Data Sharing Protocols

Transcription

1 Data Sharing Protocols Responsible Officer Author Business Planning & Resources Director Corporate Office Date effective from October 2013 Date last amended NA Review date October 2016 Audience NICE Board and staff (including contractual staff) 1

2 Introduction 1. These protocols apply to requests received from third parties for the sharing of personal data held by NICE and explain how such requests should be handled. Similar standards should be applied to sensitive nonpersonal information. They cannot cover every circumstance of information sharing but they are intended to provide guidance to staff on the issues to be considered and to make them aware of their responsibilities in the handling of personal data. 2. Personal data is any information which relates to a living individual who can be identified from those data or other information held by NICE and includes any opinions about the individual. 3. Data sharing must be done in accordance with the conditions under which the data was received and to comply with the Data Protection Act 1998 and other legislation such as the Human Rights Act 1998 and common law duty of confidentiality in order for the sharing to be lawful. 4. Data sharing will be managed in accordance with agreements between NICE and third parties who supply the data and to ensure that the people whose data we hold know that their data will be handled confidentially in a secure environment with due care and respect for their privacy. 5. The protocols are not intended to be a substitute for formal legal advice which will be obtained where necessary. In all cases staff should take advice from their Information Asset Owner, the Caldicott Guardian or Governance Manager before sharing any personal data if there is any uncertainty about the lawfulness of the data sharing. 6. Data sharing should not pose a burden on staff or be counter productive to the efficiency of NICE business but it should be done within clear guidelines to protect the privacy and confidentiality of individuals. 7. Failure to follow these protocols may lead to unauthorised disclosure of sensitive personal information, damage to reputation of NICE and potential fines of up to 500,000 for breach of the Data Protection Act Scope 8. This policy applies to NICE staff (including those on secondment to other organisations) and the following groups of people working for or on behalf of NICE. This document describes these (non-staff) groups collectively as affiliates : committee chairs and members and remunerated expert advisers non-executive directors agency workers and contractors on temporary contract or employed through agency to work for NICE secondees (those who are seconded to NICE from other organisations) 2

3 unpaid students, volunteers or placement staff Responsibilities 9. All staff and affiliates have a responsibility to keep personal information secure from unauthorised disclosure. Staff need to be clear: What information can be shared and under what circumstances What information cannot be shared and under what circumstances Who to go to for advice if they are not sure what to do 10. Local management of personal data is the responsibility of the departmental Information Asset Owner (IAO) or other senior manager if there is no IAO in place. Their role is to ensure personal data is held securely in accordance with the Data Protection Act 1998, that access is maintained on a need to know basis and that any transfers are made in accordance with these protocols. Procedure 11. NICE will, where appropriate and practical, seek to get informed consent to share information so that the individual giving consent understands why the information needs to be shared, what information will be shared, who will see their information and how it will be used. 12. Teams should ensure data protection statements on all data collection forms include any potential sharing of data. 13. The general approach to data sharing should follow a four step process: a) Decide if NICE has the power to carry out the function to which the data sharing relates b) Decide if disclosure would breach any of the Principles in the Data Protection Act c) Decide if sharing the information would amount to a breach of the individual s right to a private life under the Human Rights Act d) Decide if disclosure would breach any common law duty of confidence to the individual 14. In addition, all decisions to share personal medical data must comply with ALL the Caldicott Principles 1 : a) Justify the purpose(s) for using confidential information b) Only use it when absolutely necessary c) Use the minimum that is required d) Access should be on a strict need-to-know basis e) Everyone must understand his/her responsibilities f) Understand and comply with the law 15. A flow chart on the procedure to be followed is set out in Appendix A and a quick guide of key issues to consider is in Appendix B. 1 DH Manual for Caldicott Guardians

4 16. If at any point you are unsure about whether it is appropriate to share personal data you should take advice from IAO, senior managers or the Governance Manager. 17. Where the data refers to the medical condition of any individual the decision must be authorised by the Caldicott Guardian for NICE who is Gillian Leng. Unsolicited correspondence 18. Unsolicited correspondence sent to NICE, including correspondence containing sensitive personal data or confidential information, may be shared with third parties where there is a clear public interest in doing so or as required by law. If the Enquiries Team/Corporate Office considers there is a valid reason for sharing data, such as issues relating to safeguarding 2, these will first be discussed with the Caldicott Guardian. The law 19. All data sharing with third parties must comply with the law and other relevant NICE policies and procedures. Sharing personal data is covered by more than one piece of legislation and the most frequently referred to are the following: Administrative law The starting point is to identify the NICE function to which the data sharing is ancilliary to establish that NICE has the power, implicit or explicit, to share the data before proceeding to consider if it is lawful in the particular circumstances of the case. 3 If NICE does not have the power, or vires, to use and share the data it will be acting unlawfully and the fact that the individual may have consented would not make the activity lawful. 4 Data Protection Act 1998 The Data Protection Act 1998 is critical in terms of data sharing as it provides the legal framework for the handling and management of personal data set out in eight principles. The most important of these are that the data should be used fairly and lawfully and only in accordance with the purposes for which the data were obtained. Common law of confidence Common law protects the disclosure of information (whether personal or not) that is given in circumstances giving rise to an obligation of confidentiality on behalf of the person receiving the information. Confidentiality is not an absolute bar to disclosure but a judgement will be made as to where the public interest lies. The default position at NICE is we will not disclose any confidential information unless this is required by 2 'Safeguarding' is a term widely used in health and social care to indicate those who need protection from harm, usually the elderly, frail or children 3 Para 8. Public sector data sharing: guidance on the law. DCA. v Section 3(1). Public sector data sharing: guidance on the law. DCA. v

5 law including, but not exclusively, the Freedom of Information Act 2000, or if there are compelling reasons for disclosure in the public interest. In these cases formal legal advice may be sought. Human Rights Act 1998 Disclosure or sharing of an individual s personal data prima facie engages their rights under Article 8(1) of the Human Rights Act 1998 which states: Everyone has the right to respect for his private and family life, his home and his correspondence. While this right is not absolute, interference with it must be justified by demonstrating the interference is: i. In accordance with the law ii. In the pursuit of a legitimate aim, and iii. Necessary in a democratic society Related policies Data Protection Policy Information Governance Policy Records Management Policy IT Security Policy Incident Reporting Procedure Research governance procedure 5

6 Appendix A Data Sharing Flowchart Request received from third party to share data Is there a legitimate reason to share the data? Can any individual be identified from the data? Will sharing comply with the Data Protection Act 1998? * Is the information confidential? Do you have the individual s consent to disclose or is there implied consent? Is there a clear public interest in sharing the data? SEEK ADVICE DO NOT SHARE Share information Identify how much information to share. Ensure you are sharing the information securely. Inform the person that the information has been shared if they were not aware of this and it would not create or increase risk of harm. * A breach of the common law of confidentiality or the Human Rights Act would necessarily be a breach of the First Principle of the DPA which requires the processing to be lawful; If information does not identify an individual and hence the DPA is not engaged, it may still have been provided in confidence and disclosure actionable as a breach of confidence. te, confidentiality can apply to the deceased. 6

7 Appendix B Quick guide to data sharing Factors to consider 5 When deciding whether to enter into an arrangement to share personal data (either as a provider, a recipient or both) you need to identify the objective that it is meant to achieve. You should consider the potential benefits and risks, either to individuals or society, of sharing the data. You should also assess the likely results of not sharing the data. You should ask yourself: What is the sharing meant to achieve? You should have a clear objective, or set of objectives. Being clear about this will allow you to work out what data you need to share and who with. It is good practice to document this. What information needs to be shared? You shouldn t share all the personal data you hold about someone if only certain data items are needed to achieve your objectives. For example, you might need to share somebody s current name and address but not other informationyou hold. Who requires access to the shared personal data? You should employ need to know principles, meaning that other organisations should only have access to your data if they need it, and that only relevant staff within those organisations should have access to the data. This should also address any necessary restrictions on onward sharing of data with third parties. When should it be shared? Again, it is good practice to document this, for example setting out whether the sharing should be an on-going, routine process or whether it should only take place in response to particular events. How should it be shared? This involves addressing the security surrounding the transmission or accessing of the data and establishing common rules for its security. How can we check the sharing is achieving its objectives? You will need to judge whether it is still appropriate and confirm that the safeguards still match the risks. What risk does the data sharing pose? For example, is any individual likely to be damaged by it? Is any individual likely to object? Did the individual have a reasonable expectation that their data might be shared? Might it undermine individuals trust in the organisations that keep records about them? Could the objective be achieved without sharing the data or by anonymising it? It is not appropriate to use personal data to plan service provision, for example, where this could be done with information that does not amount to personal data. Will any of the data be transferred outside of the European Economic Area (EEA)? If so, you need to consider the requirements of the eighth principle of the Data Protection Act Appendix C - Version Control Sheet 5 ICO Data Sharing Code of Practice May

8 Version Date Author Replaces Comment 1 October 2013 Corporate office 8