Data Protection Policy

Transcription

1 Data Protection Policy Version: V1 Ratified by: Operational Management Executive Committee Date ratified: 26 September 2013 Name and Title of originator/author(s): Chris Brady, FOI, Data Protection and Briefing Lead Name of responsible Director: Lee Whitehead Director of People & Communications Date issued: 12 November 2013 Review date: 3 years from date of first publication Target audience: All HEE Staff Document History: Version 1: OMEC, 26/09/13 1

2 Document Status This is a controlled document. Whilst this document may be printed, the electronic version posted on the intranet, and copied to the internet, is the controlled copy. Any printed copies of this document are not controlled. As a controlled document, this document should not be saved onto local or network drives but should always be accessed from the intranet. 2

3 Contents Paragraph Page 1 Introduction 4 2 Aim 4 3 Legislation 4 4 NHS & Related Guidance 4 5 Responsibilities 5 6 Security & Confidentiality 5 7 Database Management 5 8 Back Ups 6 9 Disclosure of Information 6 10 Disclosure of Information Outside the EEA 6 11 Training 7 12 Induction 7 13 Contracts of Employment 8 14 Disciplinary 8 15 Monitoring and Audit 8 16 Subject Access Requests 8 17 Disclosure of Personal Information 9 3

4 1. Introduction 1.1. Health Education England (HEE) has a legal obligation to comply with all appropriate legislation in respect of Data, Information and IT Security. It also has a duty to comply with guidance issued by the Department of Health, the Information Commissioner, other advisory groups to the NHS and guidance issued by professional bodies Penalties could be imposed upon HEE, and/or employees for non-compliance with relevant legislation and NHS guidance. 2. Aim 2.1. This Data Protection Policy details how HEE will meet its legal obligations and NHS requirements concerning confidentiality and information security standards. The requirements within the Policy are primarily based upon the Data Protection Act 1998 as that is the key piece of legislation covering security and confidentiality of personal information. 3. Legislation 3.1. For the purpose of this Policy other relevant legislation and appropriate guidance may be referenced. The legislation listed below also refers to issues of security and or confidentiality of personal identifiable information/data: Data Protection Act 1998 Access to Health Records 1990 Access to Medical Reports Act 1988 Human Rights Act 1998 Freedom of Information Act 2000 Regulation of Investigatory Powers Act 2000 Crime and Disorder Act 1998 Computer Misuse Act 1990 Criminal Justice and Immigration Act NHS & Related Guidance 4.1. The following are the main publications referring to security and or confidentiality of personal identifiable information/data (see section A for more information): Confidentiality: NHS Code of Practice Records Management: NHS Code of Practice Information Security: NHS Code of Practice Employee Code of Practice (Information Commissioner) 4

5 5. Responsibilities 5.1. The Chief Executive Officer has overall responsibility for the Data Protection Policy within HEE. The implementation of, and compliance with, this Policy is delegated to the Data Controller (Director of People & Communications) and the Data Protection Lead. The Data Protection Lead will report data protection issues to the Data Controller who will have responsibility for bringing these to the attention of HEE s Executive Team The Data Protection Lead role includes: Maintaining registrations Facilitating training sessions Dealing with subject access requests Acting as initial point of contact for any data protection issues which may arise within HEE Providing reports to the HEE Executive Team as required Auditing data protection compliance Facilitating action in areas identified as being non-compliant Assisting with complaints concerning data protection breaches Acting as the interface between data protection and freedom of information 5.3. This Policy will be reviewed annually, or more frequently if appropriate, to take into account changes to legislation that may occur, and/or guidance from the Department of Health, the Information Commissioner or any relevant case law The day to day responsibilities for enforcing this Policy will be devolved to application/system managers and other nominated personnel. In order to fulfil their roles, the Data Protection Lead in conjunction with the Data Controller will ensure that regular training is provided to remind these personnel of these responsibilities and the most effective way of ensuring adequate information security and confidentiality. 6. Security & Confidentiality 6.1. All information relating to identifiable individuals and any information that may be deemed sensitive, must be kept secure at all times. HEE will ensure there are adequate policies and procedures in place to protect against unauthorised processing of information and against accidental loss, destruction and damage to this information. 7. Database Management 7.1. The HEE Data Protection Lead will ensure that all databases that require registration are registered in accordance with the DPA requirements and these registrations are reviewed on a regular basis. Each computer system/database will have a 5

6 designated manager. A list of these nominated personnel will be maintained by the Data Protection Lead For the purposes of this policy the term Database refers to a structured collection of records or data held electronically which contains person identifiable information. In the event that further guidance is needed in respect to what constitutes a database please contact the Data Protection Lead. 8. Back-ups 8.1. Each application/system manager will have responsibility for ensuring there is a procedure which outlines the media, frequency and retention period for back-ups of the data and programs for the systems within their control Those systems which are run for the users by a third party organisation will have their systems backed up on a regular basis as defined by the Service Level Agreement. 9. Disclosure of Information & Information in Transit 9.1. It is important that information about identifiable individuals (such as the general public, patients and/or staff) should only be disclosed on a strict need to know basis. Strict controls governing the disclosure of patient identifiable information is also a requirement of the Caldicott recommendations All disclosures of computer held identifiable information should be included in the relevant data protection registration document for the database the disclosure may be made from Some disclosures of information may occur because there is a statutory requirement upon HEE to disclose e.g. with a Court Order, because other legislation requires disclosure (for staff to the tax office, pension agency and for patients to the Department of Health if the patient has a notifiable disease) If person identifiable information/records needs to be transported in any media such as: disc, memory stick or manual paper records, this should be carried out to maintain strict security and confidentiality of this information Contracts between HEE and third parties must include an appropriate confidentiality clause that must be disseminated to the third parties employees. 10. Disclosure of Information Outside the EEA Personal data, even if it would otherwise constitute fair processing, must not, unless certain exemptions apply or protective measures taken, be disclosed or transferred outside the European Economic Area to a country or territory which does 6

7 not ensure an adequate level of protection for the rights and freedoms of data subjects In the event that any member of staff wishes to process personal information outside of the United Kingdom, the HEE Data Protection Lead must be consulted prior to any agreement to transfer or process information. 11. Training The Data Protection Lead has overall responsibility for maintaining awareness of confidentiality and security issues for all staff. This is carried out at regular training sessions covering the following subjects: Personal responsibilities Confidentiality of personal information Relevant HEE Policies and Procedures Compliance with the Data Protection Principles Registration of automated databases Individuals rights (access to information and compliance with the principles) 12. Induction General good practice guidelines covering security and confidentiality Contact information relating to who is the Data Protection Lead and how they can be contacted for all problems which may occur in the areas of security and confidentiality of personal information A general overview of all Information Governance components General common sense issues such as locking doors and avoiding gossip in open areas or discussing sensitive information in public places (on trains, in taxis etc) Letting all staff know about relevant policies, procedures and good practice guidance and where this can be found A brief overview of how the data protection and freedom of information acts work and the differences All new starters to HEE will be given Information Governance training, to include compliance with the Data Protection Act and general IT security training, as part of the induction process. Extra training in these areas will be given to those who need it such as application/systems managers and those dealing with requests for information. A register will be maintained of all staff attendance at training sessions. Non-contract staff and those on short fixed term contracts will also be asked to attend induction sessions. These people will include temporary, agency staff and student placements. Training should also be open to external organisations carrying out functions for HEE such as security guards (where they are not contracted HEE employees) All staff will be made aware of what could be classed as an information security incident or breach of confidentiality. They will be made aware of the 7

8 process to follow and the forms to complete, so that incidents can be identified, reported, monitored and investigated. 13. Contracts of Employment Staff contracts of employment are produced and monitored by HEE Human Resources department. All contracts of employment include a data protection and general confidentiality clause. Agency and non-contract staff working on behalf of HEE must be subject to the same rules All HEE employees will be made aware of their responsibilities in connection with the DPA mentioned in this Policy through their Statement of Terms and Conditions, and targeted training sessions carried out by application/system managers and/or other trainers/specialists. 14. Disciplinary A breach of the Data Protection requirements could result in a member of staff facing disciplinary action. A copy of HEEs Disciplinary Procedure is available from the Human Resources Department. 15. Monitoring & Audit This policy will be monitored by the Data Protection Lead on a regular basis. In addition, application of this policy will also be reviewed by Internal and External Audit. 16. Subject Access Requests Current Data Protection legislation allows an individual who is the subject of personal information processed by HEE to access their information. In the event that an individual wishes to have a copy of their information under the subject access provision of the Data Protection Act a request must be made in writing to the Data Protection Lead HEE is obliged to respond to requests promptly within 40 days of a request being made for access to records containing person identifiable information. Failure to do so is a breach of the Act and could lead to a complaint to the Information Commissioner. If it is anticipated that a request will take longer than the 40-day period, HEE will inform the applicant giving an explanation of the delay and agree a new deadline In addition, HEE will charge for any subject access requests made in line with legislative guidelines. 8

9 17. Disclosure of Personal Information There are Acts of Parliament that govern the disclosure of personal information. Some of these Acts make it a legal requirement to disclose and others that state that information cannot be disclosed. These Acts are detailed below: Public Health (Control of Diseases) Act 1984 & Public Health (Infectious Diseases) Regulations 1985 Education Act 1944 (for immunisations and vaccinations to NHS SHAs from schools) Births and Deaths Act 1984 Police and Criminal Evidence Act 1984 Human Fertilisation and Embryology (Disclosure of Information) Act 1992 Venereal Diseases Act 1917 and Venereal Diseases Regulations of 1974 and 1992 Abortion Act 1967 The Adoption Act In the event that a request for disclosure is made referencing any of these Acts the HEE Data Protection Lead must be notified prior to any information being released 9