Introduction to Information Governance


Introduction to Information Governance: Mandatory Training (Page 0 of 39)

Contents (page numbers refer to the original document)

- Introduction to Information Governance: page 2
- Types of information: page 3
- Information Governance Standards: page 4
- The Information Governance Toolkit: page 5
- Confidentiality (Topic 1): page 5
- Confidentiality Scenario 1: page 6
- Confidentiality, Duty of confidence: page 7
- Consent, Legal requirements: page 7
- The Caldicott Guardian: page 8
- Caldicott Principles: page 9
- Providing a Confidential Service: page 10
- Data Protection (Topic 2): page 11
- Data protection and the law: page 11
- Data Protection Scenario 1: page 11
- Data protection principles: page 12
- The principles explained: pages 13, 14
- Data Protection Scenarios 2 & 3: page 15
- Data Protection Scenarios 4 & 5: page 16
- Data Protection Scenario 6: page 17
- Data Protection Scenarios 7 & 8: page 18
- Data Protection Scenario 9: page 19
- Freedom of Information (Topic 3): page 20
- Exemptions, Spotting a request: page 20
- What you need to know about FOI: pages 21, 22
- FOI Case study 1: pages 23, 24
- FOI Case study 2: pages 24, 25
- Good Record Keeping (Topic 4): page 26
- History, Tracking, Timeliness: page 26
- Duplicates: page 26
- Recording Quality Information: page 27
- Locating records: page 28
- What's the best approach: page 29
- Information Security (Topic 5): page 30
- What is information security: pages 30, 31
- Hints and Tips: pages 32, 33, 34
- Portable media, passwords, use of IT: page 32
- Use of email, audit reports: page 33
- Software / Unlicensed software: pages 34, 35
- Summary of Information Governance: pages 35, 36
- Recap on topics: page 36
- Relevant legislation: page 37
- Assessment: page 38
- Instructions: page 38
- Question sheet: page 39 onwards

Introduction to Information Governance

Put simply, Information Governance is to do with the rules that should be followed when we process information. It allows organisations and individuals to ensure information is processed legally, securely, efficiently and effectively. IG applies to all the types of information which your organisation may process, but the rules may differ according to the type of information concerned.

In this module you'll look at how you can make sure you follow the right processes and procedures when you process information; in other words, how to practise good Information Governance (IG). You'll find out about:
- how to avoid breaching confidentiality law and guidelines
- how to comply with data protection and freedom of information legislation
- what support you have: the IG Toolkit
- good record keeping
- effective information security.

All of the above topics will give you good knowledge and skills to provide an effective, confidential and secure healthcare service. You will also find out about the IG Toolkit and how your contribution to IG best practice in your organisation is very important.

Viewpoints: Keeping information secure

Headline News: In December 2007 it was widely reported in the national press that nine NHS trusts had misplaced thousands of patient and staff records. This was the latest in a series of data security incidents affecting organisations ranging from HM Revenue and Customs to the DVLA. Richard Vautrey, deputy chairman of the British Medical Association's committee of GPs, told the BBC that: "Patients need to be absolutely confident that the information that is held securely cannot be lost in some haphazard way as appears to be the case."

In such a sensitive climate, good Information Governance (IG) is very important and impacts on all of our jobs. Keeping information secure in our organisations is a hot topic. Sometimes it can be very simple actions which keep information secure and confidential.

In this introductory level module you will look at the principles and procedures, in short the rules that can help

Types of Information

There are different types of data, listed below. What type of information do you think details of a patient's mental health condition in their medical file would be classed as?
- Personal information, e.g. medical records, staff records (correct answer)
- Person-based but anonymous information, e.g. public health statistical information that does not identify an individual (not correct)
- Corporate data, e.g. Trust accounts or statistical reports (not correct)

Personal information: Information about individuals is personal information when it enables an individual to be identified, or non-personal when it doesn't. This isn't always straightforward to establish, but it is an important distinction in law. For example, a person's name and address are clearly personal information when presented together, but an unusual surname may itself enable someone to be identified. Personal information may be held subject to obligations of confidentiality and may be legally sensitive as defined by the Data Protection Act. Personal information is classed as confidential if it was provided in circumstances where an individual could reasonably expect that it would be held in confidence, e.g. the doctor/patient relationship. Confidentiality is generally accepted to extend after death. Personal information may be classed as legally sensitive when it makes reference to particular matters, such as health, ethnicity or sexual life, that are listed in the Data Protection Act. Other details, for example an individual's bank account details, would also be regarded as sensitive by most people but are not legally sensitive. A further limit on the Data Protection Act is that it only applies to personal information about living individuals.

Person-based but anonymous information: Person-based anonymised information does not identify an individual directly and cannot be reasonably used to determine identity. The mental health conditions in this case would not be classed as person-based anonymised information, as they are clearly linked with the individual's name and address etc. It is important to be aware that person-based but anonymised information is not subject to the same restrictions on processing as personal information. This is because no-one can be harmed or reasonably distressed by its disclosure. Neither confidentiality law nor the Data Protection Act applies to person-based information that has been effectively anonymised. This means that taking steps to anonymise information is often very important, as it enables information to be processed without having to satisfy strict legal requirements.

Corporate data: The mental health conditions in this case would not be classed as corporate data. Documents or information that are not about individuals are clearly not personal information, but may be classed as commercially confidential, e.g. for commercial reasons or because they contain legal advice. They may also be regarded as sensitive in a general sense because of the subject matter. An important consideration in relation to documents is whether or not they have to be disclosed when a Freedom of Information Act request is made; where they are confidential or sensitive they may be exempt from disclosure.

Information Governance Standards

You'll look at Information Governance standards in more detail later in this module, but at this stage it is worth noting that they are derived from the following:

- The Confidentiality NHS Code of Practice and the NHS Care Record Guarantee for England. The Code tells you how to comply with the common law duty of confidentiality. The Guarantee tells patients how the NHS will use and protect the information in their health records. You will learn more about confidentiality in topic 1.
- The Data Protection Act 1998. The Act sets rules for how personal data is obtained, held, used or disclosed. You will learn more about the Data Protection Act in topic 2.
- The Freedom of Information Act 2000. The Act sets rules for disclosure of information about the work carried out by a public sector organisation. You will learn more about the Freedom of Information (FOI) Act in topic 3.
- The Records Management NHS Code of Practice. The Code includes guidelines about how records, including health records, should be used and disposed of. You will learn more about how records management applies to your role in topic 4.
- The Information Security NHS Code of Practice. The Code sets out, at a high level, how organisations should comply with information security principles. You will learn more about how you can keep information secure in topic 5.

The Information Governance Toolkit

To help improve Information Governance across the NHS in England, the Department of Health determined a set of key standards. These are now mandatory for NHS organisations to carry out as an annual self-assessment.

Annual reports
The annual reports are monitored and approved through the Information Governance Toolkit, hosted and managed by the NHS Connecting for Health (CFH) Information Governance Policy Team.

Who can view performance?
NHS CFH then sends the results to the Healthcare Commission, to contribute to the Annual Health Check returns for reference and potential audit, and to the National Information Governance Board, the body responsible for driving improvements in information governance across health and adult social care. The Information Governance Toolkit standards and approved organisation reports can be found on the public-facing website.

Who is involved?
There is a lead in your organisation who is responsible for carrying out this annual assessment and collating evidence. In order to help your organisation perform better it is necessary for all staff to be involved. Do your part in complying with Information Governance standards and best practice guidelines, and follow your organisation's policies. The assessment involves the contribution of the whole organisation, including you. Keep informed about your organisation's Information Governance agenda and find out who your Information Governance Lead is. At this stage you will begin to see how Information Governance is a cultural agenda, which is every employee's responsibility.

Your responsibilities
Information Governance (IG) helps to ensure that all staff know their responsibilities and comply with the law and best practice when processing information. You'll look at your responsibilities in some detail throughout this module, but in summary they include:
- providing a confidential service to patients, sharing information lawfully and appropriately
- processing information in accordance with the data protection rules and respecting the rights of individuals
- complying with Freedom of Information requirements
- recording information accurately and ensuring it is accessible when needed
- ensuring that information is held securely.

Information Governance sets common guidelines that help NHS staff know they are working to the same standards as people outside their own area.

Confidentiality: Topic 1

Confidentiality Scenario 1
It's late one Friday afternoon in a county hospital. A celebrity is rushed into surgery for the emergency removal of his appendix.

Best practice? The Hospital carries out an internal investigation to identify the staff member that disclosed the information, as well as the staff who viewed the record. If they were not directly involved with the patient's care, what actions were the staff members not justified in doing?
- Option 1: Viewing the patient's healthcare record
- Option 2: Sharing information relating to the patient's upcoming surgery
- Option 3: Disclosing information relating to the patient's past healthcare history

The employees had no justified purpose for carrying out any of these actions.

Viewpoints: Maintaining patient confidentiality
The duty to maintain confidentiality is part of the duty of care to the patient. It is also integral to the contract of employment and regulatory professional codes of conduct. The breaches could lead to a disciplinary procedure or even dismissal.

Confidentiality

To help prevent the kind of breaches in confidentiality seen in this scenario, there are certain procedures to follow.

Duty of confidence
A duty of confidence arises when sensitive information is obtained and/or recorded in circumstances where it is reasonable for the subject of the information to expect that the information will be held in confidence. Patients provide sensitive information relating to their health and other matters as part of their seeking treatment, and they have a right to expect that we will respect their privacy and act appropriately. The duty can equally arise with some staff records, e.g. occupational health, financial matters, etc. Patients have a right to be informed about how we will use their information for healthcare, the choices they have about restricting the use of their information, and whether exercising this choice will impact on the services offered to them.

Explicit consent
Where it is proposed that patient information is disclosed outside of the organisation for purposes other than healthcare, in most cases it is necessary to ensure that the patient has explicitly consented to this happening. There are limited exceptions to this general rule.

Legal requirement
Always remember confidentiality is a legal requirement, supported by the confidentiality clause in your contract and, where applicable, your professional code of conduct. Your organisation is required to:
- inform patients about how personal information relating to them will be used
- inform patients of their right to object to the disclosure of their confidential personal information outside of the organisation
- seek explicit consent before disclosing patient personal information for non-healthcare purposes (unless, rarely, an exception applies).

Viewpoints: Sensitive information and exemptions to consent
Sensitive information is a category of personal information that is usually held in confidence and whose loss, misdirection or loss of integrity could impact adversely on individuals, the organisation or on the wider community.

Certain types of information are classed as sensitive under the Data Protection Act 1998, but the definition for NHS Information Governance purposes is wider than, and fully encompasses, legally sensitive information. Personal information becomes sensitive if it includes any of the following types of information:
- health records or information relating to physical or mental health
- sexual life, sexual orientation or gender realignment
- social care records, child protection or housing assessments
- racial or ethnic origin
- political opinions or trade union membership
- religious beliefs
- DNA or fingerprints
- bank, financial or credit card details
- National Insurance number or tax, benefit or pension records
- travel details (for example at immigration control, or Oyster records)
- passport number / information on immigration status or travel records
- work record or place of work, school attendance or records
- conviction, prison or court records, evidence or commission of offences or alleged offences.

This is not meant to be an exhaustive list, but it does provide an indication of the wide range of information that needs to be processed with particular care. Note also that whilst the Data Protection Act only applies to personal information relating to living individuals, NHS Information Governance also encompasses information about deceased individuals.

The exceptions to the requirement for consent are rare and limited to: legal requirements to disclose information, e.g. by Acts of Parliament or court orders; disclosures permitted by regulations made under section 251 of the NHS Act 2006 (previously known as section 60 of the Health and Social Care Act 2001); or where there is a public interest justification for breaching confidentiality, such as a serious crime, e.g. murder, rape or child abuse.

The Caldicott Guardian
To help maintain levels of confidentiality throughout the NHS, a report was commissioned in 1997 by the Chief Medical Officer. One of the key outcomes of this report was that Caldicott Guardians were appointed in each NHS Trust, in order to safeguard access to patient-identifiable information.

Our Caldicott Guardian is the Medical Director, who is a member of the Board.

The Caldicott Guardian is normally at Board or Senior Management level, as they are responsible for reviewing, overseeing and agreeing policies governing the protection of patient or personal information. The Caldicott Guardian also takes responsibility for overseeing organisational compliance with the Caldicott Management Principles.

Caldicott Principles

A key recommendation of the Caldicott report was that staff justify every use of confidential information and routinely test it against six principles. Never disclose confidential information if you are unsure about your response to any of these six questions.

1. Do you have a justified purpose for using this confidential information?
The purpose for using confidential information should be justified, which means making sure there is a valid reason for using it to carry out that particular purpose.

2. Are you using it because it is absolutely necessary to do so?
The use of confidential information must be absolutely necessary to carry out the stated purpose. Before confidential information is accessed, a quick assessment should be made to determine whether it is actually needed for the stated purpose.

3. Are you using the minimum information required?
If it is necessary to use confidential information, it should include only the minimum that's needed to carry out the purpose.

4. Are you allowing access to this information on a strict need-to-know basis only?
If the intention is to share the information, it should only be shared with those who need it to carry out their role.

5. Do you understand your responsibility and duty to the subject with regards to keeping their information secure and confidential?
Everyone should understand their responsibility for protecting information, which generally requires that training and awareness sessions are put in place. If the intention is to share the information, those people must also be made aware of their own responsibility for protecting information, and they must be informed of the restrictions on further sharing.

6. Do you understand the law, and are you complying with the law, before handling the confidential information?
There are a range of legal obligations to consider when using confidential information. The key ones that must be complied with by law are provided by the common law duty of confidentiality and under the Data Protection Act.

If you have a query around the disclosure of medical or other confidential personal information, you should go to your Line Manager initially, then the IG Manager if you are still not sure. For serious and complex issues your Manager should contact the Caldicott Guardian for advice and guidance.

Providing a Confidential Service

As well as the Caldicott Guidelines, you can also refer to the Confidentiality NHS Code of Practice model, known as Protect, Inform, Provide Choice and Improve, to help maintain a confidential service within your organisation.

Protect: You should protect a person's information by recording relevant data accurately and consistently and by keeping it secure and confidential. Write patient records appropriately, free of jargon or offensive, subjective or opinionated statements.

Inform: Inform a patient how their information is used and when it may be disclosed. Where practical, provide patients with information leaflets about the organisation's confidentiality vows, or posters informing patients what the organisation does with patient information and why. Also, inform patients of their right to access their health records.

Provide choice: Provide choice for patients to decide whether their information can be disclosed. Patients have the right to object to information they provide in confidence being disclosed to a third party in a form that identifies them. As long as the patient is competent to make such a choice, and where the consequences of the choice have been fully explained, their decision should be respected.

Improve: Always look to improve the way you and the organisation protect, inform and provide choice to patients, clients and employees. You can do this by attending regular update training, seeking line manager support and by reporting possible breaches.

Viewpoints: At the end of the day the focus of confidentiality is consent. Personal information shared in confidence should not be used or disclosed further without the consent of the individual. Exceptions to the requirement for consent are rare and limited to legal requirements to disclose information.

Data Protection: Topic 2

Data protection issues can crop up in any organisation. Breaches often occur because staff are unaware of data protection principles, which are contained in the Data Protection Act. In this topic you are going to look at a series of data protection issues that may occur.

Data protection and the law
The Data Protection Act 1998 applies to all organisations in the UK that process personal information. The Act goes hand-in-hand with the common law duty of confidence and professional and local confidentiality codes of practice to provide individuals with a statutory route to monitor the use of their personal information. A breach of one of the eight Data Protection Principles can result in legal action being taken against an individual and/or the organisation. Learning the Principles of the Data Protection Act is therefore very important. There are additional offences under section 55 of the Act of unlawfully obtaining, disclosing or selling personal data. You will explore the Principles and the effects of section 55 in more detail later in this topic.

Data Protection Scenario 1
Take a look at the list below. Which do you think are not real data protection principles?
- Option 1: 1. Processed fairly and lawfully
- Option 2: 2. Processed for a specified purpose
- Option 3: 3. Adequate, relevant and not excessive
- Option 4: 4. Processed under supervision
- Option 5: 5. Permanently kept on record for future reference

The correct answer is Principles 4 and 5.

Data protection principles

There are eight principles that must be followed when handling personal information.

1. Processed fairly and lawfully
Ensure that the proposed use of the information is lawful in the widest sense, e.g. doesn't breach other legal restrictions such as the common law duty of confidentiality. Inform patients why you are collecting their information, what you are going to do with it, and who you may share it with. Information recorded as part of the process of providing care should not be used for purposes that are unrelated to that care. There should be no surprises! Be open, honest and clear. The same principle applies to the personal information of staff.

2. Processed for a specified purpose
Only use personal information for the purpose for which it was obtained. Only share information outside your organisation, team, ward, department or service if you are certain it is appropriate and necessary to do so. If in doubt, check first!

3. Adequate, relevant and not excessive
Only collect and keep the information you need. Do not collect information "just in case it might be useful one day!" You cannot hold information unless you know how it will be used and it is a justified use.

4. Accurate and kept up-to-date
Explain all abbreviations, use clear legible writing and stick to the facts, avoiding personal opinions and comments. Take care when entering data to make sure it is correct. Make sure you check with patients that the information is accurate and up-to-date. Check existing records thoroughly before creating new records and avoid creating duplicate records.

5. Not kept for longer than necessary
Follow retention guidelines set out by the Records Management NHS Code of Practice and your organisation's retention policy. Make sure your information gets a regular "spring clean" so that it is not kept just in case it might be useful one day! Dispose of information correctly, according to your organisation's disposal policy.

6. Processed in accordance with rights of data subject
Individuals, whether staff or patients, have several rights under the Act. In summary individuals have:
- the right of access to personal data held about them
- the right to prevent processing likely to cause damage or distress
- the right to have inaccurate data about them corrected, blocked or erased
- the right to prevent processing of information about themselves for purposes of direct marketing
- rights in relation to automated decision-taking.
The rights are not absolute; that means there may be occasions where the organisation is permitted to override them. Later in this module you will explore the rights in more detail.

7. Protected by appropriate security
This requires that all organisations that process personal information have security measures in place to ensure that the information is protected from accidental or deliberate loss, damage or destruction. Your organisation will have a security policy and processes to ensure the security of personal information. They will also have guidelines for staff about how to ensure personal information is protected from unauthorised access. You must make sure you comply with all the security processes and guidelines so that access to personal information is only available to those authorised to do so, and information is not accidentally or deliberately lost, damaged or destroyed. Some of the measures you should comply with are:
- only send confidential faxes using safe haven or secure faxes
- ensure confidential conversations cannot be overheard
- keep your passwords secret
- lock paper files away when they are not in use
- transport personal information by secure methods.
You'll learn more on keeping information secure in the Information Security topic of this module.

8. Not transferred outside the EEA without adequate protection
If sending personal information outside the European Economic Area (EEA), make sure consent is obtained where required and ensure the information is adequately protected. Be careful about putting personal information on websites, which can be accessed from anywhere in the world: get consent first. Check where your information is going, and know where your suppliers are based.

The principles explained

As you have just seen, Principle 1 of the Data Protection Act requires that personal data is processed fairly and lawfully. It also requires that personal data is only processed if one of the conditions in the Act is also met.

Processing conditions
There are several of these processing conditions, but the main ones that you need to be aware of when providing care and treatment are processing:
- for medical purposes
- where the patient has given their explicit consent
- to protect the vital interests of the patient or another person.

Processing for medical purposes
This means that sensitive personal data can be processed for the purposes of preventative medicine, medical diagnosis, the provision of care and treatment and the management of healthcare services.

Explicit consent
If you wish to process patient information for purposes other than healthcare, in most cases you must have the explicit consent of the patient to do so.

Vital interests
In exceptional circumstances, e.g. life or death situations, processing of sensitive information for non-healthcare purposes without consent is permitted.

Earlier, you saw a summary of individuals' rights under Section 7 of the Data Protection Act. Now you'll look at the rights that may be most relevant to your organisation.

Subject access requests
Generally, individuals have the right to see information about them held by an organisation that is processing their personal data. Applications, which are known as subject access requests, must be in writing, and the individual should provide the organisation with sufficient information to enable their records to be correctly identified. The request must be complied with within 40 days of receipt, but wherever possible information should be provided within 21 days. Therefore, if you receive a request for information, you should promptly forward it to the person in your organisation that has responsibility for subject access requests. Make sure you know who has this responsibility in your organisation. If you are the nominated person, you should ensure that staff members are aware that subject access requests should be forwarded to you promptly. If you require further advice about handling subject access requests, your IG Lead should be able to help you. You'll explore a scenario about complying with a subject access request later in this topic.

The right to prevent processing likely to cause damage or distress
The individual is entitled to send a written notice to an organisation requesting that processing of their data stops, or does not begin. The individual must be able to show that he/she has suffered or would suffer substantial and unwarranted damage or distress if the processing goes ahead. The organisation doesn't have to comply where the organisation believes the processing is so important it must go ahead even though it causes damage or distress.

Rectification, blocking, erasure and destruction
An individual who believes that an organisation has recorded inaccurate personal information about them is entitled to apply to the court to have the information corrected or removed. This right applies to factual information only, not to opinions or a diagnosis that the patient disagrees with or which turns out to be wrong.

Rights in relation to automated processing
The individual can ask your organisation to ensure that no decision which is taken by or on behalf of the organisation, and significantly affects the individual, is based solely on information processed by automatic means.

Data Protection Scenario 2
Now it's time to see what can happen when these principles are ignored...

Mr Jones answers his mobile phone one Tuesday morning to a call from the local hospital.

By informing Mr Jones of his ex-wife's condition, the receptionist unlawfully breached Mrs Jones's confidentiality. Also, the records being used here were obviously very out-of-date. If the patient had been asked whether her contact details were still correct when she came in for previous appointments, this mistake wouldn't have happened.

Data Protection Scenario 3
Mrs Foster has written asking for a copy of all her health records held by the local general hospital. The Data Protection Lead opens the letter and puts it on top of his to-do pile. Later the pile is accidentally knocked over and the letter slips behind the desk. After two months Mrs Foster contacts the hospital to ask what is happening with her request. She is put through to the Data Protection Lead's extension, and hears a voicemail that the Lead is on holiday. The call is put back through to switchboard and Mrs Foster enquires whether there is anyone else that can help her. Unfortunately, the switchboard operator has never heard of Information Governance, so is unaware that there is anyone else she can refer Mrs Foster to. She puts the call through to Trust Headquarters and one of the staff there takes Mrs Foster's details and promises to get back to her. No-one does. Seven days pass and Mrs Foster has still not been contacted, so she decides to ring the Information Commissioner to complain.

Principle 6 requires compliance with the individual rights set out in section 7 of the Act. One of these rights is the right to subject access, which means that individuals have the right, with some limited exceptions, to see information held by organisations that are processing their personal data. Organisations are required to comply with the request within set time limits. You looked at some of the individual rights earlier in this topic.

Data Protection Scenario 4
Sharon, a health records assistant, has to check 100 health records at random to make sure they have the correct NHS number.

Which one of these data protection principles might have been breached in this scenario?
- Option 1: Principle 1: Processed fairly and lawfully
- Option 2: Principle 3: Adequate, relevant and not excessive
- Option 3: Principle 5: Not kept for longer than necessary
- Option 4: Principle 7: Protected by appropriate security
- Option 5: Principle 8: Not transferred outside the EEA without adequate protection

By leaving the health records unprotected and unprocessed, Sharon has allowed a situation to arise where patient confidentiality could be breached. Fortunately, this was not the case here. Sharon has also breached Principle 7 of the Act by not ensuring that access to the health records was protected, either by locking the door or taking the records back to the correct storage area.

Data Protection Scenario 5
Miss Ford has requested to look at her health records held by the local general hospital. The hospital arranges for her to visit and go through the records with a health professional on hand to explain any abbreviations or complex medical issues. Whilst reading one of the entries written many years ago, Miss Ford points out a strange abbreviation: "What does NLL stand for?" The health professional responds, "Hmm, I think it means Nice Looking Legs!"

Which of the following data protection principles is being breached in this scenario?
- Option 1: Principle 1: Processed fairly and lawfully
- Option 2: Principle 3: Adequate, relevant and not excessive
- Option 3: Principle 4: Accurate and kept up to date
- Option 4: Principle 6: Processed in accordance with rights of data subject
- Option 5: Principle 7: Protected by appropriate security
- Option 6: Principle 8: Not transferred outside the EEA without adequate protection

The inclusion of inappropriate and irrelevant detail within records breaches the 3rd principle and in this case could be considered offensive.

Data Protection Scenario 6
- Option 1: Principle 1: Processed fairly and lawfully
- Option 2: Principle 2: Processed for a specified purpose
- Option 3: Principle 4: Accurate and kept up to date
- Option 4: Principle 5: Not kept for longer than necessary
- Option 5: Principle 7: Protected by appropriate security
- Option 6: Principle 8: Not transferred outside the EEA without adequate protection

Principle 1 requires that personal data is processed fairly; this means that individuals should be informed of the purposes for which their data will be processed and who it may be disclosed to. This is normally done by use of fair processing notices setting out the list of purposes and other information regarding who may have access to the information. Information about staff home addresses is generally provided for Human Resources, payroll and emergency purposes, not for being contacted by the Communications team. It would be far better to distribute the information through internal systems, perhaps accompanying pay slips.

Principle 2 requires that information provided for one or more specific purposes should not be used in a way incompatible with those purposes. New decisions about how data will be processed cannot be made by the data controller after the information has already been obtained. Additionally, some contracts may have clauses that enable staff to opt in or out of receiving such mail shots from the Communications team.

Data Protection Scenario 7

A company that specialises in data transcription has contacted the Trust. The company is based outside of the European Economic Area (EEA) and is offering a cost-effective transcription service. This seems a great opportunity and the Trust decides to trial the service offered. It sends a set of dictation tapes through a secure courier to the overseas address provided. In accordance with the trial, the company transcribes the information, puts it on an encrypted DVD and returns it to the Trust. Shortly afterwards two patients contact the Trust to complain that they have been contacted by a drugs company offering them condition-specific medicines.

Which of the eight data protection principles is being breached in this scenario?

Option 1: Principle 1: Processed fairly and lawfully
Option 2: Principle 2: Processed for a specified purpose
Option 3: Principle 3: Adequate, relevant and not excessive
Option 4: Principle 4: Accurate and kept up-to-date
Option 5: Principle 5: Not kept for longer than necessary
Option 6: Principle 8: Not transferred outside the EEA without adequate protection

The Trust failed to ensure that there was an adequate level of protection for the personal information and failed to safeguard the rights of the patients concerned. In the case of person-identifiable data, regard should be paid to the guidelines issued by the Department of Health. These require that such information is NOT transferred outside the UK unless an appropriate assessment of risk has been undertaken and mitigating controls put in place. Patients should also be made aware of this activity and form of processing via patient information materials.

Data Protection Scenario 8: Retaining records

Meg is a new ward clerk at the general hospital. She has been asked to check the storage room and dispose of any old patient admission books.

Which of the eight data protection principles is being breached in this scenario?

Option 1: Principle 1: Processed fairly and lawfully
Option 2: Principle 4: Accurate and kept up-to-date
Option 3: Principle 5: Not kept for longer than necessary
Option 4: Principle 6: Processed in accordance with rights of data subject
Option 5: Principle 7: Protected by appropriate security
Option 6: Principle 8: Not transferred outside the EEA without adequate protection

To comply with Principle 5, data controllers should regularly review the personal data they hold in line with record retention standards and delete information that is no longer required for the purposes for which it was obtained. In this case, the personal data was obtained for the purpose of recording a patient admission to a particular ward over 12 years ago. The information was retained to provide a record of which patients were also on the ward at the same time. However, it is unlikely that this information is still required and it should have been disposed of some time ago. Disposal does not necessarily mean destruction, and care should always be taken to do things right when destruction is required. More information on record retention and disposal is provided in the Records Management NHS Code of Practice.

Data Protection Scenario 9: Information for sale

James is an administrations clerk at the local general hospital, currently involved in patient registrations. One morning on his way to work he is approached by a man claiming to be a private detective hired to locate the beneficiary of a will.

Would James have breached the Data Protection Act by providing this information?

Option 1: No, the woman would want to know that she had been left something in the will
Option 2: It depends whether he accepts the £100
Option 3: No, James would have only provided the woman's address, this isn't personal data
Option 4: Yes, James would have unlawfully disclosed personal data

The address is personal data because it relates to a living individual who can be identified either solely with that data or with other information already available. The detective already has the woman's name, and if James had supplied the address this would enable accurate identification. The disclosure would be a criminal offence under section 55 of the Act. James had not been given authority by the Trust to supply this information. It makes no difference whether or not he accepts any money for the information. James could have easily referred the matter to his IG Lead, who if necessary can contact the woman and ask whether she wants this information given to the detective.

Freedom of Information - Topic 3

If you received a letter from a patient requesting a detailed breakdown of your organisation's expenditure for the year, would you know what to do?

The Freedom of Information (FOI) Act 2000 requires disclosure of information by public authorities, such as NHS Trusts, County Councils and Government departments.

Exemptions

There are several exemptions within the Act, which are circumstances where you will not have to provide the requested information. The exemptions you may need to know about are where:

- the applicant could easily obtain the requested information from elsewhere
- the organisation has already published or has firm plans to publish the information

Or where the information:

- relates to confidential business information
- is personal information about the applicant
- is personal information about someone other than the applicant and disclosure of it would breach either the Principles or section 10 of the Data Protection Act 1998, e.g. it is confidential to a third party.

Unless an exemption applies, information must be supplied if a request is received.

Spotting a request

The FOI Act allows anyone to write to any public authority to ask for information to be provided to them. Which of the letters displayed do you think is an FOI request for information, A or B?

The FOI Act only applies to requests for information that do not fall into one of the exemptions, as in letter A. The request in letter B is for personal information about the applicant, therefore it should be considered under the Data Protection Act. We will learn more about the actions that need to be taken when an FOI request comes through to your organisation, and what your responsibility is, later on in this topic.

What you need to know about FOI

First of all, take a look at the basic principles behind FOI:

Types of information

The FOI Act gives the public the right to request any information held by any type of public authority or by persons/organisations providing services for them. This includes educational institutions, NHS Trusts and contractors, Local Authorities etc. The public can request information held within things like minutes of meetings, work emails, work diaries, corporate reports and other work documents. Exemptions may apply for certain information, which therefore would not be disclosed.

Form of request

Requests for information must be made in writing, but there is no need for the applicant to mention the FOI Act. If a patient or member of the public asks you for information that you think is covered by the FOI Act, you should ask them to put their request in writing or assist them to do so. An applicant need not provide their true name in the request, but there must be a valid address for correspondence, which can be a postal address or an email address.

Processing requests

If you receive a request for information, you should promptly forward it to the person in the organisation that has been assigned responsibility for FOI requests. Make sure you know who has this responsibility in your organisation. You will learn more about processing requests on the next screen.

Response time

Generally, the organisation must comply with requests for information within 20 working days. If the organisation decides not to provide the requested information, the applicant must be informed of this and in most cases he/she must also be told why the information has been withheld.

Exemptions

There are several circumstances under which information should not be disclosed, and earlier you had a brief look at some of the ones most applicable to your organisation. Unless you are the person nominated to respond to FOI requests, you will not have to take decisions on whether information should be withheld. If you are the responsible person, you can obtain further advice from the Information Commissioner's Office at:

Processing requests

A designated FOI lead should be appointed within each Public Authority organisation, and they should be trained to make judgements on what can and can't be disclosed under the FOI Act. So, ask your FOI Lead if in doubt and follow your organisation's local procedure on dealing with FOI requests.

The role of the Freedom of Information Lead is to establish, develop and manage an organisation-wide Freedom of Information policy and strategy designed to ensure that the organisation fully complies with all aspects of the Freedom of Information Act. They may or may not be directly involved with handling requests for information as and when they arrive. You can also get advice from the Information Commissioner's Office; the contact details are on their website at:

Breaches of the Act

A criminal offence is committed if requested information is altered, defaced, blocked, erased, destroyed or concealed with the intention of preventing disclosure of any or part of the information.

Liability

Both your organisation, i.e. the legal entity, and the employee that prevented disclosure of information are liable to conviction. The Information Commissioner can take action through the issuing of notices if a complaint is received about the way a request for information has been handled.

Information notices

The Information Commissioner can issue an information notice that requires the organisation to provide information relating to the particular request that has resulted in the complaint.

Enforcement notices

If the Information Commissioner believes that an organisation is not complying with the Act, he can issue an enforcement notice requiring compliance within a set timescale. This might relate to providing information that has been incorrectly withheld.

Decision notices

Here the Information Commissioner can issue a decision notice stating that a request for information has or has not been properly handled. If the decision is that the organisation has not handled a request adequately, the Information Commissioner will set out the steps that need taking to ensure compliance.

Failure to comply

If an organisation fails to comply with any one of the notices issued, the Information Commissioner can refer the matter to the High Court, who can deal with the matter as contempt of court.

The Act in practice

Have a look at the two case studies below. You are going to see examples of members of the public requesting information and will be asked questions in each case, so pay close attention to what is happening. Remember to consider what constitutes an FOI request and also any breaches of the FOI Act in each case.

FOI Case study 1: A call to action?

The Trust receives a phone call from an anonymous source requesting details about the Trust's annual income and expenditure report.

Caller: "Hi, yeah. My name's Jeff and I want to know how much money the hospital makes and your general expenditure. I want exact amounts and would like you to get me the details by the end of the week."

The receptionist advises him to put his request in writing to the hospital and informs him that a response will follow once the request is received. Later that day, the patient advisory liaison service team (PALS team) receives an email requesting the information. They forward the email to the person responsible for dealing with FOI requests within the Trust, who decides there is no need to disclose the information as it is readily available elsewhere and they have firm plans to publish their next annual report.

A response is emailed to Jeff informing him that:

- this information is within the Trust's annual report, which is published on the Trust's website
- if he requires next year's report, they have plans to publish this at the end of the next financial year, usually by 6th April.

The response also contains the link to the Trust website.

Select the reason you think the FOI Lead had for not sending the information requested once the written request was received:

Option 1: The applicant didn't give their name
Option 2: The applicant made the request by telephone
Option 3: Information was accessible elsewhere
Option 4: The applicant didn't state that he was requesting the information in accordance with the FOI Act
Option 5: The applicant wasn't very polite

The information requested by the applicant could easily be obtained from the Trust's website, and in fact there was an intention to publish the latest annual report in April. Therefore, the Trust was not obliged to comply with the disclosure request. For information, the person requesting the information is not required to disclose their true identity, and neither do they have to mention the FOI Act.

FOI Case study 2: Art attack

A children's ward has recently been redecorated as part of a Care in the Community project. A patient's father is not happy with the equipment being used in the ward.

The Trust FOI lead sent the letter to Mr. Heath within one week after receiving the written request. He includes the following in the letter:

- a link to these documents on the Trust publication scheme website
- a copy of the most recent PAT report for this particular ward
- a list of new equipment ordered and due to be delivered by March of this year.

Was this FOI request dealt with efficiently and according to the terms of the FOI Act?

Option 1: Yes
Option 2: No

Part of the information was available already, so the applicant was directed to where this information could be located, in line with the exemption that the information is available elsewhere. The second part of the request was held by the Trust but not published. This information was disclosed as a valid request was received, and the Trust responded correctly by sending a copy of the new equipment order list and the PAT report. Additionally, the request was processed and responded to within the 20 working days as required by the FOI Act.

Minimising complaints

Many of the complaints concerning FOI requests are about organisations not responding to applicants in a timely fashion. Because of the tight timescales it is vital that if you receive a request for information you forward it to the person who has responsibility for FOI in your organisation as soon as possible. It is also important that you comply with good record keeping principles, such as using logical file names for records and documents so that they can be easily located if requested. You will explore good record keeping in a later topic.


More information

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Controller Policy Contents INTRODUCTION 3 PART I: BACKGROUND AND ACTIONS 4 PART II: CONTROLLER OBLIGATIONS 6 PART III: APPENDICES 13 2 P a g e INTRODUCTION

More information

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK Log / Control Sheet Responsible Officer: Chief Finance Officer Clinical Lead: Dr J Parker, Caldicott Guardian Author: Associate IG Specialist, Yorkshire

More information

SUBJECT ACCESS REQUEST PROCEDURE

SUBJECT ACCESS REQUEST PROCEDURE SUBJECT ACCESS REQUEST PROCEDURE Document History Document Reference: Document Purpose: IG31 This procedure sets out the responsibility for staff when receiving requests for information provided under

More information

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1 Protection of Personal Data RPC001147_EN_WB_L_1 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Responsibility of Employees

More information

INFORMATION GOVERNANCE HANDBOOK

INFORMATION GOVERNANCE HANDBOOK INFORMATION GOVERNANCE HANDBOOK SECTION ONE Author Tracey Burrows Role Information Governance Manager (CSCSU) Date / Version February 2015 Version FINAL V1.0 Approved by IM&T Board Date 27 February 2015

More information

The Care Record Guarantee Our Guarantee for NHS Care Records in England

The Care Record Guarantee Our Guarantee for NHS Care Records in England The Care Record Guarantee Our Guarantee for NHS Care Records in England Introduction In the National Health Service in England, we aim to provide you with the highest quality of healthcare. To do this,

More information

How To Understand The Data Protection Act

How To Understand The Data Protection Act DATA PROTECTION ACT 2002 The Basics Purpose of the Act Balance the rights of an individual with an organisation s legitimate need to process personal data Promote openness and transparency Establish and

More information

Corporate Data Protection Policy

Corporate Data Protection Policy Corporate Data Protection Policy September 2010 Records Management Policy RMP-09 GOLDEN RULE When you think about Data Protection remember that we are all data subjects. Think about how appropriately and

More information

PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE

PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE ADOPTED ON 9 th January 2008 TABLE OF CONTENTS Page No. 1 Introduction...3 2 Glossary...3 3 Types of Personal Data held by Us...3 4 Obligations

More information

All CCG staff. This policy is due for review on the latest date shown above. After this date, policy and process documents may become invalid.

All CCG staff. This policy is due for review on the latest date shown above. After this date, policy and process documents may become invalid. Policy Type Information Governance Corporate Standing Operating Procedure Human Resources X Policy Name CCG IG03 Information Governance & Information Risk Policy Status Committee approved by Final Governance,

More information

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER 3 APPLIES TO: ALL STAFF 4 COMMITTEE & DATE APPROVED: AUDIT COMMITTEE

More information

CORK INSTITUTE OF TECHNOLOGY

CORK INSTITUTE OF TECHNOLOGY CORK INSTITUTE OF TECHNOLOGY DATA PROTECTION POLICY APPROVED BY GOVERNING BODY ON 30 APRIL 2009 INTRODUCTION Cork Institute of Technology is committed to a policy of protecting the rights and privacy of

More information

NHS North Durham Clinical Commissioning Group. Information Governance Strategy 2015/16

NHS North Durham Clinical Commissioning Group. Information Governance Strategy 2015/16 NHS North Durham Clinical Commissioning Group Information Governance Strategy 2015/16 Document Status Equality Impact Assessment Document Ratified/Approved By Final No impact Risk and Audit Committee/Governing

More information

Information Governance. and what it means for you

Information Governance. and what it means for you Information Governance and what it means for you 1 Content Introduction 3 Who are we? 4 What is Information Governance? 4 Purpose of Holding Information 5 Confidentiality and Security 5 Accuracy of Information

More information

Safe Haven Policy. Equality & Diversity Statement:

Safe Haven Policy. Equality & Diversity Statement: Title: Safe Haven Policy Reference No: 010/IT Owner: Deputy Chief Officer Author Information Governance Lead First Issued On: November 2012 Latest Issue Date: March 2015 Operational Date: March 2015 Review

More information

How To Protect Your Personal Information At A College

How To Protect Your Personal Information At A College Data Protection Policy Policy Details Produced by Assistant Principal Information Systems Date produced Approved by Senior Leadership Team (SLT) Date approved July 2011 Linked Policies and Freedom of Information

More information

Index. Definitions. What is Data Protection? Rights of Individuals. The 8 Principles of Data Protection

Index. Definitions. What is Data Protection? Rights of Individuals. The 8 Principles of Data Protection Data Protection Awareness Based on DIT s Data Protection Policy, the Data Protection Acts, 1988 & 2003 and guidance from the Office of the Data Protection Commissioner Index Definitions What is Data Protection?

More information

Guidelines on Data Protection. Draft. Version 3.1. Published by

Guidelines on Data Protection. Draft. Version 3.1. Published by Guidelines on Data Protection Draft Version 3.1 Published by National Information Technology Development Agency (NITDA) September 2013 Table of Contents Section One... 2 1.1 Preamble... 2 1.2 Authority...

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY Directorate of Performance Assurance INFORMATION GOVERNANCE POLICY Reference: DCP074 Version: 2.5 This version issued: 27/03/15 Result of last review: Minor changes Date approved by owner (if applicable):

More information

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19 Protection of Personal Data RPC001147_EN_D_19 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Rules Responsibility

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Primary Intranet Location Information Management & Governance Version Number Next Review Year Next Review Month 7.0 2018 January Current Author Phil Cottis Author s Job Title

More information

NHS Newcastle Gateshead Clinical Commissioning Group. Information Governance Strategy 2015/16

NHS Newcastle Gateshead Clinical Commissioning Group. Information Governance Strategy 2015/16 NHS Newcastle Gateshead Clinical Commissioning Group Information Governance Strategy 2015/16 Document Status Equality Impact Assessment Document Ratified/Approved By Approved No impact NHS Quality, Safety

More information

1.2 Scope This policy and guidance applies to all University staff, students and others who use or process any personal information.

1.2 Scope This policy and guidance applies to all University staff, students and others who use or process any personal information. MANCHESTER METROPOLITAN UNIVERSITY DATA PROTECTION POLICY This policy should be read in conjunction with the Data Protection Guidance, which is attached as: Appendix A Dealing with Personal Data Appendix

More information

A common sense guide to the Data Protection Act 1998 for volunteers

A common sense guide to the Data Protection Act 1998 for volunteers A common sense guide to the Data Protection Act 1998 for volunteers Why is it necessary? The Data Protection Act 1998 is a law introduced to control the way information held about individuals is handled

More information

John Leggott College. Data Protection Policy. Introduction

John Leggott College. Data Protection Policy. Introduction John Leggott College Data Protection Policy Introduction The College needs to keep certain information about its employees, students and other users to allow it to monitor performance, achievements, and

More information

1. Introduction... 3. 2. Statement of Policy. 3. 3. The Eight Principles of Data Protection... 4. 4. Scope... 5. 5. Roles and Responsibilities.

1. Introduction... 3. 2. Statement of Policy. 3. 3. The Eight Principles of Data Protection... 4. 4. Scope... 5. 5. Roles and Responsibilities. Data Protection Policy 2011 Contents Page 1. Introduction... 3 2. Statement of Policy. 3 3. The Eight Principles of Data Protection...... 4 4. Scope.... 5 5. Roles and Responsibilities. 5 6. Development

More information

DATA PROTECTION CORPORATE POLICY

DATA PROTECTION CORPORATE POLICY DATA PROTECTION CORPORATE POLICY Information Management V1.1 03 July 2012 Not protectively marked This policy must be complied with fully by all Members, Officers Agents and Contractors of Plymouth City

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Version: V1 Ratified by: Operational Management Executive Committee Date ratified: 26 September 2013 Name and Title of originator/author(s): Chris Brady, FOI, Data Protection and

More information

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements Policy and Procedure for approving, monitoring and reviewing personal data processing agreements 1 Personal data processing by external suppliers, contractors, agents and partners Policy and Procedure

More information

Binding Corporate Rules ( BCR ) Summary of Third Party Rights

Binding Corporate Rules ( BCR ) Summary of Third Party Rights Binding Corporate Rules ( BCR ) Summary of Third Party Rights This document contains in its Sections 3 9 all provision of the Binding Corporate Rules (BCR) for Siemens Group Companies and Other Adopting

More information

Information Governance Strategy 2015/16

Information Governance Strategy 2015/16 Information Governance Strategy 2015/16 Ratified Governing Body (November 2015) Status Final Issued November 2015 Approved By Executive Committee (August 2015) Consultation Equality Impact Assessment Internal

More information

The Leeds Teaching Hospitals NHS Trust. Research & Development Department DATA PROTECTION IN RESEARCH GUIDANCE NOTES FOR RESEARCHERS

The Leeds Teaching Hospitals NHS Trust. Research & Development Department DATA PROTECTION IN RESEARCH GUIDANCE NOTES FOR RESEARCHERS The Leeds Teaching Hospitals NHS Trust Research & Development Department DATA PROTECTION IN RESEARCH GUIDANCE NOTES FOR RESEARCHERS 1. Introduction The Research Governance Framework for Health & Social

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Approval date: June 2014 Approved by: Board Responsible Manager: Executive Director of Resources Next Review June 2016 Data Protection Policy 1. Introduction Data Protection Policy

More information

Information Governance Policy (incorporating IM&T Security)

Information Governance Policy (incorporating IM&T Security) (incorporating IM&T Security) ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the

More information

Employment Policies, Procedures & Guidelines for Schools

Employment Policies, Procedures & Guidelines for Schools DEALING WITH ALLEGATIONS OF ABUSE AGAINST TEACHERS, OTHER STAFF AND VOLUNTEERS GUIDANCE FOR LOCAL AUTHORITIES, HEAD TEACHERS, SCHOOL STAFF AND GOVERNING BODIES March 2012 1 ABOUT THIS GUIDANCE This is

More information

Code of Practice on Data Protection for the Insurance Sector

Code of Practice on Data Protection for the Insurance Sector Code of Practice on Data Protection for the Insurance Sector (Approved by the Data Protection Commissioner under Section 13 (2) of the Data Protection Acts, 1988 and 2003) Forward I am very happy to be

More information

Version Number Date Issued Review Date V1 25/01/2013 25/01/2013 25/01/2014. NHS North of Tyne Information Governance Manager Consultation

Version Number Date Issued Review Date V1 25/01/2013 25/01/2013 25/01/2014. NHS North of Tyne Information Governance Manager Consultation Northumberland, Newcastle North and East, Newcastle West, Gateshead, South Tyneside, Sunderland, North Durham, Durham Dales, Easington and Sedgefield, Darlington, Hartlepool and Stockton on Tees and South

More information

University of Limerick Data Protection Compliance Regulations June 2015

University of Limerick Data Protection Compliance Regulations June 2015 University of Limerick Data Protection Compliance Regulations June 2015 1. Purpose of Data Protection Compliance Regulations 1.1 The purpose of these Compliance Regulations is to assist University of Limerick

More information

WSIC Integrated Care Record FAQs

WSIC Integrated Care Record FAQs WSIC Integrated Care Record FAQs How your information is shared now Today, all the places where you receive care keep records about you. They can usually only share information from your records by letter,

More information

Data Protection Policy

Data Protection Policy Data Protection Policy September 2015 Contents 1. Scope 2. Purpose 3. Data protection roles 4. Staff training and guidance 5. About the Data Protection Act 1998 6. Policy 7. The Information Commissioner's

More information

Information Governance Training Booklet for Pharmacy Staff January 2010

Information Governance Training Booklet for Pharmacy Staff January 2010 Information Governance Training Booklet for Pharmacy Staff January 2010 dra_schwartz/istock 2 Introduction To ensure compliance with the law and NHS requirements, all staff working in pharmacies that have

More information

Personal data - Personal data identify an individual. For example, name, address, contact details, date of birth, NHS number.

Personal data - Personal data identify an individual. For example, name, address, contact details, date of birth, NHS number. Background The Data Protection Act 1998 i came into force in March 2000 and is followed by all NHS employed staff via their policies and procedures. The act applies to all personal, identifiable information

More information

Information Governance

Information Governance CONTROLLED Information Governance Caldicot Version-Workbok Non Caldicott Version - Workbook Version 12 January 2015 40 1 Don t Get Bitten by the Data Demon Notes Using this Workbook The objective of this

More information

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document Data Protection Processing and Transfer of Personal Data in Kvaerner Binding Corporate Rules Public Document 1 of 19 1 / 19 Table of contents 1 Introduction... 4 1.1 Scope... 4 1.2 Definitions... 4 1.2.1

More information

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS As a world leader in electronic commerce and payment services, First Data Corporation and its subsidiaries ( First Data entity or entities ),

More information

Security Awareness. A Supplier Guide/Employee Training Pack. May 2011 (updated November 2011)

Security Awareness. A Supplier Guide/Employee Training Pack. May 2011 (updated November 2011) Security Awareness A Supplier Guide/Employee Training Pack May 2011 (updated November 2011) Contents/Chapters 1. How do I identify a DWP asset 2. Delivering on behalf of DWP - Accessing DWP assets 3. How

More information

Data protection policy

Data protection policy Data protection policy Introduction 1 This document is the data protection policy for the Nursing and Midwifery Council (NMC). 2 The Data Protection Act 1998 (DPA) governs the processing of personal data

More information