NO.RM18. RM18 - Data Protection Policy v9_150226

Transcription

1 DATA PROTECTION POLICY NO.RM18 Applies to: All NHS LA employees, Non-Executive Directors, secondees and consultants, and/or any other parties who will carry out duties on behalf of the NHS LA. Contractors and panel firms are required to adhere to the terms of their contractual agreements. Version: RM18 - Data Protection Policy v9_ Date of SMT Approval: 25 March 2015 Review Date: 25 March 2017 Author: Joel Henderson Owner: Tom Fothergill Beware when using a printed version of this document. It may have been subsequently amended. Please check online for the latest version. Page 1 of 10

2 Data Protection Policy CONTENTS Paragraph 1 Introduction 2 Purpose 3 Equality impact assessment 4 Duties 5 The Data Protection Act Definitions The Data Protection Act principles Individuals rights Exemptions & modifications Powers & duties of the Commissioner Notification 6 Duty of Confidentiality 7 The potential consequences of non-compliance with the law 8 The Regulatory Environment 9 Subject Access Requests 10 Training and Support 11 Monitoring effective implementation 12 Other relevant documents Introduction The business of the NHS LA involves the processing of information about individuals. Often, due to the nature of the work of the organisation, this information will include details that many people would consider to be sensitive and/or private (for example, details about physical or mental health, performance at work, and financial affairs). In order to minimise the risk of there being a successful legal challenge or regulatory action in relation to the way(s) in which the organisation processes personal information and indeed to retain the trust of those with whom we are dealing and that of the wider public, it is essential that we act in accordance with the law in this area. We also aim to follow best practice recommendations where this is feasible Purpose The purpose of this policy is to set out, in broad terms, the requirements with which we need to comply in processing personal information. If you are in any Page 2 of 10

3 doubt about what you should do in any particular situation, please contact a member of the Corporate Governance Team for advice. Equality Impact Assessment As part of its development, this policy has had an equality impact assessment. No detriment was identified. 1. Duties Chief Executive and Accounting Officer Accountable for all information governance matters including compliance with the requirements of the DPA. Audit and Risk Committee Has responsibility for the strategic processes for risk identification, control and governance. Director of Finance and Corporate Planning As the Senior Information Risk Owner (SIRO), the Director of Finance and Corporate Planning has overall responsibility delegated by the Chief Executive and Accounting Officer for the management of risks associated with the handling of information at the NHS LA, including risks associated with the requirements of the DPA. Caldicott Guardian The Caldicott Guardian within an organisation should be a senior health professional, who is responsible for ensuring patient data are kept secure. The Director of Safety and Learning fulfils this role for the NHS LA. Data Reference Group Has operational oversight of all data protection and confidentiality issues delegated to it by the Accounting Officer. Head of IT & Facilities As the Information Security Officer, the Head of IT & Facilities has overall responsibility for the provision of systems and facilities to support accurate, legally compliant, secure and efficient information governance. Information Governance Manager The Information Governance Manager is responsible for the day-to-day oversight of data protection issues and for ensuring that data are handled in accordance with NHS LA policy and legal requirements. Information Access Manager Page 3 of 10

4 Has responsibility for dealing with subject Access requests under the DPA and for ensuring that sufficient fair processing information is available to users of NHS LA services. Line Managers All line managers are responsible for the promotion of the principles of the DPA outlined within this policy and associated policies, within their teams. Employees All employees and secondees who are carrying out duties on behalf of the NHS LA are responsible for adherence to the principles of the DPA outlined within this policy and implemented in associated guidance and for reporting any related adverse incidents in line with RM05 Incident Reporting Policy and Procedure. 2. The Data Protection Act Definitions for the purposes of the Data Protection Act: Personal data : 1. A living individual can be identified from the data, or from the data and other information in your possession, or likely to come into your possession. 2. The data relate to the identifiable living individual, whether in personal or family life, business or profession. Processing : Processing, in relation to information or data, means obtaining, recording or holding the information or data (which includes, in relation to personal data, obtaining or recording the information to be contained in the data) or carrying out any operation or set of operations on the information or data. Data subject : Data subject means an individual who is the subject of personal data. A data subject must be a living individual. A data subject need not be a United Kingdom national or resident. Please note that whilst there are no clear legal obligations of confidentiality that apply to the deceased, there is an ethical basis for requiring that confidentiality obligations must continue to apply. This is supported within the DH Confidentiality Code of Practice and should be followed by all NHS LA staff. Page 4 of 10

5 Data controller : Data controller means:- A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. It is important to establish whether or not someone is a data controller because it is data controllers who are required to comply with the Data Protection Principles. A data controller must be a person i.e. a legal person. This term comprises not only individuals but also organisations such as companies and other corporate and unincorporated bodies of persons. Data processor : Data processor, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller. The Data Protection Act principles The Act requires that personal information is: 1) Fairly and lawfully processed: In order to comply with this first principle, one of the following conditions must be met if personal data is being processed: 1. The data subject has given their consent. 2. The processing is necessary: - a. For the performance of a contract to which the data subject is party, or b. For the taking of steps at the request of the data subject with a view to entering a contract. 3. The processing is necessary to comply with legal obligation. 4. The processing is necessary to protect the vital interests of the data subject. 5. The processing is necessary for the Administration of justice. 6. The processing is necessary for the legitimate interests of the data controller (except where unwarranted because of prejudice or legitimate interests of data subject). The NHS LA has set out why we process personal data in our Privacy Notice which is set out on the NHS LA website here and NCAS here. 2) Obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with those purposes: Page 5 of 10

6 To comply with this principle, the NHS LA must inform the Information Commissioner of all the purposes for which it processes personal data. If the reasons for processing this information are changed, both the Information Commissioner and the Data subject must be informed. 3) Adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed: It is the responsibility of all NHS LA employees to ensure that personal data processing is adequate and not excessive, but relevant enough, for example, to distinguish between data subjects with similar details. 4) Accurate and, where necessary, up to date: Where NHS LA employees obtain information either directly from the data subject or via a third party, they must ensure the accuracy of the data held. If the data subject informs the NHS LA of a (factual) inaccuracy, the data must be amended to reflect this. 5) Not kept for longer than is necessary: The NHS LA should not retain information for longer than is required to fulfil the purposes for which it is collected, as per RM20 - Records Management Policy. 6) Processed in line with the individual's rights: Data subjects have the right to request any information processed by the NHS LA relating to them, and also have the right to request their personal data to be rectified, blocked or erased. 7) Secure: The NHS LA must have plans to prevent or manage any unforeseen events which may affect the secure processing of personal data. All employees must be aware of security issues associated with the processing of data. Data protection and confidentiality clauses must be formally defined and included within third party contracts. 8) Not transferred to other countries without adequate protection: If data is to be shared with an organisation outside the European Economic area, the NHS LA must assess the adequacy of protection by looking at the following issues: 1. The nature of the data. 2. The country of origin. 3. The country where the data is being sent. 4. The purpose for which the data is processed. 5. The security measures in place. A transfer can take place if any of the following conditions are met: Page 6 of 10

7 1. If the data subject grants permission. 2. If it is required in the performance of a contract. 3. If the data subject makes a request in order to enter into a contract. 4. In the conclusion or performance of a contract in the data subjects interest. 5. Under the order of the Secretary of State. 6. Under the approval of the Information Commissioner. 7. As part of legal proceedings/advice. In the event of data falling into this category, the SIRO should be contacted before any data is sent. 3. Individuals rights Right to subject access. Right to prevent processing likely to cause damage or distress. Right to prevent processing for the purposes of direct marketing. Rights in relation to automated decision taking. Right to take action for compensation if the individual suffers damage by any contravention of the Act by the data controller. Right to take action to rectify, block, erase or destroy inaccurate data. 4. Powers and duties of the Commissioner Should an individual feel they're being denied access to personal information they're entitled to, or feel their information has not been handled according to the eight principles, they can contact the Information Commissioner's Office (ICO) for help. Complaints are usually dealt with informally, but the ICO has legal powers, including the power to issue monetary penalty notices (fines), conduct audits and prosecute offenders. 5. Notification Notification is the process by which a data controller informs the Commissioner of certain details about the processing of personal data carried out by that data controller. Those details are used by the Commissioner to make an entry describing the processing in a register which is available to the public for inspection. The principal purpose of having notification and the public register is transparency or openness. The public should know or should be able to find out who is carrying out processing of personal data and other information about the processing, such as, for what purposes the processing is carried out. The DPA places obligations on data controllers in order to achieve transparency. Page 7 of 10

8 Notification, therefore, serves the interests of data controllers in providing a mechanism for them to publicise details of their processing activities and also serves the interests of data subjects in assisting them to understand how personal data are being processed by data controllers. 6. Duty of Confidentiality Information given to the NHS LA in confidence must not be disclosed without consent unless there is a justifiable reason e.g. a requirement of law or there is an overriding public interest to do so. This information is subject to a duty of confidence and, if it is disclosed unlawfully, legal action can be taken against NHS LA for breach of confidence. Confidential information will include but is not limited to medical information, personnel information, and commercially sensitive information relating to the business of the organisation.. The NHS LA has a duty both under the common law and under the Human Rights Act 1998 to ensure that the confidential information it holds is not inappropriately disclosed. For disclosure to be justified it must be in accordance with English law and must constitute a proportionate means of achieving a legitimate aim, such as the protection of health or the rights and freedoms of others. 7. The Regulatory Environment The Information Commissioner s office (ICO) is the UK s independent public authority set up to uphold information rights. They do this by promoting good practice, ruling on complaints, providing information to individuals and organisations and taking appropriate action when the law is broken. The ICO enforces and oversees the following legislation: Data Protection Act 1998 Freedom of Information Act 2000 Privacy and Electronic Communications Regulations 2003 Environmental Information Regulations 2004 There are a number of tools available to the ICO for taking action to change the behaviour of organisations and individuals that collect, use and keep personal information. They include criminal prosecution, non-criminal enforcement and audit. The Information Commissioner also has the power to serve a monetary penalty notice on a data controller such as the NHS LA. 8. The potential consequences of non-compliance with the law Page 8 of 10

9 The DPA requires all organisations which handle personal information to comply with a number of important principles regarding privacy and disclosure. The DPA does not guarantee personal privacy at all costs, but aims to strike a balance between the rights of individuals and the sometimes competing interests of those with legitimate reasons for using personal information. The DPA also allows people to find out what personal information is held about them by making a subject access request. All who are in scope of this policy must follow this policy in order to ensure that the NHS LA meets its legal obligations to preserve confidentiality, process personal data lawfully, and disclose information appropriately. Practical information on the NHS LA s arrangements for the archiving, retention and destruction of data, including claim files, is provided within CG02 Information Governance Principles. RM20 - Records Management Policy provides broader guidance on the storage, archiving, retrieval and disposal of all NHS LA records. This policy should also be read in conjunction with RM19 - Freedom of Information Policy, ITFA02 - Guidance for Working with Confidential or Sensitive Information and ITFA21 - Guidance for using Encrypted USB devices and Attachments. 9. Subject Access Requests Individuals have a right under the DPA to make a request in writing for a copy of the information held about them. This is called a subject access request. Subjects are also entitled to be given a description of the information, what it is used for, who it might be passed on to, and any other information held. Any such request for information should be construed a subject access request unless part of the normal course of business. Such requests should be passed to the Information Access Manager. Requests should be dealt with within the legal timescale of 40 calendar days. All necessary steps will be taken to ensure that information can be requested or is made available in an appropriate format for individuals with disabilities. For further detail please see Guidance Note on handling Subject Access Requests or contact the Information Access Manager. 10. Training and support The NHS LA will provide appropriate training to all staff on information governance including data protection. Page 9 of 10

10 Managers and other staff may request advice from the Corporate Governance Team should they require support with the implementation of this policy. 11. Monitoring effective implementation The effective implementation of this policy will be monitored by the NHS LA Information Governance Group including review of related incidents reported and associated actions taken, and by the NHS LA Board through review of incidents and risks arising. 12. Other relevant documents CG02 Information Governance Strategy RM05 - Incident Reporting Policy and Procedure RM07 - Complaints Policy and Procedure RM19 - Freedom of Information Policy and guidance document RM20 - Records Management Policy ITFA02 - Guidance for Working with Confidential or Sensitive Information ITFA21 - Guidance for using Encrypted USB devices and Attachments Document Control Change Record Date Author Version Reason for Change 10/10/14 Joel Henderson V1_0 draft Initial draft 23/11/14 Joel Henderson V2_0 draft Input from ISO Expert 24/01/14 Joel Henderson V3_0 draft Comments from IG Group Joel Henderson V4_0 draft Additional comments from IG Group 13/02/14 Joel Henderson V5_0 draft Amendments made to ensure consistency with other policies. 20/02/15 Joel Henderson V6_0 draft Amended in line with information handling guidelines. 24/02/15 Joel Henderson V7_0 draft Subject access amendments 26/02/15 Joel Henderson V8_0 draft Minor format amendments 25/03/15 SMT approved V9 final SMT approved Page 10 of 10