Personal Data Handling and Sharing Policy

Transcription

1 Personal Data Handling and Sharing Policy Originator Richard Gibson Date 20 June 2012 Verifier Lynda Oliver Date 20 June 2012 Reviewed Richard Gibson, Lynda Oliver Date July 2013

2 Contents Page 1. Introduction 2. Purpose of the Policy 3. Responsibilities 4. Data Gathering 5. Use of Data 6. Patient Rights 7. Sharing of Data 8. Scope 9. Procedures 10. Approval

3 Personal Data Handling and Sharing Policy 1. Introduction The Outside Clinic has an obligation to define the requirements for how we process data and how it is handled within the organisation structure. 2. Purpose of the Policy The purpose of this Policy is to define why data is collected, how it is used and how data is kept confidential. It also sets out the parameters for all employees of The Outside Clinic who are involved in how to share patient identifiable/sensitive information outside the organisation. 3. Responsibilities The Data Controller is responsible for keeping patient information confidential. The Data Controller is the Head Of Operations. 4. Data Gathering The Outside Clinic keeps records about patient s health and any treatment and care that is provided. These records help to ensure that we deliver the best possible care. The records may be written down (manual records) or held on computer. These records may include: Basic details about the patient such as address, date of birth. Contact we have had with the patient such as eye and hearing examinations. Notes and reports of the patient s health. Details and records about the patient s treatment and care. Some of this information will be held centrally to be used for statistical purposes. In these instances we take strict measures to ensure that individual patients cannot be identified. The information will only be used with their consent, unless the law requires us to pass on this information. 5. Use of Data Patient records are stored so that they can be used to guide and administer the care that is provided to them. Our medical professionals involved in their care has accurate and up-to-date information to assess their health and decide on the most appropriate care for them. Patient concerns will be fully investigated if a complaint is raised. The Outside Clinic will ensure that the appropriate information is available if the patient attends another medical professional or they are referred to a specialist, their GP or another part of the NHS or similar organisation. 6. Patient Rights Patients have a right of access to the information that we hold about them. The information can be provided by the patient making a request in writing to the Data Controller. We are required to respond within 40 days. The patient will need to give The Outside Clinic adequate information to ensure that the patient s identity can be verified.

4 7. Sharing of Data It is the Policy of The Outside Clinic to share patient information appropriately in order to ensure seamless and appropriate care for patients. Every member of staff has a contractual obligation to pass on or share patient identifiable information safely and securely. The Outside Clinic acknowledges that patients have a right to be aware when their data is being shared. If the sharing does not contribute to, or support the delivery of their care, then it may be that their written consent will be required. The sharing will be carried out in a safe environment and within the constraints of the Data Protection Act 1998, the Data Protection Principles and the Caldicott Principles. 8. Scope This Policy applies to all patient identifiable or The Outside Clinic sensitive information, be it manual or electronic, that is being shared or is planned to be shared with another organisation or individual. 9. Procedures Postal Security Envelopes should be securely sealed, clearly addressed to a known contact and marked confidential and addressee only. A return to sender address should also be marked on the envelope Telephone Security Telephone validation or callback procedures should be followed before disclosing information to someone you do not know to confirm their identity and authorisation. Fax Machine Security All fax machines, which could receive patient information when unsupervised, must be in an area that could be locked so that unauthorised staff or the general public cannot gain access to them. Confidential information should only be sent by fax where absolutely necessary. If you do send information that identifies a patient, always send a cover sheet with the fax, which contains a statement This fax is confidential and is intended for the person whom it is addressed. When faxing patient information, steps must be taken to minimise the risk of miss dialling. Pre-programmed dialling is recommended and you should never dial from memory. Never send a fax to an unsupervised machine, unless it is designated safe haven or secure. Make sure that an appropriate person is available to receive that fax. It is good practice to make sure after sending the fax that the right person has received it. Confidential information sent via fax should be accompanied by a phone call to the recipient. Coded numbers should be used instead of names/address wherever possible. The data should be anonymised where possible and kept to a minimum. Security ing patient confidential information is only permitted if it is encrypted or where system-to-system networks are known to be secure or by use of an NHS net address.

5 Using Anonymised or Pseudonymised Information Anonymising data means to remove factors that would enable an individual to be identified and is the method to be used for the sharing of bulk data. Pseudonymisation is the process of applying a pseudonym to replace person identifiable information and can be used with certain IT programs when transferring information concerning individuals. Encryption All portable media etc (laptops, data sticks) that are to be used for the downloading of patient identifiable/sensitive information must be: o o Manager. Supplied by The Outside Clinic. Encrypted. Any enquiries about encryption should be addressed to the Hardware and Network Data Sharing Examples of data sharing are: Patient data returns to the NHS England and Health Authorities. Communications with GP Practices. Copies of records being supplied to other hospitals taking over the care of the patient because, for example, the patient has moved. Outsourcing initiatives. Clinical audit or research. Patient information being shared with other health care agencies. Staff and Training Reference to Data Sharing is part of Information Governance training that takes place at induction and at mandatory updates. 10. Approval This policy has been approved by the undersigned and will be reviewed on an annual basis. Originator: Richard Gibson Date: 20 June 2012 Verifier: Lynda Oliver Date: 20 June 2012 Authoriser: Richard Gibson Date: 20 June 2012