Information Governance Policy

Transcription

1 Information Governance Policy Version Number: Name of originator/author: V3 Head of Information Governance and Records Name of responsible committee: I&IT Committee Name of executive lead: Director of Strategy, Transformation and Performance Date V2 issued: September 2011 Last Reviewed: December 2013 Next Review date: December 2015 Scope: Trust wide MMHSCT Document Code: CO28 Page 1 of 24

2 Document Title / Ref: Lead Executive Director Author and Contact Number Document Control Sheet Information Governance Policy Director of Strategy, Transformation and Performance Head of Information Governance and Records Type of Document Policy Broad Category Corporate Document Purpose The purpose of this Information Governance Policy is to be the definitive policy which sets out clear and robust Information Governance at the Trust. Scope All Staff including locums, Version number V3 trainees, students etc. Consultation None required Approving Committee I&IT Committee Approval Date January 2014 Ratification and Date Lead Executive Ratification Director of Strategy, Transformation and Performance Date of Ratification January 2014 V2 Valid from Date September 2011 Current version is valid from approval date Date of Last Review December 2013 Date of Next Review December 2015 Procedural Documents to be read in n/a conjunction with this document: Training Needs Analysis Impact All staff are required to familiarise themselves with this policy Financial Resource Impact None Document Change History Changes to this document in different versions must be detailed below. Rationale for the change should also be given Version Number / Name of procedural document this supersedes Information Governance Policy Type of Change i.e. Review / Legislation / Claim / Complaint Review Date December 2013 Details of Change and approving group or Executive Lead (if done outside of the formal revision process) Amended format to be in new Trust format for policy documentation and policy review External references used in the creation of this document: If these include monitoring duties upon the Trust for this policy the specific details should be recorded on the Monitoring and Compliance Requirements sheet Information Governance Toolkit v 11, HSCIC 2013 Privacy Impact Assessment submitted Fraud Proofing submitted Previous PIA 21/07/11 - no major changes Previous fraud proofing 02/08/11 - Any issues? Any issues? no major changes If not relevant to this procedural document give rationale: Review of a previous policy - no major changes None None Page 2 of 24

3 Policy authors are asked to consider each of the nine protected characteristics under the Equality Act We expect you to demonstrate that throughout the policy process you have had regard to the aims of the Equality Duty: 1. Eliminate unlawful discrimination, harassment and victimisation and any other conduct prohibited by the Act; 2. Advance equality of opportunity between people who share a protected characteristic and people who do not share it; and 3. Foster good relations between people who share a protected characteristic and people who do not share it. Please provide a brief account of how you have done this, further work to be completed and any support you have had in considering the aims and working in compliance with the Equality Duty. If you are unclear on how to do this or would like further advice and support then you may contact quality.admin@mhsc.nhs.uk. It is the responsibility of the approving group to ensure this statement reflects the Trusts objectives and position with compliance as set out within the NHS Equality Delivery System This previous version of this policy was subject to a full equality and diversity impact assessment in line with the Equality Duty which was approved by the Equality and Diversity Committee. The Equality Duty has however been considered during the review of the policy but as the policy changes are very minor they do not have any impact the policy complies with the Equality Duty In line with the Trust values we may publish this document on our External Website. Is there any reason you would prefer this is not done? No It is the Authors responsibility to ensure all procedural documents comply with the Trust values If you are unclear on any of the requirements in the document control sheet then please quality.admin@mhsc.nhs.uk before proceeding Page 3 of 24

4 Monitoring and Compliance Requirements Sheet For audit, Registration and NHSLA purposes all procedural documents must have monitoring requirements or key performance indicators set by the authors, Committees or Lead Directors. This allows the Trust to routinely monitor the effectiveness and impact of their procedural documents on a regular basis. Procedural Document Title: Information Governance Policy V3 Does this procedural document offer support or evidence for the Trusts registered activities and outcomes? Yes Primarily IG Toolkit Additional Not Applicable Additional Not Applicable Is this an NHSLA Document? No Which Standard does this relate to? n/a Which Criterion If other Monitoring requirements are necessary i.e. Health & Safety Act and you should include them here and record them in the External References section Specify where the requirement originates IG Toolkit Version 11 HSCIC Additional Details i.e. Section number, Code of : policies Minimum Requirement / Standard / Indicator to be monitored & Section of document it appears Level \ 1b Policies Policy, approvals, procedure and guidelines in place Process for monitoring Responsible Individual / Group Practice Frequency of Monitoring Responsible Group for review of results / action plan approval / implementation Review Head of IG and Records Biannual I&IT Committee Comments NB: If you have selected audit you should complete the required audit registration form and standards document and submit these with your expected timescales for completing the audit to quality.admin@mhsc.nhs.uk as soon as possible and no later than 4 weeks prior to the audit commencing. The Group / Committee should also ensure the monitoring work is added to their yearly schedule of monitoring and action logs as appropriate. Page 4 of 24

5 CONTENTS 1. Introduction Page 6 2. Policy purpose Page 7 3. Scope Page 7 4. Policy Objective Page 7 5. Legal Requirements Page 8 6. Principles of Information Use Page 8 7. Responsibilities Page Other Relevant Policies Page IG Assurances Page Training and awareness Page Monitoring, evaluation and review Page Counter Fraud Measures Page Accessibility of Documents Page References/Supporting Information Page 19 Appendix B Caldicott Principles Page 20 Appendix B - LEGAL & REGULATORY FRAMEWORK Page 21 Page 5 of 24

6 Information Governance Policy 1. Introduction Manchester Mental Health & Social Care Trust s (the Trust) uses large amounts of data /information in order to support the delivery of health and social care services. Most of this is service user s confidential personal information which they provide in support of their health and social care. They have rights under the law to expect the Trust to keep it confidential and therefore securely. To do this effectively what is needed is a cohesive, practical framework that governs and supports the legally compliant use of information. Information assets, such as data and the information systems it is processed on, have become vitally necessary in order to provide modern health and social care services. Such information assets must continue to work well in order to provide the entire scope of services and support that are now expected. There are strong legal requirements and NHS directives that necessitate working in an IG-compliant manner:- Confidential data must be kept confidential, adequately protected, only shared when legal and safe to do so and used (processed) in accordance with the law, notably the Data Protection Act. Information assets (e.g. data and systems) must be available when necessary for service provision and support Information assets must have the appropriate integrity and quality e.g. applications must work as expected and data must be as accurate as necessary In order to achieve the above a wide scoping IG risk management framework has developed over the years, comprising: law, ethics, directives, guidelines, controls, technology, standards etc. This document is the Trust s Information Governance Policy and is a key part of the IG Framework (IGF). The IGF is a broad framework of risk management implemented to manage the risks associated with using/processing data, especially of confidential data in order to facilitate and ensure its continued, appropriate and legally compliant use. It is firmly based on legislation, NHS policy, directives and guidelines, international information security standards and best practice in many areas (i.e. Informatics and IT, records management, information security, Data Protection etc). This policy is directed and guided by the Trust s Information Governance Framework and supported by related policies, procedures and processes. It is intended to be fully consistent and compatible with the policies and practices throughout the NHS and has been developed to achieve compliance with the legal, regulatory and ethical frameworks. All staff must read and comply with this policy, raising any points that are not understood with their management or the relevant staff whose contact details can be found in the Contacts section of this document. 2. Policy Purpose The purpose of this Information Governance Policy is to be the definitive policy which sets out clear and robust Information Governance at the Trust. This policy will not discriminate, either directly or indirectly, on the grounds of gender including gender reassignment, race, ethnic or national origin, sexual orientation, marital Page 6 of 24

7 status, religion or belief, age, disability, union membership, offending background and any unjustified grounds. 3. Scope This policy applies to the following: All staff and any others such as any individual, group, company, legal body or entity engaged in work/service provision, support or any other function relating to the Trust. This includes students, locums, maintenance staff, experts, support services, service providers, third parties, software developers, testers, system hosting providers or any others that use, process or have any access to, transmission of, or storage of confidential Trust data or information All information assets such as information systems and data processing facilities purchased, developed and managed by or on behalf of the Trust and its partners. All data and information used by the Trust that it has a legal or ethical requirement to meet and maintain. This is irrespective of how it is stored or transmitted e.g. , databases, fax, files on networks, paper records All kinds of Trust data and information including:- service users, staff and organisational information. Most importantly this is confidential data but also any supporting data is included. It applies to any data the Trust processes on behalf of another organisation or entity under an agreement or contract All uses and handling of such information as e.g. structured paper and electronic records and file systems processing, usage and handling All transmission and sharing of such information file-sharing, , fax, post and telephone. This includes such as database transactions that do not necessarily move anywhere except through electronic registers 4. Policy Objective The objective of this policy is to set out what must be complied with in order to implement the Information Governance (IG) Framework so as to enable the Trust to meet its responsibilities for the secure and appropriate management of information assets and resources. Furthermore, to set out the principles of IG in a clear and structured way that supports IG implementation with clear and practical rules. The aims of this policy and its supporting policies are to ensure and preserve:- Confidentiality limiting access to data to those authorised to view it. Integrity safeguarding the accuracy and completeness of information and ensuring the correct operation of all information assets (e.g. systems and networks). Accessibility ensuring that information is available and delivered to the right person, at the time it is needed. Authenticity ensuring information and records are credible and authoritative. Reliability ensuring information and records can be trusted as a full and accurate representation of the transactions, activities or facts. Page 7 of 24

8 5. Legal Requirements The legal framework on which this information governance policy is based is as follows; Data Protection Act 1998 Caldicott 2 Information: To share or not to share Computer Misuse Act 1990 Copyright, Designs and Patents Act 1988 Regulation of Investigatory Powers Act 2000 Human Rights Act 1998 Electronic Communications Act 2000 Freedom of Information Act 2000 Health and Social Care Act 2001 Access to Records Act 1990 The Caldicott Committee Report on the Review of Patient Identifiable Information (1997) Common Law Duty of Confidentiality Fraud Act 2006 Bribery Act Principles of Information Use The Trust endorses and promotes the following key principles, which are predicated from Data Protection Principles, for the effective use and management of its confidential information, requiring that staff observe and implement them in their use of data and information. Data/information must be:- Held securely and confidentially o Management must control access to information assets through correct, approved authorisation. o Confidential data must be kept securely. Staff work in appropriately secure premises and have lockable rooms, cupboards and cabinets in which to store confidential information. o Security credentials must be required for staff to access computers and applications. These must be kept secret by the authorised user granted access. Obtained fairly and efficiently. Staff must:- o have legitimate grounds for collecting and using the personal data they do o not use the data in ways that have an adverse effects on the individual(s) concerned o be transparent about how you (the care team etc) intend to use the data, and give individuals appropriate privacy notices when collecting their personal data o handle people s personal data only in ways they would reasonably expect Page 8 of 24

9 o make sure you do not do anything unlawful with the data. Recorded accurately and reliably. Staff must:- Take reasonable steps to ensure the accuracy of any personal data you obtain o o o ensure that the source of any personal data is clear carefully consider any challenges to the accuracy of information consider whether it is necessary to update the information Used effectively and ethically. Staff must:- o o Strive to achieve the maximum value from the resources used Not use information dishonestly, unethically or unsafely Shared appropriately and lawfully. Staff must:- o o Share confidential information with consent where legal, appropriate and, where possible, respect the wishes of those who do not consent to share confidential information. You may still share information without consent if, in your judgment, that lack of consent can be overridden in the public interest. This means applying the Public Interest Test and management should be consulted on this if there is any doubt that it is debatable or weak. Such sharing must be justifiable under the law and therefore it is advisable for staff to keep a record of their decision(s). Staff must understand that the law, notably the Data Protection Act, should not be a barrier to sharing information but provides a framework to ensure that personal information about living persons is shared in a legally compliant manner. Whenever there is any doubt or uncertainty about whether information can be shared or not then reference must be made to the Trust s Information Sharing Policy and Procedure and if necessary Information Governance advice sought (see Contacts section of this document). 7. Responsibilities 7.1 Staff Staff use information assets in their work e.g. paper records and computer systems. Due to the Trust being a health and social care provider there is naturally a lot of personal identifiable data collected, stored and used constantly on information assets such as Amigos. Therefore it is vitally important that staff know what kind of data and systems etc they use and how to access and use them safely and securely. The Data Protection Act 1998 defines and sets out the principles for using personal data and staff are advised to understand this and can read it by following this link:- Page 9 of 24

10 px All the following are really saying is Do the right thing when it comes to data and systems security. If you apply the golden rule of treating other people s personal data how you would want them to treat your personal data. N.B. (It should be noted that this must comply with UK law.) Staff must:- Comply with the law, notably the Data Protection Act, which contains eight principles. These specify that personal data must be:- 1. Processed fairly and lawfully. 2. Obtained for specified and lawful purposes. 3. Adequate, relevant and not excessive. 4. Accurate and up to date. 5. Not kept any longer than necessary. 6. Processed in accordance with the data subject s (the individual s) rights. 7. Securely kept. 8. Not transferred to any country outside the EEA without adequate protection in situ. Staff must comply with the following Caldicott Principles:- Justify the purpose(s) of every proposed use or transfer Don't use it unless it is absolutely necessary Use the minimum necessary Access to it should be on a strict need-to-know basis Everyone with access to it should be aware of their responsibilities Understand and comply with the law The duty to share information can be as important as the duty to protect patient confidentiality to share or not to share Staff must:- Comply with the Common Law Duty of Confidence This tort of common law obliges staff to secure and maintain the confidentiality of their service user s confidences. Information that is obtained may very well be confidential, and must not be used for the benefit of persons not authorised by the individual it is about. Staff must also be aware that such a confidence could, if compelled by law, be overturned. It is best to notify the individual about this prior to a duty of confidence being entered into. Page 10 of 24

11 Comply with Trust Information Governance policies and procedures A list of Trust policies is set out in its own section (IG Policy) in this policy to be referred to. A brief explanation of what is covered in each is provided. Work to Information Governance Guidelines Guidelines are available and issued from time to time. Be aware that there are legal penalties for breaking the law and that failure to comply with policy may result in disciplinary action or dismissal Please refer to the Legal & Regulatory Framework section in this document Complete Information Governance training as mandated or required The Trust mandates and will maintain the Information Governance Training Tool for the effective delivery of Information Governance training, awareness and education. It is available to all staff with computer access. The Trust will provide Information Governance induction training to all new members of staff. The Trust provides general Information Governance awareness and training material on the Intranet Evaluation of Information Governance training will be undertaken to assess the effectiveness of the training and influence changes to future training. Abide by their Terms of Employment, Contracts and/or Agreements The Trust will:- establish staff responsibilities in Terms & Conditions and Contracts of Employment establish sufficient IG content in contracts and agreements with Third Parties The Trust will:- appoint a Senior Information Risk Officer (SIRO) at Board level. This has already been done. establish and maintain standards and policies for the effective and secure use and management of its information assets and resources. establish and maintain standards and guidance for the effective and secure transfer of information into and out of the Trust. establish and maintain standards and policies for the disclosure of information. undertake or commission timely assessments and audits of its information and IT security arrangements. promote effective confidentiality and security practice to its staff through policies, procedures and training. Page 11 of 24

12 establish and maintain incident reporting procedures, and monitors and investigates all reported instances of actual or potential breaches of confidentiality and security. Staff must ensure:- Confidentiality Confidentiality is about managing and controlling access to data so that only those authorised to view it can do. Conversely it is also about ensuring unauthorised persons cannot access information assets. Authorised users are the only persons permitted to use Trust information assets. Any unauthorised use will usually constitute a breach of policy. N.B. Information asset administration staff must ensure confidentiality is kept and therefore must not access confidential data inappropriately. All staff must ensure that confidential information is not accessible to unauthorised persons. Precautions for information assets depend on the asset:- For paper assets such as: records, case notes etc please refer to the Service User Records Management Policy and procedure for details. For computer assets: files, applications and hardware please refer to the Information Security Policy for further details. For both above points: staff must ensure that security is implemented and maintained for the assets they use and share. Anything less could be construed as negligence. Integrity Integrity means safeguarding the accuracy and completeness of information and ensuring the correct operation of all information assets (e.g. systems and networks). Staff must work to the best of their ability and in compliance with Data Quality Policy to ensure that information is as accurate and complete as necessary. Where information assets are systems, computers etc staff must ensure their operation is not jeopardised and any potentials for such are reported to the line manager/ IT Help Desk. Accessibility Accessibility is about ensuring that information is available and delivered to the right person, at the time it is needed. This is primarily an operational issue regarding access to paper records and computer equipment, networks and data. Therefore staff must ensure that assets are accessible by authorised staff who need such access e.g. premises are open, computers are available. Administration staff must ensure such access is granted in an authorised and timely manner. Page 12 of 24

13 Authenticity Authenticity is about ensuring that data, information and records are credible and authoritative. All staff involved in processing data, records etc must implement the available checks and balances regarding this and comply with relevant policy. Reliability Reliability is about ensuring information and records can be trusted as a full and accurate representation of the transactions, activities or facts. Staff must implement the available checks and balances regarding this and comply with relevant policy, raising queries if thought necessary. 8. Other Relevant Polices and Associated Documents This policy should be read in conjunction with other relevant Trust policies and procedures as follows: A. Information Governance Framework B. Access to Records Policy C. Service User Record Management Policy D. Records Management Policy E. Use Policy F. Safe Haven Policy G. Registration Authority Policy H. Confidentiality NHS Code of Conduct I. Freedom of Information Policy J. Information Sharing Policy K. Removable media Policy L. Portable Devices Policy M. Trust Confidentiality Code of Conduct N. Trust SUI and Incident Reporting Policy O. Disciplinary Policy P. Home working Policy Q. Mobile Phone Policy R. Data Quality Policy S. Trust Risk Management Strategy T. Information Governance Strategy U. Individual System Security Policies V. Counter Fraud & Corruption Policy W. Counter Fraud & Corruption Response Plan These policies and other such policies that may be published from time to time shall be regarded as forming part of this policy document. Page 13 of 24

14 9. I G Assurances 9.1 Confidentiality and Data Protection Assurance Please refer to the Legal & Statutory Framework section of this policy. Information Sharing & Encryption Staff must ensure that information is disclosed and shared in accordance with the law and policy e.g. if an is to be sent that will contain confidential information then that must not be put in the message body of the but in an encrypted attachment. The password to open it must be sent in a separate or provided by phoning The Trust will ensure that Information Sharing Protocols and Agreements are available to be used in facilitating information sharing in a considered and controlled manner. Protective Marking Scheme There are 3 types of data categories at the Trust set out in the following grid. CONFIDENTIAL INTERNAL PUBLIC The Trust regards all identifiable personal information relating to patients and staff as confidential except and will keep it confidential unless compelled by law (e.g. the public interest ) to release it. Service User and Patient data, case notes, Amigos files, staff personnel records, financial records Statistics, work-a-day internal s with nonconfidential messages Communications advertising, internet site Safe Haven Guidelines The term Safe Haven applies to the handling of confidential information such as confidential faxes which must be sent securely. It also applies to staff that work in safe havens such as secure locations or between secure computers/systems. This is covered more extensively in the following documents:- The Trust has produced Safe Haven Policy and Service User Records Management Policy and Procedure. Staff must comply with these in their daily data use. Legal Compliance Please refer to the Legal & Statutory Framework in this document for further information. All staff must comply with the law and proactively help the Trust to continue in its compliance. The Trust will undertake or commission annual assessments and audits of its compliance with legal requirements. Page 14 of 24

15 Service users/ patients can apply for access to information relating to their own health care, their options for treatment and their rights as patients under the Data Protection Act The public may apply for information in the Public category under the Freedom of Information Act 9.2 Information Security Assurance All staff are expected to safeguard the information assets that they use e.g. their Trust laptop and access to the data that is accessible through it. Therefore staff must work in such a way as not to jeopardise the asset or put it at risk and ensure that it is secure. Where there is a risk to found then it must be reported to the IAO or IAA of the asset it is about. Staff must comply with the Information Security Policy and supporting procedures. The Trust will continue to manage risk in a proactive way and therefore put in place the appropriate:- Policies and procedures the Trust will govern and strive to prevent a range of potential security incidents and ensure that critical services can be resumed in a timely manner. It will therefore ensure much work and many policies, procedures, controls and countermeasures exist and more are proposed for update or development. Awareness Training the Trust has put in place, and monitors an IG Awareness training programme. Information Security Management The Trust will ensure it minimises or diminishes the compromise or loss of information through carelessness, theft, fraud, deliberate leak or attack. Therefore the Trust will work in accordance with best practice guidelines and NHS directives and adopted standards. Staff must do their bit in this, always seeking to look after the information assets around them and reporting anything untoward. Information Security Incident Management - Significant incidents and risks must be escalated to the Head of IG and SIRO for consideration/investigation on behalf of the Trust Board. The level of acceptable risk will be agreed by the Trust Board by consideration of the Trust's Risk Registers that they have oversight of and kept under review. Information security risks will be reviewed, evaluated, and risk management principles embedded as part of day-to-day business. Departmental approaches must be flexible and capable of adapting to fast moving or unpredictable events that require dynamic decision-making. Information security needs to be approached in a structured manner to ensure that risks are managed appropriately. The following approach to information risk management will be taken:- Page 15 of 24

16 Identify Assets: To identify its assets such as people, information, systems and services. Understand their values in terms of how they support health and social care services provision and what the impact of compromise or loss may be. Identify/engage Information Asset Owners: For the SIRO to nominate and engage Information Asset Owners over the Trust's information assets. (Note: This will include shared services assets.) Threat Assessment: To identify threats to the Trust s information assets on an ongoing basis, assessing the likelihood and scale of the threat and impact of a occurrence Vulnerability Assessment: To consider the vulnerability of assets, systems and services, including an assessment of the adequacy of existing safeguards; Risk Tolerance: understand the level of risk that the Trust is prepared to tolerate. Implement Controls: select proportionate security controls as necessary to reduce the risk to an acceptable level. Risks should be continuously monitored and corrective action taken where necessary. NB: The above will be done over all information assets, including shared infrastructure ones e.g. the computer network. 9.3 Clinical Information Assurance Staff must comply with all applicable Records Management policies and procedures. Information and records management Records Management The Trust will establish and maintain policies and procedures for the effective management of records. The Trust will undertake or commission timely assessments and audits of its records management. Managers are expected to ensure effective records management within their service areas. The Trust promotes records management through policies, procedures and training. The Trust uses Records Management: NHS Code of Practice as its standard for records management. 9.4 Secondary Use Assurance Staff must comply with all applicable Data Quality Policy and supporting procedures and raise related matters to the relevant management and Informatics staff. Information quality assurance Data Quality Assurance The Trust will establish and maintain policies and procedures for information quality assurance. The Trust will undertake or commission annual assessments and audits of its information quality. Page 16 of 24

17 Managers are expected to take ownership of, and seek to improve, the quality of information within their services. Wherever possible, information quality should be assured at the point of collection. Data standards will be set through clear and consistent definition of data items, in accordance with national standards. The Trust will promote information quality through policies, procedures/ user manuals and training 9.5 Corporate Information Assurance Business continuity and disaster recovery plans Physical security incident management/ Disaster Recovery The Trust has Disaster Recovery and Business Continuity Plans (please refer to them on the Intranet) so they will not be dealt with here but to say that e.g. break-ins, terrorist attack, flooding), electronic attacks, compromise of communications security or disruption of online services must be reported to the relevant Information Asset Owner (IAO) who reports to the SIRO Monitoring and compliance assurance Freedom of Information Non-confidential information about the Trust and its services will be available to the public through a variety of media. The Trust has established and will maintain policies to ensure compliance with the Freedom of Information Act. The Trust undertakes or commissions annual assessments and audits of its freedom of information policies and arrangements. The Trust has clear procedures and arrangements for liaison with the press and broadcasting media (Please refer to Communications Departmental policy etc) The Trust has clear procedures and arrangements for handling queries from patients and the public. 10 Training and Awareness In line with the Trust Mandatory Training policy, the Trust will ensure that all users of Trust information systems and assets are provided with the necessary information governance guidance, awareness and training as appropriate to discharge their IG responsibilities based on the outcome of the training needs analysis undertaken by the Learning and Development Department. This information is available on the Trust intranet. Page 17 of 24

18 11 Monitoring, Evaluation and Review of the Policy The process for monitoring both the compliance with this policy and its effectiveness will be through the use of audit in accordance with the Trust Audit Plan. All Audit Reports and action plans will be subject to regular monitoring by the I&IT Committee. In addition external and internal audits will be commissioned as appropriate. The Trust will also complete and submit the NHS Statement of Assurance and the IG Toolkit which monitors attainment against NHS Information Governance standards. The policy will be reviewed on a bi-annual basis by the Information Governance Manager and the Trust Information Governance Group and any amendments or additions will be made. However, where review is necessary due to legislative change this will happen immediately 12 Counter Fraud Measures In accordance with the Trust s counter fraud & corruption plan any suspicious activity, within the scope of this policy, will be referred to and subsequently investigated by the Trust s Local Counter Fraud Specialist. The results of any such investigation could lead to internal disciplinary and/or civil/criminal prosecution proceedings being instigated against the appropriate person/persons involved. 13 Dissemination, Implementation and Access to this Document This policy and associated procedural guidance once ratified will be disseminated by the Head of Regulation Compliance and Quality Improvement through the Trust Communication Channels as agreed with the Communications Department. The document will be made available on the Trust intranet site. 14 References and Supporting Information NHS Code of Practice for Information Security 2007, DoH Information Governance Toolkit v 11, HSCIC 2013 Page 18 of 24

19 Appendix A Caldicott Principles The Caldicott Principles - Revised September 2013 Principle 1. Justify the purpose(s) for using confidential information Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed, by an appropriate guardian. Principle 2. Don t use personal confidential data unless it is absolutely necessary Personal confidential data items should not be included unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s). Principle 3. Use the minimum necessary personal confidential data Where use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified so that the minimum amount of personal confidential data is transferred or accessible as is necessary for a given function to be carried out. Principle 4. Access to personal confidential data should be on a strict need-to-know basis Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the data items that they need to see. This may mean introducing access controls or splitting data flows where one data flow is used for several purposes. Principle 5. Everyone with access to personal confidential data should be aware of their responsibilities Action should be taken to ensure that those handling personal confidential data - both clinical and non-clinical staff - are made fully aware of their responsibilities and obligations to respect patient confidentiality. Principle 6. Comply with the law Every use of personal confidential data must be lawful. Someone in each organisation handling personal confidential data should be responsible for ensuring that the organisation complies with legal requirements. Principle 7. The duty to share information can be as important as the duty to protect patient confidentiality Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies. Page 19 of 24

20 Appendix B LEGAL & REGULATORY FRAMEWORK The Trust acknowledges the complexity of the Legal and Regulatory Framework described in this section seeking at all times to work in a compliant manner. Much legislation exists over the use of information, mostly pertaining to personal identifiable data (PID) as it has the highest risk rating and therefore needs most robust protection and secure handling. The Trust has implemented an appropriate management structure, as set out in the IG Management Framework section of this document, to govern all of this with the goal of achieving and sustaining legal compliance in all its data use. It is essential that relevant legislation is understood and applied sufficiently over the spectrum of IG, e.g. data loss incidents, breaches of confidentiality, technical security implementations etc. This requires that:- (a) (b) In-house IG expertise will need timely updating and that the Trust s strategic stance on this is to employ experts and update skills on an ongoing basis via PDPs External expertise may at times need to be called upon for this, the Trust has well established links with solicitors. The Trust will engage experts as and when necessary. The Legislative Framework is set out next:- LEGISLATIVE FRAMEWORK The Data Protection Act This Act sets out the principles and statutory requirements for guiding and enforcing legally compliant personal data use. The Trust s use (processing) of personal identifiable data must comply with the following principles:- Fairly and lawfully processed Processed for limited purposes Adequate, relevant and not excessive Accurate and up to date Not kept for longer than is necessary Processed in line with individual rights Secure Not transferred to other countries without adequate protection Secondly, the Act provides individuals with important rights, including the right to find out what personal information is held on computer and most paper records. Moreover, all staff should be familiar with their own professional codes relating to Page 20 of 24

21 ethical aspects of information governance (i.e. respect for patient privacy and dignity). Data Protection The Trust will process requests for individual s personal data under the Act. Confidential data - Health records are defined under the Data Protection Act as sensitive personally identifiable information which therefore requires rigorous controls to be in place to support service user s expectation that their information will be held securely and shared only in a legally, ethically compliant manner. Data considered by the Trust and the law, to be commercially confidential will be safeguarded accordingly. Personal data access for patients, service users and staff etc - The Trust will give patients ready access to information relating to their own care in accordance with legislation, and will have clear procedures for handling queries from patients, service users and the public. Further the Trust will make available to staff, information relating to their employment subject to the Data Protection Act (NB: The Information Commissioner s Office (ICO) has the ability to set monetary penalties against organisations up to 500,000 for serious breaches of the Data Protection Act. This liability rests with the legal entity responsible for the processing of the data, even where this has been contracted out. The Trust needs to be aware of its obligations to ensure that information flows have a sound legal basis and ensure that they remain compliant with the law.) The Freedom of Information Act This Act is about information which (a) the Trust has agreed to make public or (b) provide in meeting a request under the FOI Act. FOI requests - The Trust will process requests under the Act. Publicly available information - The Trust will make available non-confidential information about the Trust and its services to the public through a variety of media, and has developed clear procedures for liaison with the press and media. Common Law: Duty of Confidence this tort of law relates to there being a reasonable expectation of the patient/service user to expect their personal data to be kept confidential by the clinician/staff they divulge it to. Access to Health Records Act 1990 (unless superseded by the Data Protection Act) regarding the right to apply for copies of deceased patients/service users clinical records. Living patients/service users apply under the Data Protection Act Computer Misuse Act 1990 about cybercrime/hacking The Human Rights Act Access to Health Records Act Caldicott review of Patient Identifiable Information 1997 Page 21 of 24

22 ance/dh_ Caldicott 2 There are many other laws and the following list is not exhaustive:- Copyright, Designs and Patents Act 1988 Copyright (Computer Programs) Regulations 1992 Crime and Disorder Act 1998 Electronic Communications Act 2000 Environmental Information Regulations 2004 Health and Social Care Act Regulation of Investigatory Powers Act 2000 (and Lawful Business Practice Regulations) Public Interest Disclosure Act 1998 NHS Trusts and Primary Care Trusts (Sexually Transmitted Diseases) Directions 2000 Human Fertilisation and Embryology Act 1990 Abortion Regulations 1991 Public Records Act 1958 Regulations under the Health and Safety at Work Act 1974 Re-use of Public Sector Information Regulations 2005 REGULATORY FRAMEWORK Further to legislation the NHS has mandated a number of elements of regulation that are an intrinsic part of Information Governance via a national programme. This area is developing at a fast changing pace and the focus within this section will need significant periodical review. Information Governance Toolkit which requires trusts to assess their progress against set criteria NHS Operating Framework - Since version 9 of the IG Toolkit, all requirements are 'key' and the Trust is expected to attain level 2 against all the requirements in its assessment set. Caldicott a report for the audit and improvement on the use of patient identifiable data (1997) and HSC 1999/012. The Caldicott Principles were derived from this. ISO 27001: Information Security Management Standard & CoP Information Quality Assurance, QIPP and the quality agenda generally. Confidentiality: NHS Code of Practice (2003) Page 22 of 24

23 Information Security Management: NHS Code of Practice f NHS Guidance on Consent to Treatment Records Management: NHS Code of Practice ance/dh_ Clinical Negligence Scheme for Trusts (CNST) via NHS Litigation Authority NHS Code of Confidentiality The Trust s Annual Governance Statement this mentions the work undertaken around IG and the completion and submission of the IG Toolkit self-assessment which is audited. Care Quality Commission Regulations and NHSLA compliance particularly Care Quality Commission, Outcome 21 (and 6): Records - This is one of the core 16 quality and safety standards and relates entirely to records management and handling. It is closely related to Regulation 20 of the Health and Social Care Act 2008 (Regulated Activities). Both require appropriate and legal records management. Information Technology As information technology progresses there needs to be information governance in place over it. Payment by Results/ Service Line reporting Pressure from clinical communities and Ministers to produce high quality information on the quality of care. Increased risk that clinical care will be undermined due to reliance on poor quality records made readily accessible through electronic means. Pressure from central government to assure the security of data transfers as a result of data losses. Monitor IG assurance agency Annual Governance Statement - IG assurance is a recognised part of the Trust s overall governance framework. ETHICAL FRAMEWORK The right to expect confidentiality to be kept when it can reasonably be expected entitles a patient to the exercise of control over the content, uses of and disclosures of their personal information. Respect for that privacy is an essential part of the patient/staff relationship. The ethical framework is enshrined by the following:- Common Law: Duty of Confidence a tort of UK Law Confidentiality: NHS Code of Practice which includes the following principles:- Protect look after patient s information Page 23 of 24

24 Inform ensure patients are aware of how their information is used; there should be no surprises Provide Choice allow patients to decide whether their information can be disclosed and used in particular ways. Improve practice by always looking for better ways to protect, inform and provide choice. Further to the above the following points are covered:- Openness The Trust will further enhance its transparency of arrangements, by the use of Information Charters which provide clarity to citizens about the use and handling of personal data, and a range of other measures to improve information security across the Trust. NHS Care Record Service and the NHS Care Record Guarantee Applicable law and ethics are enshrined in these. To implement what can practically be done in order to monitor access to patient data is appropriate and enable patients to restrict access to part or all of their information either by making a decision about which groups certain information may be shared with, or via the patient sealed envelope. Refer to:- Page 24 of 24