More information

Procedures. Issue Date: June 2014 Version Number: 2.0. Document Number: POL_1009. Status: Approved Next Review Date: April 2017 Page 1 of 17

Procedures. Issue Date: June 2014 Version Number: 2.0. Document Number: POL_1009. Status: Approved Next Review Date: April 2017 Page 1 of 17 Proforma: Information Policy Security & Corporate Policy Procedures Status: Approved Next Review Date: April 2017 Page 1 of 17 Issue Date: June 2014 Prepared by: Information Governance Senior Manager Status:

More information

Policy: D9 Data Quality Policy

Policy: D9 Data Quality Policy Policy: D9 Data Quality Policy Version: D9/02 Ratified by: Trust Management Team Date ratified: 16 th October 2013 Title of Author: Head of Knowledge Management Title of responsible Director Director of

More information

INFORMATION GOVERNANCE

INFORMATION GOVERNANCE This document is uncontrolled once printed. Please refer to the Trusts Intranet site (Procedural Documents) for the most up to date version INFORMATION GOVERNANCE NGH-PO-233 Ratified By: Procedural Document

More information

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2. Information Governance Strategy and Policy Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.0 Status: Final Revision and Signoff Sheet Change Record Date Author Version Comments

More information

Lancashire County Council Information Governance Framework

Lancashire County Council Information Governance Framework Appendix 'A' Lancashire County Council Information Governance Framework Introduction Information Governance provides a framework for bringing together all of the requirements, standards and best practice

More information

Information Management Policy CCG Policy Reference: IG 2 v4.1

Information Management Policy CCG Policy Reference: IG 2 v4.1 Information Management Policy CCG Policy Reference: IG 2 v4.1 Document Title: Policy Information Management Document Status: Final Page 1 of 15 Issue date: Nov-2015 Review date: Nov-2016 Document control

More information

HERTSMERE BOROUGH COUNCIL

HERTSMERE BOROUGH COUNCIL HERTSMERE BOROUGH COUNCIL DATA PROTECTION POLICY October 2007 1 1. Introduction Hertsmere Borough Council ( the Council ) is fully committed to compliance with the requirements of the Data Protection Act

More information

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY Policy approved by: Audit and Governance Committee Date: 4 th December 2014 Next Review Date: December 2016 Version: 1 Information Security Policy Page 1 of 17 Review and Amendment

More information

43: DATA SECURITY POLICY

43: DATA SECURITY POLICY 43: DATA SECURITY POLICY DATE OF POLICY: FEBRUARY 2013 STAFF RESPONSIBLE: HEAD/DEPUTY HEAD STATUS: STATUTORY LEGISLATION: THE DATA PROTECTION ACT 1998 REVIEWED BY GOVERNING BODY: FEBRUARY 2013 EDITED:

More information

INFORMATION GOVERNANCE STRATEGY NO.CG02

INFORMATION GOVERNANCE STRATEGY NO.CG02 INFORMATION GOVERNANCE STRATEGY NO.CG02 Applies to: All NHS LA employees, Non-Executive Directors, secondees and consultants, and/or any other parties who will carry out duties on behalf of the NHS LA.

More information

RECORDS MANAGEMENT POLICY

RECORDS MANAGEMENT POLICY RECORDS MANAGEMENT POLICY Version 8.0 Purpose: For use by: This document is compliant with /supports compliance with: To outline the lifecycle of a record and to provide guidance on retention and disposal

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Version: V1 Ratified by: Operational Management Executive Committee Date ratified: 26 September 2013 Name and Title of originator/author(s): Chris Brady, FOI, Data Protection and

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Responsible Officer Author Date effective from July 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended December 2012 Review

More information

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19 Protection of Personal Data RPC001147_EN_D_19 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Rules Responsibility

More information

Information Governance Policy A council-wide information management policy. Version 1.0 June 2013

Information Governance Policy A council-wide information management policy. Version 1.0 June 2013 Information Governance Policy Version 1.0 June 2013 Copyright Notification Copyright London Borough of Islington 2012 This document is distributed under the Creative Commons Attribution 2.5 license. This

More information

An Approach to Records Management Audit

An Approach to Records Management Audit An Approach to Records Management Audit DOCUMENT CONTROL Reference Number Version 1.0 Amendments Document objectives: Guidance to help establish Records Management audits Date of Issue 7 May 2007 INTRODUCTION

More information

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose...

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose... IM&T Infrastructure Security Policy Board library reference Document author Assured by Review cycle P070 Information Security and Technical Assurance Manager Finance and Planning Committee 3 Years This

More information