Trust Informatics Policy. Information Governance. Information Assurance Policy

Trust Informatics Policy
Information Governance (Combined DP, DP Communication, Information Security & Clear Desk Policies)

Document Control
Document Title: Information Governance (Combined DP, DP Communication, Information Security & Clear Desk Policies)
Author/Contact: Pauline Nordoff-Tate
Document Reference: 155
Document Impact Assessed (Yes/No): Date: 18/05/12
Version: 3.0
Status: Approved
Publication Date: 28/05/12
Review Date: 28/05/14
Approved by: Dr P Williams, Caldicott Guardian, 28/05/12
Ratified by: Information Governance Group, 28/05/12
Distribution: Royal Liverpool and Broadgreen University Hospitals NHS Trust intranet, using Sharepoint, which will maintain the policy document in conjunction with each document author.

Please note that the Intranet version of this document is the only version that is maintained. Any printed copies should therefore be viewed as uncontrolled and, as such, may not necessarily contain the latest updates and amendments.

Royal Liverpool and Broadgreen University Hospitals NHS Trust

Table of Contents
Introduction
Objective
Scope of policy
Policy
Overview of the Data Protection Act (DPA)
Caldicott Principles
Fair Obtaining/Processing and Consent
Staff Information
Rights under the DPA
Security
Contracts
Transfer of Personal Information outside the EEA (European Economic Area)
Controlling/Inventory of Assets
Incident Management and Reporting
Risk Assessment
Service Continuity Planning
System Planning, Procurement and Acceptance
Security of Third Party Suppliers
Protecting the Physical Environment
Maintaining a Secure Perimeter
Physical Access Controls
Back-up, Recovery and Contingency Plans
Protecting against Computer Viruses
Security of Media in Transit
Disposal of Printer Ribbons
The Handling of Printed Output
Security of Application Systems
System Access Control - Data Access
Operational Handbook
User Password Management
Computer Access Control
Security of Networks
Data Protection Communication for audit
Research
Patient Council
Internet
Clear Desk
Roles and Responsibilities
5.1 Directorate Managers/Heads of Department
Associated documents and references
Disciplinary Measures
Training & Resources
Induction
Contracts of employment
Monitoring and Audit
Equality and Diversity
Appendix 1 - The Data Protection Act
Appendix 2 - The Caldicott Principles
Appendix 3 - Document History / Version Control

I:\IG\IGM\IGT\March 2013\Document library\policies\draft\ia Policy V3

1.0 Introduction

The Trust has a legal responsibility to ensure that the processing of all personal information relating to a living individual is carried out in accordance with the requirements of the Data Protection Act 1998 and other relevant legislation. It also has a duty to comply with guidance issued by the NHS and related bodies. The Act forms the legal base within the UK to implement European Directive 95/46 on the Protection of Individuals with Regard to the Processing of Personal Data and brings the United Kingdom (UK) into line on Data Protection with the rest of the European Economic Area. The Data Protection Act sets out 8 key principles which must be applied to personal data (Appendix 1). This policy overlaps with the Information Access Policy.

This policy should be applied to all personal information held by or for the Trust. This includes information about patients, relatives, carers, staff or colleagues held in any format (images, audio tape, CDs, paper, computer, microfilm, scanned etc.) by or for the Trust.

The increasing need to transmit information across networks of computers, including those in the primary care sector, renders the data more vulnerable to accidental or deliberate unauthorised modification or disclosure. The use of computers in the Trust's activities offers advantages if handled securely, but could present serious hazards if security is inadequate.

2.0 Objective

The objective of this policy is to ensure that the appropriate processes and procedures are in place to ensure compliance with the Act, together with the associated day-to-day operational procedures required to establish and maintain the Trust Information Management and Technology (IM&T) security framework in relation to the provision of services between the Royal and the HIS. This includes regular audit and ensuring staff are appropriately trained and competent to comply with the Act. All Trust staff must be aware of their responsibilities and the regulations under the Act, and the consequences of breaching the legislation.

3.0 Scope of policy

Data stored in information systems represent an extremely valuable asset. The increasing reliance of the NHS on information technology for the delivery of health care makes it necessary to ensure that these systems are developed, operated, used and maintained in a safe and secure fashion. Within the Trust, the use of information systems has a strategic role in ensuring that departments can carry out their business functions effectively. It therefore follows that IT security is of equal strategic importance to the continuity of the Trust's business.

This policy applies to all staff employed by Royal Liverpool & Broadgreen Hospitals NHS Trust, including bank, agency and locum staff, students, voluntary staff, contractors and trainees on temporary placement, those holding honorary contracts or subject to the joint working authority with the Liverpool Chest and Heart Hospital, and any other shared working agreements with local partner organizations.

4.0 Policy

4.1 Overview of the Data Protection Act (DPA) 1998

This Act applies to all personally identifiable information held in electronic or manual files; computer databases; videos and other automated media about living individuals, such as personnel and payroll records, medical records, other manual files, microfiche/film, pathology results, x-rays, PACS, and scanned images. This list is not exhaustive. The Act dictates that information should only be disclosed on a need-to-know basis; however, data collected or disclosed should be adequate and justifiable to meet the needs of the task. Printouts and paper records must be treated carefully and disposed of in a secure manner, and staff must not disclose information outside their line of duty. Any unauthorised disclosure of information by a member of staff will be considered a disciplinary offence.

The Act requires the Trust to register with the office of the Information Commissioner. The registration covers the personal data held, the purposes for which it is held, identifying how it is used and to whom it may be disclosed. Failure to register, or an incorrect registration, is a criminal offence. The Trust also has to comply with the Data Protection Principles (see Appendix 1) and apply exemptions appropriately. Under a provision of the Data Protection Act an individual can request access to their information, regardless of the media by which this information may be held/retained. Requests for personal information are handled by the Access to Information Team. Requests for other corporate information are dealt with under the Freedom of Information Act.

The Data Protection Officer is responsible for ensuring that the Trust registers annually with the office of the Information Commissioner. This process is known as notification. Notification is one means of ensuring the public are aware of the uses of their information by the Trust. Managers of Trust services must inform the Data Protection Officer if there are any significant changes to the way in which information is handled or new processes are put in place. The Trust does not have any automated decision making processes; however, automated decision making processes are notifiable to the Commissioner and therefore the Data Protection Officer needs to be informed.

Information must be adequate, relevant, not excessive, and accurate, kept up to date where necessary and not kept for longer than is necessary. Information should be complete, adequate and justified as being required for the purpose for which it is required. This means that care must be applied at all points of processing, from collection to sharing and disposal of information. Guidance on disposal of information can be found in the Trust's Records Management Policy.

4.2 Caldicott Principles

There are specific requirements highlighted within the Caldicott recommendations that apply specifically to patient identifiable information. Most of these are also requirements of compliance with the Data Protection legislation, and there is much overlap between the two. Specifically they relate to security, confidentiality and fair obtaining of information, as well as ensuring all disclosures are valid and authorised. The Trust has a Caldicott Guardian, who is the Medical Director and who oversees issues in relation to patient information/data. Appendix 2 also details the Caldicott principles.

4.3 Fair Obtaining/Processing and Consent

Under the first principle of the Data Protection Act (DPA), there is a requirement to make the general public and staff aware of why the National Health Service (NHS) uses information about them, how this is processed, and to whom it may be disclosed. The Trust is obliged under data protection requirements and Caldicott recommendations to produce patient information leaflets and posters which are customised to its own use/s of patient information.

The primary mechanism for the delivery of these notices for patients is the Trust's "Information about You" leaflets, which are distributed to all patients with their first appointment letter. This is further supported by information posters located within patient waiting/clinic areas, statements in patient handbooks, survey forms and research consent forms, verbally by those health care professionals providing care, and by wards that provide information relating to the processing of patient information. The patient information leaflet is available in large print, Braille, as audiocassette and in other languages on request, and interpreters can also be provided upon request.

4.4 Staff Information

There must also be procedures to notify staff, temporary employees (volunteers, locums) etc. of the reasons why their information is required, how it will be used and to whom it may be disclosed. This may occur during induction or through their individual manager. The Data Protection Act also requires a similar level of notification to staff regarding the processing of their information. Specifically, this is in relation to security, confidentiality and fair obtaining of information, as well as ensuring all disclosures are valid and authorised. All staff information, whether manually or automatically held, will be kept secure when not being used for employment or related purposes. Staff will be kept informed of any changes to the processing of their information, such as the implementation of the Electronic Staff Record, changes in payroll or other projects where data may be shared, stored or disclosed in a different way. Staff will be made aware of their right of access to their records.

4.5 Rights under the DPA

The Trust's procedures ensure that the rights of individuals are upheld. Individuals have the following rights under the Data Protection legislation:
- Right of subject access to information held about them
- Right to prevent processing likely to cause harm or distress
- Right to prevent processing for the purposes of direct marketing
- Right in relation to automated decision taking
- Right to take action for compensation if the individual suffers damage
- Right to take action to rectify, block, erase or destroy inaccurate data
- Right to make a request to the Information Commissioner for an assessment to be made as to whether any provision of the Act has been contravened

The Access to Health Records Act 1990 provides access rights for relatives to deceased patients' records.

4.6 Security

All information relating to identifiable individuals must be kept secure at all times. The Trust will ensure there are adequate policies and procedures in place to protect against unauthorised processing of information and against accidental loss, destruction and damage to this information.

It is important that all information is disposed of in a secure manner. There have been occasions where NHS information concerning patients has been discovered in public amenity waste disposal or in other public areas. It is essential that all paper waste containing personal information be disposed of in green bags for shredding, and in conjunction with the disposal and retention schedule in the Records Management Policy. The Trust ensures that all forms of electronic media are disposed of in an appropriate manner, and provides guidance to all staff on the best practice for the disposal of storage media in accordance with the Secure Disposal of Media Policy.

It is essential that all information-processing systems in use within the Trust be protected to an adequate level from events that may impact upon Trust operational services:
- Confidentiality: data access is confined to those with specified authority to view the data.
- Integrity: all system assets are operating correctly according to specification and in the way the current user believes them to be operating.
- Availability: information is delivered to the right person when it is needed.

The purpose of this policy is to provide a framework within which Partner Organisations can develop a security aware organisation.

4.7 Contracts

Information that is shared between any other Authority/Trust/Practice and third parties should have a contract in place, which should include appropriate confidentiality clauses. These must place the same requirements on the contractor to meet the 7th Principle of the Act as are placed on the Trust as Data Controller. Advice should also be sought from the Data Protection Officer.

4.8 Transfer of Personal Information outside the EEA (European Economic Area)

The Trust does have some transfers of information in the course of its normal business that require it to send information outside of the EEA. This is monitored via the Trust's data flow returns and assessed for risk. If such a requirement arises, it must be discussed with the Data Protection Officer prior to transmission.

4.9 Controlling/Inventory of Assets

An inventory of assets will be maintained through the Configuration Management Database (CMDB). The CMDB will be maintained and managed by the IT Service Desk. The inventory records, for each asset:
- Asset identification - make, model, serial numbers
- User (i.e. the primary user)
- Responsible System Manager
- Software - application system, packages
- Location - directorate, department, room, telephone number
- Significant data holdings

All equipment owned and maintained by the Trust will be located carefully to ensure maximum physical security is possible. Equipment will be secured through the utilisation of products that conform to the Loss Prevention Standard LPS1214. The IT Security Team will offer advice and guidance on the choice of products. Portable equipment and media must be secured in an appropriate manner.
The Estates Department is responsible for ensuring that all computer equipment is electrically checked and tagged, along with associated power leads and plugs, at intervals of one year.

Incident Management and Reporting

An IT security incident is defined as any event which has resulted in, or could result in:
- The disclosure of confidential information to any unauthorised individual
- The integrity of computer systems or data being put at risk
- The availability of computer systems being put at risk
- An adverse impact, for example:
  1. Embarrassment to the NHS
  2. Threat to personal safety or privacy
  3. Legal obligation or penalty
  4. Financial loss
  5. Disruption of activities

In order to ensure that IT security breaches are detected, investigated and reported, staff will follow the Information Security Incident Reporting procedures, which are designed to ensure a quick, effective and orderly response. These procedures are detailed within the Trust's Incident Investigation Policy. A copy can be found on the Trust Intranet or obtained from the Data Protection Office.

Risk Assessment

Each department is responsible for recording its own risks on the Datix system, through the Information Asset Owner. These risks will be discussed at the Risk Management meeting. The degree of detail of each risk assessment exercise will reflect the value of the various asset(s) under review. Resulting management reports will be presented to the Information Governance Group. Once a system is reviewed, any countermeasures agreed will be implemented without undue delay. Risk assessment will be addressed by following the local Trust Risk Management Policy.

Service Continuity Planning

In order for the Trust to be able to maintain essential business activities after any unforeseen major failure or disaster, the service provided by Informatics Merseyside and the Trust, in liaison with relevant System Managers, will ensure appropriate plans are developed and maintained for the speedy restoration of critical business processes and services. These plans will include measures, within available resources, to limit the consequences of any threats that are realised, and to provide a resumption of essential operations as soon as required.

System Planning, Procurement and Acceptance

In order to ensure that security is built into all new systems, information systems procurement procedures must encompass security. All security requirements must, in liaison with the IT Security Officer, be identified at the requirements phase of any new project and will need to be justified, agreed and documented as part of the overall business case for an information system.

4.14 Security of Third Party Suppliers

The Trust will ensure access to IT facilities by third party suppliers is in strict accordance with a signed agreement, which will refer to all of the necessary security conditions to ensure that the organisation concerned satisfies Trust security requirements.

Protecting the Physical Environment

Computer crime is a growing problem. Computers and the components within them are the focus of one of the fastest growing crimes in the country. In order to maintain security at Trust premises, and to protect all IT assets, fixtures and fittings within the building, it is of vital importance to maintain a secure perimeter in order to secure and protect assets, to prevent unauthorised access, and to supervise all visitors. In addition, computer equipment is vulnerable to damage through improper treatment and exposure to heat, damp, dirt, dust and static electricity. A range of simple, common sense precautions can avoid such damage.

Maintaining a Secure Perimeter

The location of Trust systems ensures that the main host systems are located in premises that are protected by a security perimeter. Access to these premises is controlled by Security Staff, who are responsible for ensuring no unauthorised access to the premises occurs. The siting of such major systems in a purpose built data processing centre away from Trust premises, which by their nature are open to the public, is considered to be a key security policy. The security staff are responsible for ensuring appropriate areas of the Trust are closed and locked when they are unoccupied. Various parts of the Trust premises are equipped with intruder alarms, which are linked to the security desk. It is the responsibility of the security staff to ensure these are monitored. Staff also hold a responsibility for ensuring that individual/department work areas are secured as and when required.

Physical Access Controls

In order to ensure security of Trust premises and the various IT assets, fixtures and fittings kept within the building, it is important to prevent unauthorised access by persons and also to ensure that visitors are properly accounted for and are supervised. Appropriate controls are implemented to ensure that access is restricted only to staff with key responsibilities for the maintenance and support of IT equipment.

Appropriate controls are also implemented to safeguard areas containing confidential information.

Back-up, Recovery and Contingency Plans

An essential part of information security is the taking of regular data back-ups, because unless there is a recent copy of the data, there is no hope of recovering from any mistake or loss of the system without serious disruption. Data and software can be lost more easily than is generally supposed. The Partner Organisations' corporate systems data and software, managed by the Trust or any third party on behalf of the Trust, are protected by clearly defined and controlled back-up procedures which produce copies of the Trust's corporate data and software.

Protecting against Computer Viruses

The Trust ensures that appropriate protection is in place to protect its IT resources from all forms of malicious code across the entirety of the network.

Security of Media in Transit

The risks faced in the transportation of media to external locations require that appropriate measures are adopted to ensure the integrity of the sensitive data being transferred. Information that is patient/staff identifiable should not be sent via the Internet.

Disposal of Printer Ribbons

Finished printer ribbons are to be treated as confidential waste and should be destroyed by incineration. The ribbons should be returned to the Supplies Department, who will arrange the incineration.

The Handling of Printed Output

Computer printed output can provide perhaps the most common means of passing on confidential information to unauthorised persons; in most cases printed output is produced in an easily readable form. Printed output should be protected to the same degree as equivalent manually produced records.

Security of Application Systems

It is important that System Managers ensure that IT projects and associated support activities are conducted in a secure manner and that due consideration is given to the security issues associated with new or changed operational software. The Operational Handbook should identify appropriate procedures, and the IT Security Officer should be consulted over the security implications of any system.

4.24 System Access Control - Data Access

Due to the nature of the information that the Trust holds, it is essential that this data be protected. As such, the Trust ensures that only staff authorised to access this data have the ability to do so. Access to any system must be granted in accordance with the Operational Handbooks, which will dictate the level of access. The use of special privileges must be restricted and controlled, and each System Manager should establish a formal process, as part of the Operational Handbook.

Operational Handbook

The Operational Handbook should contain a user registration and deregistration procedure for access to the computer system. It should:
- ensure that the user has authorisation from the System Manager to use the system
- check that the level of access is appropriate for the business purpose
- ensure that the IT Department or Facilities Management providers do not give access until the authorisation process has been completed
- maintain a formal record of all persons authorised to access the system, detailing what they are allowed to do
- immediately change or remove the access rights of users who have changed jobs or left the Trust
- periodically check for, and remove, redundant user-ids and access profiles that are no longer required
- ensure that redundant user-ids and access profiles are not reissued to another person

A formal process to review users' access rights should be established. This should ensure that access rights are reviewed at regular intervals and that authorisation for special privileged access rights is reviewed more frequently.

User Password Management

The primary control operated by the Trust is password authentication. Passwords and appropriate access permissions will be allocated in accordance with the Network Account Management and Password Management Policy and in accordance with individual Operational Handbooks.

4.27 Computer Access Control

Access to computer facilities used within the Trust is controlled via a number of distinct, separate log-on levels designed to minimise the opportunity for unauthorised access. System Managers and Directorate Managers must ensure that users have a unique identifier (user-id) for their personal and sole use at each of the above levels.

Security of Networks

The Trust makes extensive use of data communications networks to gain more benefit from its application of Information Technology. The types of networks in use are:

Network (LAN, WAN, WLAN etc.)

Networks are becoming increasingly interconnected, with many services no longer being managed locally. A network that exists within Trust sites connects all networked devices including PCs, printers, servers and wireless devices, giving users access to central file storage, print and schedule facilities. The Trust network is also connected, via private circuits, to all other Liverpool NHS Trusts. This provides a secure private network for use by local partner Trusts to deliver network services and share information. These networks are in turn connected to the national network, the N3 network, interconnecting all NHS organisations from GPs through Community to acute Trusts. However, this interconnection between all Trusts must be protected: a breach of security in one location may unexpectedly expose other Trusts to similar or other risks. Therefore the NHS has introduced the NHS Code of Connection, requiring each NHS organisation to abide by the requirements of the NHS-wide Data Networking Security Policy and NHS-Wide Code of Connection for NHS Organisations.

University Network

Certain University staff have the right of access to University systems if they hold an honorary contract with Liverpool University. The University has agreed with the Trust that, because of the open architecture of that network, it cannot meet the requirements of the NHS Code of Connection. Consequently no personal computer can be connected to both networks, because of the risk of security breaches to Trust data. The University IT Department will be responsible for maintaining the separate University Network and all personal computers purchased by them. At all times a physical separation of the two networks must be maintained.

15 Community of Interest Network (CoIN) The CoIN is a Metropolitan Area Network that links the North Mersey Region in order to enable access to services provided by other partner organisations and to the N3 Network. As such, it is essential to ensure that there are adequate layers of security provided for any external connections accessing services provided by the Trust. IT systems used within the Trust are properly assessed for security There are appropriate levels of security to maintain the confidentiality, integrity and availability of information and information systems All staff are aware of the limits of their authority and their accountability A means is established to effectively manage IT security The policy builds on the general requirements published by Connecting for Health (CfH) in the following documents: 1. Connecting for Health Good Practice Guidelines (CPG) 2. Data Networking Security Policy 3. NHS wide Networking Programme Guide 4. NHS wide Code of Connection for NHS Organisations In addition, due regard has been given to HSG (96)18 and the associated requirements of the Department of Health detailed in the guidance The Protection and Use of Patient Information Data Protection Communication for audit Patients need to be made aware that the information they give us may be recorded or shared in order to provide them with care and that it can also be used for the support of local clinical audit. 
The objectives of this document are: To raise patient awareness as to the use of their information so that they can receive care and treatment To inform them that we may use their information to protect the health of the public in general To ensure that all patients are aware that their information could be used to run the NHS efficiently, plan for the future, train its staff, pay its bills and account for it actions To ensure that all patients are aware their information can be used to educate tomorrow s staff To ensure that patients are aware that sometimes the law requires us to pass on information To ensure that patients are aware that we share their information with outside bodies such as the NHS central register 15

16 To ensure patients who are receiving care from other people as well as the NHS, realise that we may have to share their information for their benefit To ensure that patients are aware that their information can be used to carry out medical and other health research for the benefit of everyone 4.30 Research When research is carried out using patients or staff from this Trust, the same procedure must take place in relation to the processing of the personal information. Information sheet and consent forms perform as a fair processing notice under the first principle of the Data Protection Act. This means that the person must be fully informed of exactly what will happen to their information when taking part in this research. This must cover consent, what information will be recorded, who it will be shared with, including inside or outside of the EEA, if they can be identified, what will happen to this information after the research is over, if their GP will be informed, will their case notes be accessed etc Patient Council The Trust has created a forum whereby twenty hospital users are brought together to independently discuss the services provided by the Trust, and to subsequently propose changes that would improve the services provided. The Council meets on a monthly basis and is considered an important avenue for the improvement of services to patients Internet The Trust owns and operates its own Internet site that is readily accessible to all members of the public. Data Protection guidance on the site informs visitors about the processing that the Trust undertakes and provides a contact for any queries Clear Desk To discourage the practice of leaving confidential patient information unattended. A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities should be adopted a) Sensitive or critical business information, e.g. 
on paper or on electronic storage media, should be locked away (ideally in a safe or cabinet or other forms of security furniture) when not required, especially when the office is vacated 16

17 b) Computers and terminals should be left logged off or protected with a screen and keyboard locking mechanism controlled by a password, token or similar user authentication mechanism when unattended and should be protected by key locks, passwords or other controls when not in use c) Incoming and outgoing mail points and unattended facsimile machines should be protected d) Unauthorised use of photocopiers and other reproduction technology (e.g., scanners, digital cameras) should be prevented and information should be removed from printers immediately In addition, any visit, appointment or message books should be stored in a secure area when not in use. Before a patient enters a consulting room, all evidence of the previous patient should be removed from view (computer screens, medical records, test papers or samples etc). It is good practice to lock all consulting rooms and office areas when they are not in use. The reception desk can be particularly vulnerable to visitors. This area should be kept as clear as possible at all times, in particular medical records or other patient identifiable information should not be held on the desk or within reach/sight of visitors. Where this is not possible, such as clinic areas, all reasonable attempts must be made to ensure that patient information is not accessible e.g. turning case notes round so that names and details of patients are not visible, obscuring files located at the end of a group of case notes and using bookends to ensure that files do not slip. The Data Protection Act 1998 Seventh Principle states: Appropriate operational and technical measures shall be taken against unauthorised access. to personal data For further guidance, the Information Security Officer can be contacted on 3671 or the Data Protection Liaison Officer on Roles and Responsibilities The Information Assurance Manager is responsible for this policy. 
The Deputy Director of Patient Access Services is responsible for the overall information governance agenda. The Information Assurance Manager is responsible for the operational management of data protection within the Trust and carries out the formal role of Data Protection Officer. This covers maintaining registration, facilitating training, dealing with subject access requests and acting as initial point of contact for any data protection issues.

5.1 Directorate Managers/Heads of Department

Directorate Managers/Heads of Department are responsible for ensuring that all staff within their departments are aware of:
- This policy and its contents
- How to obtain a copy if required
- Their own responsibilities and obligations to comply with its procedures
- To ensure that security breaches are investigated and reported in line with Trust procedures

It is the responsibility of all staff to familiarise themselves with this policy and all related Informatics policies and documentation where applicable, and to ensure high standards of data protection are met.

This policy is applicable to any contractors or external agencies that have cause to handle personal information on behalf of the Trust. They must therefore ensure that data protection standards are met.

The Medical Director (Caldicott Guardian) and Deputy Director of Informatics have senior responsibility, reporting to the Trust Board. The Information Governance Group will oversee policy setting and implementation of this agenda. The Information Security Officer has responsibility for the IT Security element of the data protection agenda. Each computer system/database will have a designated application and/or system manager responsible for enforcing this policy. The IT Security Manager will maintain a list of these nominated personnel.

6.0 Associated documents and references

This policy should be read in conjunction with all informatics policies found in the Intranet policy section. The legislation listed below also refers to issues of security and/or confidentiality of personal identifiable information/data:

Data Protection Act (see Appendix 1)
The Caldicott Principles (see Appendix 2)

Access to Health Records Act 1990: This Act is only applicable for access to a deceased person's records and gives the patient's representatives the right of access to their manually held health records.
Access to Medical Reports Act 1988: This Act allows those who have had a medical report produced for the purposes of employment and/or insurance to obtain a copy of the content of the report prior to it being disclosed to any potential employer and/or prospective insurance company.
Human Rights Act 1998: This Act requires respect and protection of an individual's human rights. This includes an individual's right to privacy (under Article 8).
Freedom of Information Act 2000: This Act requires public authorities to release recorded information to any person who requests it, without knowledge of why the request is made.
Regulation of Investigatory Powers Act 2000: The Act covers the legal regulation of interception of electronic communications in the light of the Human Rights laws and rapidly changing technology.
Crime and Disorder Act 1998: This Act introduces measures to reduce crime and disorder, including the introduction of local crime partnerships around local authority boundaries to formulate and implement strategies for reducing crime and disorder in that local area. The Act allows (but does not impose a requirement on) disclosure of person identifiable information to the Police, Local Authorities, Probation Service or the Health Service if the purposes are defined within the Crime and Disorder Act.
The Computer Misuse Act 1990: This Act makes it a criminal offence to access any part of a computer system, programs and/or data where a user is not entitled to access.

Some aspects of Personal Information and IT security are governed by various provisions of UK Law and guidance.
The most relevant are:
- IMG E5498 Ensuring Security and Confidentiality in NHS Organisations
- HSG (96)18 The Protection & Use of Patient Information
- HSC 1999/012 Caldicott Guardians
- HSC 1999/053 For the Record
- HSC 2000/009 Protection & Use of Patient Information
- ISO27001/2 Industry and adopted NHS IT security standards
- Copyright, Designs and Patents Act (1988)
- The Obscene Publications Act (1959 & 1964)
- The common law duty of confidentiality
- The NHS (Venereal Diseases) Regulations 1974 and the NHS (Venereal Diseases) Regulations 1991
- The Human Fertilisation and Embryology (Disclosure of Information) Act 1992
- The Abortion Regulations 1991
- The Mental Health Act (1983)
- The Mental Health Act Code of Practice (HSG(93)45)

6.1 Disciplinary Measures

A breach of the Data Protection Act requirements could result in a member of staff facing disciplinary action. The Trust Disciplinary Policy is available from the Human Resources Department. The Trust may also be obliged to inform the police in some instances.

All policies should be based on the most recent evidence or current best practice or national legislation and guidance. The supporting documents should be clearly identified within this section of the policy.

7.0 Training & Resources

The Data Protection Officer has overall responsibility for documenting awareness of confidentiality and security issues for use by all staff. There are regular training sessions covering the following subjects:
- personal responsibilities
- confidentiality of personal information
- relevant Trust Policies and Procedures
- compliance with the Data Protection and Caldicott Principles
- individuals' rights (access to information and compliance with the principles)
- general good practice guidelines covering security and confidentiality
- awareness to all staff regarding the data protection team and how they can be contacted for all problems which may occur in the areas of security and confidentiality of information

All Directorates have the responsibility to ensure their staff complete training on an annual basis through the e-learning tool as well as by other methods of training delivery.
7.1 Induction

All new starters to the Trust will be given data protection and general IT security training as part of the Trust induction process. All staff have a responsibility to ensure they complete the e-learning modules via the intranet. Extra training in these areas will be given to those who need it, such as iPM if required. A register will be maintained of all staff attendance at training sessions. The Data Protection team will provide further training for data protection and information security to administration and clerical staff if requested. Divisions/Directorates will be responsible for providing further training to Consultants and Clinical staff via a nominated core trainer.

7.2 Contracts of employment

Staff contracts of employment are produced and monitored by the Human Resources Department. All contracts of employment include a data protection, information security and general confidentiality clause. Agency and contract staff are subject to the same rules. Furthermore, all job descriptions will contain data protection and information security clauses.

8.0 Monitoring and Audit

The Information Governance Group is a sub-group of the Trust Board with responsibility for the ratification of Information Governance policies and approval of work programmes. This group has senior level representation, is chaired by the Caldicott Guardian, and is supported from all appropriate areas to ensure the Trust steers this agenda appropriately. It receives regular reports from the Information Assurance Manager and responsible staff dealing with all aspects of the agenda as outlined above, and approves central returns required by the Information Governance Toolkit (IGT) to NHS Connecting for Health. The IGT will be used by the Trust to conduct baseline audit and construct action plans for future compliance with this agenda. The work programmes in the individual areas will be created by adherence to the IGT standards and to the national standards appropriate to the individual field of activity.
Minimum requirement to be monitored: Relevance of policy to Trust needs
Process for monitoring (e.g. audit): Audit / Review
Responsible individual / group / committee: IGG
Frequency of monitoring: Annually
Responsible individual / group / committee for review of results: IGG
Responsible individual / group / committee for development of action plan: IGG
Responsible individual / group / committee for monitoring of action plan and implementation: IGG

9.0 Equality and Diversity

The Trust is committed to an environment that promotes equality and embraces diversity in its performance as an employer and service provider. It will adhere to legal and performance requirements and will mainstream equality and diversity principles through its policies, procedures and processes. This policy should be implemented with due regard to this commitment.

To ensure that the implementation of this policy does not have an adverse impact in response to the requirements of the Race Relations (Amendment) Act, the Disability Discrimination Act 2005, and the Equality Act 2006, this policy has been screened for relevance during the policy development process and a full impact assessment conducted where necessary prior to consultation. The Trust will take remedial action when necessary to address any unexpected or unwarranted disparities and monitor practice to ensure that this policy is fairly implemented.

This policy and procedure can be made available in alternative formats on request, including large print, Braille, Moon, audio, and different languages. To arrange this please refer to the Trust translation and interpretation policy in the first instance.

The Trust will endeavour to make reasonable adjustments to accommodate any employee/patient with particular equality and diversity requirements in implementing this policy and procedure. This may include accessibility of meeting/appointment venues, providing translation, arranging an interpreter to attend appointments/meetings, extending policy timeframes to enable translation to be undertaken, or assistance with formulating any written statements.

9.1 Recording and Monitoring of Equality & Diversity

The Trust understands the business case for equality and diversity and will make sure that this is translated into practice. Accordingly, all policies and procedures will be monitored to ensure their effectiveness.

Monitoring information will be collated, analysed and published on an annual basis as part of our Single Equality and Human Rights scheme. The monitoring will cover all strands of equality legislation and will meet statutory employment duties under race, gender and disability. Where adverse impact is identified through the monitoring process the Trust will investigate and take corrective action to mitigate and prevent any negative impact. The information collected for monitoring and reporting purposes will be treated as confidential and it will not be used for any other purpose.

Appendix 1 - The Data Protection Act 1998

The eight Data Protection Principles are:
1 Personal data shall be processed fairly and lawfully.
2 Personal data shall be obtained for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3 Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4 Personal data shall be accurate and, where necessary, kept up to date.
5 Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6 Personal data shall be processed in accordance with the rights of data subjects under this Act.
7 Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8 Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Appendix 2 - The Caldicott Principles

1 Justify the purposes of using confidential information.
2 Only use when absolutely necessary.
3 Use the minimum that is required.
4 Access should be on a strict need-to-know basis.
5 Everyone must understand their responsibilities.
6 Understand and comply with the law.

Appendix 3 - Document history / version control

Document History

Version: 1
Date: 14/11/06
Author: A Penketh
Comments: Add Classes of sensitive data and personal data definitions. Add Schedules 2 and 3 in Appendix. Add note that the Trust does not have any automated decision making processes. Addition of section relating to staff records in

Version: 2
Date: /06/11
Author: P Nordoff-Tate
Comments: Amendments made and reviewed and approved by the Information Governance Group. Amalgamated with Data Protection; Data Protection Communication; Information Security and Clear Desk Policies

Version: 3
Date: 18/05/12
Author: Information Assurance Manager
Comments: Reference to NMHIS amended and changed to imerseyside (where relevant) in S2, 4.6, 4.9, 4.12, 4.19,

Review Process Prior to Ratification

Name of Group/Department/Committee: Date
Reviewed by Amanda Penketh: 13/11/06
Reviewed by the Information Governance Group: 22/11/06
Approved by the Information Governance Group: 10/04/06
Approved by the Information Governance Group: 23/03/09
Approved by the Information Governance Group: 04/07/11
Information Governance Group: 28/05/12


More information

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy BOARD OF DIRECTORS PAPER COVER SHEET Meeting date: 22 February 2006 Agenda item:7 Title: Purpose: The Trust Board to approve the updated Summary: The Trust is required to have and update each year a policy

More information

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY Policy approved by: Audit and Governance Committee Date: 4 th December 2014 Next Review Date: December 2016 Version: 1 Information Security Policy Page 1 of 17 Review and Amendment

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October

More information

Policy Document Control Page

Policy Document Control Page Policy Document Control Page Title Title: Data Protection Policy Version: 3 Reference Number: CO59 Keywords: Data, access, principles, protection, Act. Data Subject, Information Supersedes Supersedes:

More information

Little Marlow Parish Council Registration Number for ICO Z3112320

Little Marlow Parish Council Registration Number for ICO Z3112320 Data Protection Policy Little Marlow Parish Council Registration Number for ICO Z3112320 Adopted 2012 Reviewed 23 rd February 2016 Introduction The Parish Council is fully committed to compliance with

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

technical factsheet 176

technical factsheet 176 technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection

More information

Data Protection Policy June 2014

Data Protection Policy June 2014 Data Protection Policy June 2014 Approving authority: Consultation via: Court Audit and Risk Committee, University Executive, Secretary's Board, Information Governance and Security Group Approval date:

More information

Harper Adams University College. Information Security Policy

Harper Adams University College. Information Security Policy Harper Adams University College Information Security Policy Introduction The University College recognises that information and information systems are valuable assets which play a major role in supporting

More information

INFORMATION GOVERNANCE HANDBOOK

INFORMATION GOVERNANCE HANDBOOK INFORMATION GOVERNANCE HANDBOOK SECTION ONE Author Tracey Burrows Role Information Governance Manager (CSCSU) Date / Version February 2015 Version FINAL V1.0 Approved by IM&T Board Date 27 February 2015

More information

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2 Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications

More information

SUBJECT ACCESS REQUEST PROCEDURE

SUBJECT ACCESS REQUEST PROCEDURE SUBJECT ACCESS REQUEST PROCEDURE Document History Document Reference: Document Purpose: IG31 This procedure sets out the responsibility for staff when receiving requests for information provided under

More information

Scottish Rowing Data Protection Policy

Scottish Rowing Data Protection Policy Revision Approved by the Board August 2010 1. Introduction As individuals, we want to know that personal information about ourselves is handled properly, and we and others have specific rights in this

More information

Service Children s Education

Service Children s Education Service Children s Education Data Handling and Security Information Security Audit Issued January 2009 2009 - An Agency of the Ministry of Defence Information Security Audit 2 Information handling and

More information

Data Protection Procedures

Data Protection Procedures Data Protection Procedures PROCEDURE OVERVIEW: This Procedure outlines Down District Council s ( the Council ) commitment to the Data Protection Act 1998 ( the Act ) and provides a framework for the Council

More information

The Manitowoc Company, Inc.

The Manitowoc Company, Inc. The Manitowoc Company, Inc. DATA PROTECTION POLICY 11FitzPatrick & Associates 4/5/04 1 Proprietary Material Version 4.0 CONTENTS PART 1 - Policy Statement PART 2 - Processing Personal Data PART 3 - Organisational

More information

Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk

Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk Data Protection Act 1998 The for the Borough Council of King's Lynn & West Norfolk 1 Contents Introduction 3 1. Statement of Intent 4 2. Fair Obtaining I Processing 5 3. Data Uses and Processes 6 4. Data

More information

University of Aberdeen Information Security Policy

University of Aberdeen Information Security Policy University of Aberdeen Information Security Policy Contents Introduction to Information Security... 1 How can information be protected?... 1 1. Information Security Policy... 3 Subsidiary Policy details:...

More information

ICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation

ICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation ICT SECURITY POLICY Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation Responsibility Assistant Principal, Learner Services Jannette

More information

INFORMATION GOVERNANCE POLICY & FRAMEWORK

INFORMATION GOVERNANCE POLICY & FRAMEWORK INFORMATION GOVERNANCE POLICY & FRAMEWORK Version 1.2 Committee Approved by Audit Committee Date Approved 5 March 2015 Author: Responsible Lead: Associate IG Specialist, YHCS Corporate & Governance Manger

More information

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY Contents 1. Introduction 2. Objectives 3. Scope 4. Policy Statement 5. Legal and Contractual Requirements 6. Responsibilities 7. Policy Awareness and Disciplinary Procedures 8. Maintenance 9. Physical

More information

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19 Protection of Personal Data RPC001147_EN_D_19 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Rules Responsibility

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

Information Governance Strategy & Policy

Information Governance Strategy & Policy Information Governance Strategy & Policy March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aims 1 3 Policy 2 4 Responsibilities 3 5 Information Governance Reporting Structure 4 6 Managing Information

More information

NHS Commissioning Board: Information governance policy

NHS Commissioning Board: Information governance policy NHS Commissioning Board: Information governance policy DOCUMENT STATUS: To be approved / Approved DOCUMENT RATIFIED BY: DATE ISSUED: October 2012 DATE TO BE REVIEWED: April 2013 2 AMENDMENT HISTORY: VERSION

More information

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014 Islington ICT Physical Security of Information Policy A council-wide information technology policy Version 0.7 June 2014 Copyright Notification Copyright London Borough of Islington 2014 This document

More information

Information Sharing Policy

Information Sharing Policy Information Sharing Policy REFERENCE NUMBER IG 010 / 0v3 February 2013 VERSION V1.0 APPROVING COMMITTEE & DATE Clinical Executive Committee 5.2.13 REVIEW DUE DATE February 2016 West Lancashire CCG is committed

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

DATA PROTECTION AND DATA STORAGE POLICY

DATA PROTECTION AND DATA STORAGE POLICY DATA PROTECTION AND DATA STORAGE POLICY 1. Purpose and Scope 1.1 This Data Protection and Data Storage Policy (the Policy ) applies to all personal data collected and dealt with by Centre 404, whether

More information

Information security policy

Information security policy Information security policy Issue sheet Document reference Document location Title Author Issued to Reason issued NHSBSARM001 S:\BSA\IGM\Mng IG\Developing Policy and Strategy\Develop or Review of IS Policy\Current

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY Directorate of Performance Assurance INFORMATION GOVERNANCE POLICY Reference: DCP074 Version: 2.5 This version issued: 27/03/15 Result of last review: Minor changes Date approved by owner (if applicable):

More information

Information Governance Policy

Information Governance Policy Information Governance Policy REFERENCE NUMBER IG 101 / 0v3 May 2012 VERSION V1.0 APPROVING COMMITTEE & DATE Clinical Executive 4.9.12 REVIEW DUE DATE May 2015 West Lancashire CCG is committed to ensuring

More information

Information Governance Strategy. Version No 2.1

Information Governance Strategy. Version No 2.1 Livewell Southwest Information Governance Strategy Version No 2.1 Notice to staff using a paper copy of this guidance. The policies and procedures page of LSW Intranet holds the most recent version of

More information

Email Services Policy

Email Services Policy Email Services Policy CONTENTS Page 1 Introduction 3 2 Scope 3 3 Review and Evaluation 3 4 General Principles 4 5 Responsibilities 4 6 Business Use and Continuity 4 7 Personal Use 6 8 Managing Email Messages

More information

NHS Business Services Authority Information Security Policy

NHS Business Services Authority Information Security Policy NHS Business Services Authority Information Security Policy NHS Business Services Authority Corporate Secretariat NHSBSAIS001 Issue Sheet Document reference NHSBSARM001 Document location F:\CEO\IGM\IS\BSA

More information