Data Protection Policy

Transcription

1

2 Issue Date: June 2014 Document Number: POL_1006 Prepared by: Information Governance Senior Manager Insert heading depending on Insert line heading length; please depending delete other on line length; please delete Insert cover heading options depending once you other cover options once on have line length; chosen please one. 20pt delete you have chosen one. 20pt other cover options once you have chosen one. 20pt Status: Approved Next Review Date: May 2017 Page 2 of 12

3 Information Reader Box Directorate Medical Nursing Patients & Information Finance Purpose Tools Guidance Resources Consultations Operations Commissioning Development Policy Transformation & Corporate Operations Publications Gateway Reference Document Purpose Document Name Policy and High Level Procedures Publication Date April 2013 Target Audience Additional Circulation List Description Cross Reference Superseded Document Action Required Timing/Deadlines Author All NHS England staff n/a Policy and high level procedures for compliance with the Data Protection Act n/a n/a To Note n/a Carol Mitchell, Information Governance Senior Manager 5e40, Quarry House LEEDS Tel: Status: Approved Next Review Date: May 2017 Page 3 of 12

4 Document Status This is a controlled document. Whilst this document may be printed, the electronic version posted on the intranet is the controlled copy. Any printed copies of this document are not controlled. As a controlled document, this document should not be saved onto local or network drives but should always be accessed from the intranet. Status: Approved Next Review Date: May 2017 Page 4 of 12

5 Contents Information Reader Box... 3 Document Status... 4 Contents Introduction Scope Roles and Responsibilities Distribution and Implementation Monitoring Equality Impact Assessment Associated Documents Version Control Tracker Status: Approved Next Review Date: May 2017 Page 5 of 12

6 1. Introduction 1.1 Background NHS England needs to collect personal information about people with whom it deals in order to carry out its business and provide its services. Such people include patients, employees (present, past and prospective), suppliers and other business contacts. The information includes name, address, address, data of birth, private and confidential information, sensitive information. In addition, we may occasionally be required to collect and use certain types of such personal information to comply with the requirements of the law. No matter how it is collected, recorded and used (e.g. on a computer or on paper) this personal information must be dealt with properly to ensure compliance with the Data Protection Act 1998 (the Act) The lawful and proper treatment of personal information by NHS England is extremely important to the success of our business and in order to maintain the confidence of our service users and employees. We ensure that the NHS England treats personal information lawfully and correctly. 1.2 Data Protection Principles NHS England fully supports and complies with the eight principles of the Act which are summarised below: 1. Personal data shall be processed fairly and lawfully. 2. Personal data shall be obtained/processed for specific lawful purposes. 3. Personal data held must be adequate, relevant and not excessive. 4. Personal data must be accurate and kept up to date. 5. Personal data shall not be kept for longer than necessary. 6. Personal data shall be processed in accordance with rights of data subjects. 7. Personal data must be kept secure. 8. Personal data shall not be transferred outside the European Economic Area (EEA) unless there is adequate protection. Status: Approved Next Review Date: May 2017 Page 6 of 12

7 2. Scope 2.1 Staff of the following NHS England areas are within the scope of this document: National Teams; Regional Teams; Area Teams; All Commissioning Support Units; NHSIQ; Leadership Academy; Sustainable Development Unit; Strategic Clinical Networks; Clinical Senates and, Staff working in or on behalf of NHS England (this includes contractors, temporary staff, secondees and all permanent employees). 3. Roles and Responsibilities 3.1 NHS England will:- ensure that there is always one person with overall responsibility for data protection. Currently this person is the Information Governance Senior Manager, Transformation & Corporate Operations Directorate. provide training for all staff members who handle personal information provide clear lines of report and supervision for compliance with data protection carry out regular checks to monitor and assess new processing of personal data and to ensure the NHS England notification to the Information Commissioner is updated to take account of any changes in processing of personal data Status: Approved Next Review Date: May 2017 Page 7 of 12

8 develop and maintain DPA procedures to include: roles and responsibilities, notification, subject access, training and compliance testing 3.2 Employee Responsibilities All employees will, through appropriate training and responsible management: Observe all forms of guidance, codes of practice and procedures about the collection and use of personal information. Understand fully the purposes for which the NHS England uses personal information. Collect and process appropriate information, and only in accordance with the purposes for which it is to be used by the NHS England to meet its service needs or legal requirements. Ensure the information is correctly input into the NHS England systems. Ensure the information is destroyed (in accordance with the provisions of the Act) when it is no longer required. On receipt of a request from an individual for information held about them by or on behalf of immediately notify their line manager. Not send any personal information outside of the United Kingdom without the authority of the Caldicott Guardian. Understand that breaches of this Policy may result in disciplinary action, including dismissal. Status: Approved Next Review Date: May 2017 Page 8 of 12

9 4. Distribution and Implementation 4.1 Distribution Plan This document will be made available to all Staff via the NHS England internet site A global notice will be sent to all Staff notifying them of the release of this document A link to this document will be provided from the Policy Directorate intranet site. 4.2 Training Plan A training needs analysis will be undertaken with Staff affected by this document Based on the findings of that analysis appropriate training will be provided to Staff as necessary Guidance will be provided on the Transformation & Corporate Operations Directorate intranet site. 5. Monitoring 5.1 Compliance with the policies and procedures laid down in this document will be monitored via the Information Governance team, together with independent reviews by both Internal and External Audit. 5.2 The Information Governance Senior Manager is responsible for the monitoring, revision and updating of this document on a 3 yearly basis or sooner if the need arises. 6. Equality Impact Assessment 6.1 This document forms part of NHS England s commitment to create a positive culture of respect for all staff and service users. The intention is to identify, remove or minimise discriminatory practice in relation to the protected characteristics (race, disability, gender, sexual orientation, age, religious or other belief, marriage and civil partnership, gender reassignment and pregnancy and maternity), as well as to promote positive practice and value the diversity of all individuals and communities. Status: Approved Next Review Date: May 2017 Page 9 of 12

10 6.2 As part of its development this document and its impact on equality has been analysed and no detriment identified. 7. Associated Documents 7.1 The following documents will provide additional information: REF NO DOC REFERENCE NUMBER TITLE VERSION Freedom of Information Policy 1.0 Information Governance Policy 2.0 Confidentiality Policy 2.0 Document and Records Management Policy 3.0 Information Security Policy 2.0 Information Sharing Policy 1.0 Status: Approved Next Review Date: May 2017 Page 10 of 12

11 Version Control Tracker Version Number Date Author Title Status Comment/Reason for Issue/Approving Body Information 1.0 April 2013 Governance Approved New policy Senior Manager Information Updated to reflect change of Policy 2.0 June 2014 Governance directorate to Transformation & Senior Manager Corporate Operations directorate Status: Approved Next Review Date: May 2017 Page 11 of 12

12 NHS England 2014 First published April 2013 Status: Approved Next Review Date: May 2017 Page 12 of 12