Data Sharing Protocols


Responsible Officer: Business Planning & Resources Director
Author: Corporate Office
Date effective from: October 2013
Date last amended: NA
Review date: October 2016
Audience: NICE Board and staff (including contractual staff)

Introduction

1. These protocols apply to requests received from third parties for the sharing of personal data held by NICE and explain how such requests should be handled. Similar standards should be applied to sensitive non-personal information. They cannot cover every circumstance of information sharing, but they are intended to provide guidance to staff on the issues to be considered and to make them aware of their responsibilities in the handling of personal data.

2. Personal data is any information which relates to a living individual who can be identified from those data, or from those data together with other information held by NICE, and includes any opinions about the individual.

3. Data sharing must be done in accordance with the conditions under which the data was received and must comply with the Data Protection Act 1998 and other legislation, such as the Human Rights Act 1998 and the common law duty of confidentiality, in order for the sharing to be lawful.

4. Data sharing will be managed in accordance with agreements between NICE and the third parties who supply the data, and so as to ensure that the people whose data we hold know that their data will be handled confidentially, in a secure environment, with due care and respect for their privacy.

5. The protocols are not a substitute for formal legal advice, which will be obtained where necessary. In all cases staff should take advice from their Information Asset Owner, the Caldicott Guardian or the Governance Manager before sharing any personal data if there is any uncertainty about the lawfulness of the sharing.

6. Data sharing should not place a burden on staff or be counterproductive to the efficiency of NICE business, but it should be done within clear guidelines to protect the privacy and confidentiality of individuals.

7. Failure to follow these protocols may lead to unauthorised disclosure of sensitive personal information, damage to the reputation of NICE and potential fines of up to £500,000 for breach of the Data Protection Act 1998.
Scope

8. This policy applies to NICE staff (including those on secondment to other organisations) and to the following groups of people working for or on behalf of NICE. This document describes these (non-staff) groups collectively as "affiliates":
- committee chairs and members and remunerated expert advisers
- non-executive directors
- agency workers and contractors on temporary contract or employed through an agency to work for NICE
- secondees (those who are seconded to NICE from other organisations)
- unpaid students, volunteers or placement staff

Responsibilities

9. All staff and affiliates have a responsibility to keep personal information secure from unauthorised disclosure. Staff need to be clear about:
- what information can be shared, and under what circumstances
- what information cannot be shared, and under what circumstances
- who to go to for advice if they are not sure what to do

10. Local management of personal data is the responsibility of the departmental Information Asset Owner (IAO), or of another senior manager if there is no IAO in place. Their role is to ensure that personal data is held securely in accordance with the Data Protection Act 1998, that access is maintained on a need-to-know basis and that any transfers are made in accordance with these protocols.

Procedure

11. NICE will, where appropriate and practical, seek informed consent to share information, so that the individual giving consent understands why the information needs to be shared, what information will be shared, who will see their information and how it will be used.

12. Teams should ensure that the data protection statements on all data collection forms cover any potential sharing of the data.

13. The general approach to data sharing should follow a four-step process:
a) Decide whether NICE has the power to carry out the function to which the data sharing relates.
b) Decide whether disclosure would breach any of the Principles in the Data Protection Act 1998.
c) Decide whether sharing the information would amount to a breach of the individual's right to a private life under the Human Rights Act 1998.
d) Decide whether disclosure would breach any common law duty of confidence owed to the individual.

14. In addition, all decisions to share personal medical data must comply with ALL of the Caldicott Principles [1]:
a) Justify the purpose(s) for using confidential information.
b) Only use it when absolutely necessary.
c) Use the minimum that is required.
d) Access should be on a strict need-to-know basis.
e) Everyone must understand his/her responsibilities.
f) Understand and comply with the law.

15. A flow chart of the procedure to be followed is set out in Appendix A, and a quick guide to the key issues to consider is in Appendix B.

[1] DH Manual for Caldicott Guardians 2010

16. If at any point you are unsure whether it is appropriate to share personal data you should take advice from your IAO, senior managers or the Governance Manager.

17. Where the data refers to the medical condition of any individual, the decision must be authorised by the Caldicott Guardian for NICE, who is Gillian Leng.

Unsolicited correspondence

18. Unsolicited correspondence sent to NICE, including correspondence containing sensitive personal data or confidential information, may be shared with third parties where there is a clear public interest in doing so or as required by law. If the Enquiries Team/Corporate Office considers there is a valid reason for sharing the data, such as issues relating to safeguarding [2], this will first be discussed with the Caldicott Guardian.

The law

19. All data sharing with third parties must comply with the law and with other relevant NICE policies and procedures. Sharing personal data is covered by more than one piece of legislation; those most frequently referred to are the following.

Administrative law
The starting point is to identify the NICE function to which the data sharing is ancillary, to establish that NICE has the power, implicit or explicit, to share the data, before proceeding to consider whether sharing is lawful in the particular circumstances of the case. [3] If NICE does not have the power, or vires, to use and share the data it will be acting unlawfully, and the fact that the individual may have consented would not make the activity lawful. [4]

Data Protection Act 1998
The Data Protection Act 1998 is critical to data sharing, as it provides the legal framework for the handling and management of personal data, set out in eight principles. The most important of these are that the data should be processed fairly and lawfully, and only in accordance with the purposes for which the data were obtained.

Common law of confidence
The common law protects against the disclosure of information (whether personal or not) that is given in circumstances giving rise to an obligation of confidentiality on the part of the person receiving the information. Confidentiality is not an absolute bar to disclosure, but a judgement will be made as to where the public interest lies. The default position at NICE is that we will not disclose any confidential information unless this is required by law (including, but not exclusively, the Freedom of Information Act 2000) or there are compelling reasons for disclosure in the public interest. In these cases formal legal advice may be sought.

Human Rights Act 1998
Disclosure or sharing of an individual's personal data prima facie engages their rights under Article 8(1) of the European Convention on Human Rights, as given effect by the Human Rights Act 1998, which states: "Everyone has the right to respect for his private and family life, his home and his correspondence." While this right is not absolute, interference with it must be justified by demonstrating that the interference is:
i. in accordance with the law
ii. in pursuit of a legitimate aim, and
iii. necessary in a democratic society

Related policies
- Data Protection Policy
- Information Governance Policy
- Records Management Policy
- IT Security Policy
- Incident Reporting Procedure
- Research governance procedure

[2] 'Safeguarding' is a term widely used in health and social care to indicate those who need protection from harm, usually the elderly, frail or children.
[3] Para 8, Public sector data sharing: guidance on the law, DCA, Nov 2003.
[4] Section 3(1), Public sector data sharing: guidance on the law, DCA, Nov 2003.

Appendix A: Data Sharing Flowchart

(Decision points and outcomes of the flowchart; the connecting arrows are not reproduced in this transcription.)

Start: request received from a third party to share data.

Decision points:
- Is there a legitimate reason to share the data?
- Can any individual be identified from the data?
- Will sharing comply with the Data Protection Act 1998? *
- Is the information confidential?
- Do you have the individual's consent to disclose, or is there implied consent?
- Is there a clear public interest in sharing the data?

Outcomes: SEEK ADVICE / DO NOT SHARE / Share information.

If sharing:
- Identify how much information to share.
- Ensure you are sharing the information securely.
- Inform the person that the information has been shared, if they were not aware of this and doing so would not create or increase a risk of harm.

* A breach of the common law of confidentiality or of the Human Rights Act would necessarily be a breach of the First Principle of the DPA, which requires the processing to be lawful. If information does not identify an individual, and hence the DPA is not engaged, it may still have been provided in confidence and disclosure may be actionable as a breach of confidence. Note that confidentiality can apply to the deceased.

Appendix B: Quick guide to data sharing

Factors to consider [5]

When deciding whether to enter into an arrangement to share personal data (either as a provider, a recipient or both) you need to identify the objective that it is meant to achieve. You should consider the potential benefits and risks, either to individuals or to society, of sharing the data. You should also assess the likely results of not sharing the data. You should ask yourself:

What is the sharing meant to achieve? You should have a clear objective, or set of objectives. Being clear about this will allow you to work out what data you need to share and who with. It is good practice to document this.

What information needs to be shared? You shouldn't share all the personal data you hold about someone if only certain data items are needed to achieve your objectives. For example, you might need to share somebody's current name and address but not other information you hold.

Who requires access to the shared personal data? You should employ need-to-know principles, meaning that other organisations should only have access to your data if they need it, and that only relevant staff within those organisations should have access to the data. This should also address any necessary restrictions on onward sharing of the data with third parties.

When should it be shared? Again, it is good practice to document this, for example setting out whether the sharing should be an ongoing, routine process or whether it should only take place in response to particular events.

How should it be shared? This involves addressing the security surrounding the transmission of, or access to, the data and establishing common rules for its security.

How can we check the sharing is achieving its objectives? You will need to judge whether it is still appropriate and confirm that the safeguards still match the risks.

What risk does the data sharing pose? For example, is any individual likely to be damaged by it? Is any individual likely to object? Did the individual have a reasonable expectation that their data might be shared? Might it undermine individuals' trust in the organisations that keep records about them?

Could the objective be achieved without sharing the data, or by anonymising it? It is not appropriate to use personal data to plan service provision, for example, where this could be done with information that does not amount to personal data.

Will any of the data be transferred outside the European Economic Area (EEA)? If so, you need to consider the requirements of the eighth principle of the Data Protection Act 1998.

[5] ICO Data Sharing Code of Practice, May 2011

Appendix C: Version Control Sheet

Version | Date         | Author           | Replaces | Comment
1       | October 2013 | Corporate office |          |