CONFIDENTIALITY AND DATA PROTECTION POLICY

Calderdale CCG Confidentiality & Data Protection Policy v0.6

Review and Amendment Log / Control Sheet

Responsible Officer: Chief Officer
Clinical Lead: Dr Matt Walsh
Author: Governance and Corporate Manager / CSU
Date Approved: 23 January 2014 (tbc)
Committee: Audit Committee
Version: 0.6
Review Date: January 2016

Version History

Version 0.1, 18 Dec 2013, Associate IG Specialist, WSYBCSU: Initial Draft
Version 0.2, 10 Jan 2014, Associate IG Specialist, WSYBCSU: Circulation Draft SMT
Version 0.3, 13 Jan 2014, Associate IG Specialist, WSYBCSU: Comments from Corporate and Governance Manager
Version 0.4, 15 Jan 2014, Associate IG Specialist, WSYBCSU: Amendments following comments
Version 0.5, 23 Jan 2014, Associate IG Specialist, WSYBCSU: Final. Presented to Audit Committee for approval
Version 0.6, 23 Jan 2014, Associate IG Specialist, WSYBCSU: Ratified
All staff

Contents

1 Introduction
2 Aims and Objectives
3 Scope of the Policy
4 Accountability
5 Definition of Terms
6 Confidentiality Code of Practice, Guidance and Legislation
7 Procedure
8 Training & Guidance
9 Implementation and Dissemination
10 Monitoring Compliance with and the Effectiveness of the Policy
11 References
12 Associated Documentation
13 Equality Impact Assessment
Appendix 1 Privacy Impact Assessment

1 INTRODUCTION

1.1 NHS Calderdale Clinical Commissioning Group (CCG) recognises the importance of reliable information, both in terms of the clinical management of individual patients and the efficient management of services and resources. The CCG also recognises the duty of confidentiality owed to patients, families, staff and business partners with regard to all the ways in which it processes, stores, shares and disposes of information.
1.2 Confidentiality and data protection legislation and guidance provide a framework for the management of all data from which individuals can be identified. It is essential that all staff and contractors of the CCG are fully aware of their personal responsibilities for any information they may come into contact with.

2 AIMS

2.1 The aim of this policy is to ensure that all staff understand their obligations with regard to any information they come into contact with in the course of their work, and to provide assurance to the Governing Body that such information is dealt with legally, securely, efficiently and effectively.

2.2 The CCG will establish, implement and maintain procedures linked to this policy to ensure compliance with the requirements of the Data Protection Act 1998 and other related legislation and guidance, and to support the assurance standards of the Information Governance Toolkit.

3 SCOPE

3.1 This policy must be followed by all staff who work for or on behalf of the CCG, including those on temporary or honorary contracts, secondments, pool staff, students and WSYBCSU staff working for or on behalf of the CCG. The policy is applicable to all areas of the organisation and adherence should be included in all contracts for outsourced or shared services. There are no exclusions.

This policy covers all aspects of information within the organisation, including (but not limited to):
- Patient/Client/Service User information
- Personnel/Staff information
- Organisational and business sensitive information
- Structured and unstructured record systems, paper and electronic
- Photographic images, digital or video recordings including CCTV
- All information systems purchased, developed and managed by, or on behalf of, the organisation
It also covers the processing of all types of information, including (but not limited to):
- Transmission of information: verbal, fax, e-mail, post, text and telephone
- Sharing of information for clinical, operational or legal reasons
- The storage and retention of information
- The destruction of information

3.2 Confidentiality and data protection within an independent contractor's premises is the responsibility of the owner/partners. However, the CCG is committed to supporting independent contractors in their management of information risk and will provide advice, share best practice and provide assistance when appropriate.

3.3 The CCG recognises the changes introduced to information management as a result of the Health and Social Care Act 2012 and will work with national bodies and partners to ensure the continuing safe use of information to support services and clinical care.

3.4 Failure to adhere to this policy may result in disciplinary action and/or referral to the appropriate regulatory bodies, including the police.

4 ACCOUNTABILITY

4.1 Governing Body
The Governing Body is accountable for ensuring that the necessary support and resources are available for the effective implementation of this policy.

4.2 The Audit Committee
The Audit Committee is responsible for the review and approval of this policy, related work plans and procedures, and will receive regular updates on compliance and any related issues or risks.

4.3 Accountable Officer
The Chief Officer is the Accountable Officer of the CCG and has overall accountability and responsibility for confidentiality and data protection. The Chief Officer is required to provide assurance, through the Annual Governance Statement, that all risks to the CCG, including those relating to confidentiality and data protection, are effectively managed and mitigated.
4.4 Senior Information Risk Owner
The Chief Finance Officer is the Senior Information Risk Owner (SIRO) and has organisational responsibility for all aspects of risk associated with Information Governance, including those relating to confidentiality and data protection.

4.5 Caldicott Guardian
The Caldicott Guardian for the CCG is Dr Matt Walsh, Governing Body Member. The Caldicott Guardian plays a key role in ensuring that the CCG satisfies the highest practical standards for handling patient identifiable information.

4.6 Information Governance Lead
The senior level Information Governance (IG) lead for the CCG is the Corporate and Governance Manager. The IG Lead is responsible for ensuring effective management, accountability, compliance and assurance for all aspects of IG, and for liaising with the Information Governance Team from West and South Yorkshire and Bassetlaw Commissioning Support Unit (WSYBCSU), who provide agreed support to the CCG.

4.7 Information Asset Owners
Information Asset Owners (IAOs) are directly accountable to the SIRO and must provide assurance that information risk is being managed effectively in respect of the information assets they are responsible for, and that any new business processes and systems, or changes to existing ones, undergo a Privacy Impact Assessment (Appendix 1).

4.8 Heads of Service
Heads of Service are responsible for ensuring that they and their staff are adequately trained and are familiar with the content of this policy.
4.9 Employees
All employees are responsible for:
- Ensuring compliance with this policy
- Seeking advice, assistance and training where required
All employees are personally responsible for compliance with the law in relation to data protection and confidentiality.

4.10 West and South Yorkshire and Bassetlaw Commissioning Support Unit (WSYBCSU)
The CCG contracts with WSYBCSU for Information Governance support, including advice on data protection and confidentiality. WSYBCSU can be contacted via the CCG IG Lead or by emailing infogov@wsybcsu.nhs.uk for advice.

5 DEFINITION OF TERMS

The words used in this policy are used in their ordinary sense and technical terms have been avoided.

5.1 Personal Confidential Data
Personal confidential data (PCD) refers to all items of information, in any format, from which an individual might be identified or which could be combined with other available information to identify an individual. This includes (but is not limited to):
- Name
- Date of birth
- Postcode
- Address
- National Insurance number
- Photographs, digital images etc.
- NHS or hospital/practice number
- Date of death

5.2 Sensitive Personal Data
Certain categories of information are classified as sensitive personal data, and additional safeguards are necessary when sharing or disclosing this information, in line with guidance and legislation. This includes (but is not limited to):
- Physical and mental health
- Social care
- Ethnicity and race
- Sexuality
- Financial information
- Trade union membership
- Political affiliations
- Religion
- Records relating to criminal charges and offences

5.3 Corporate Information
All categories of corporate information should be regarded as confidential in the first instance, although they may be releasable through procedures such as the Freedom of Information Act or the Publication Scheme. This includes (but is not limited to):
- Board and meeting papers and minutes
- Tendering and contracting information
- Financial information
- Project and planning information

6 CONFIDENTIALITY CODES OF PRACTICE, GUIDANCE AND LEGISLATION

Information will be defined and, where appropriate, kept confidential, underpinning the Caldicott principles, Health and Social Care Information Centre guidance, professional Codes of Practice and legislation.

6.1 Data Protection Act 1998 - Data Protection Principles
All information and data which can identify a person, held in any format (visual / verbal / paper / electronic / digital / microfilm / etc.), is safeguarded by the Act, which is underpinned by eight principles:
1. Personal data shall be processed fairly and lawfully.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under the Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

6.2 Human Rights Act 1998
Article 8 of the Human Rights Act 1998 established a right to respect for private and family life, home and correspondence. This reinforces the duty to protect the privacy of individuals and to preserve the confidentiality of their health and social care records. There should be no interference with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

6.3 Common Law Duty of Confidentiality
This duty is derived from case law and a series of court judgements based on the key principle that information given or obtained in confidence should not be used or disclosed further except as originally understood or with subsequent consent. In some instances judgements have been given which recognise a public interest in disclosure, but these are decided on a case by case basis. United Kingdom courts rely extensively on this duty of confidentiality, coupled with the Human Rights Act 1998, in making decisions on breaches of confidence.

6.4 Caldicott Principles
Dame Fiona Caldicott produced a report in 1997 on the use of patient information which resulted in the establishment of Caldicott Guardians across the NHS structure. She was asked to conduct a further review and a new report, 'Information: to share or not to share', was published in March 2013.
The recommendations of this report have been largely accepted by the government and a revised set of Caldicott Principles has been published:

1. Justify the purpose(s)
Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed by an appropriate guardian.

2. Don't use personal confidential data unless it is absolutely necessary
Personal confidential data items should not be included unless they are essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).

3. Use the minimum necessary personal confidential data
Where use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified, so that the minimum amount of personal confidential data is transferred or accessible as is necessary for a given function to be carried out.

4. Access to personal confidential data should be on a strict need-to-know basis
Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the data items that they need to see. This may mean introducing access controls or splitting data flows where one data flow is used for several purposes.

5. Everyone with access to personal confidential data should be aware of their responsibilities
Action should be taken to ensure that those handling personal confidential data, both clinical and non-clinical staff, are made fully aware of their responsibilities and obligations to respect patient confidentiality.

6. Understand and comply with the law
Every use of personal confidential data must be lawful. Someone in each organisation handling personal confidential data should be responsible for ensuring that the organisation complies with legal requirements.

7. The duty to share information can be as important as the duty to protect patient confidentiality
Health and social care professionals should have the confidence to share information in the best interests of their patients within the frameworks set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

The Caldicott Guardian also has a strategic and operational role, which involves representing and championing confidentiality and information sharing requirements and issues at senior management level and, where appropriate, at a range of levels within the organisation's overall governance framework. A detailed description of the Caldicott function is given in the Information Governance Framework.

6.5 Health and Social Care Information Centre (HSCIC) Guidance
The HSCIC was established in April 2013 and will be responsible for facilitating the management and sharing of data across the re-configured NHS to support both operational functions and other functions such as planning, research and assessments. In September 2013 the HSCIC produced a Code of Practice, 'A Guide to Confidentiality in Health and Social Care', which sets out five rules:
1. Confidential information about service users or patients should be treated confidentially and respectfully.
2. Members of a care team should share confidential information when it is needed for the safe and effective care of individuals.
3. Information that is shared for the benefit of the community should be anonymised.
4. An individual's right to object to the sharing of confidential information about them should be respected.
5. Organisations should put policies, procedures and systems in place to ensure the confidentiality rules are followed.
6.6 The NHS and Social Care Record Guarantees for England
The NHS and Social Care Record Guarantees for England set out the rules that govern how individual care information is used in the NHS and in social care, and what control the individual can have over this. Individuals' rights regarding the sharing of their personal information are supported by the Care Record Guarantees, which set out high-level commitments for protecting and safeguarding service user information, particularly with regard to:
- individuals' rights of access to their own information
- how information will be shared (both within and outside of the organisation)
- how decisions on sharing information will be made

6.7 Other legislation and guidance
In addition to the main legal obligations and guidance, there is a wide range of Acts and Regulations which govern the sharing of very specific types of data in areas such as:
- Safeguarding children
- Sexually transmitted diseases
- Terminations and assisted conception
- Registration of births and deaths
- Criminal investigations
- Terrorism
- Communicable diseases
This is not an exhaustive list and further guidance can be obtained from your organisation's Caldicott Guardian, Senior Information Risk Owner (SIRO) or the Information Governance Support Team.

Section 251 of the NHS Act 2006 allows the common law duty of confidentiality to be set aside by the Secretary of State for Health in specific circumstances where anonymised information is not sufficient and where patient consent is not practicable.

All staff are bound by the codes of conduct produced by any professional regulatory body, by the policies and procedures of the organisation and by the terms of their employment contract.

The Department of Health Records Management Code of Practice sets out guidance for the creation, processing, sharing, storage, retention and destruction of records.
7 PROCEDURE

7.1 General principles
The CCG regards all identifiable personal information relating to patients as confidential, and compliance with the legal and regulatory framework will be achieved, monitored and maintained.

The CCG regards all identifiable personal information relating to staff as confidential, except where national policy on accountability and openness requires otherwise.

The CCG will establish and maintain policies and procedures to ensure compliance with the Data Protection Act, the Human Rights Act, the common law duty of confidentiality, the Freedom of Information Act, the Environmental Information Regulations and other related legislation and guidance.

The awareness and understanding of all staff with regard to their responsibilities will be routinely assessed, and appropriate training and awareness provided.

Risk assessment, in conjunction with the overall priority planning of organisational activity, will be undertaken to determine that appropriate, effective and affordable confidentiality and data protection controls are in place.

7.2 Using and Disclosing Confidential Patient Information for Direct Healthcare
Consent to disclose can usually be taken to be implied when the information sharing is needed for direct healthcare, but patients should still be informed about:
- The use and disclosure of their healthcare information and records
- The choices that they have, and the implications of choosing to limit how information may be used or shared
- The breadth of the sharing necessary when care is to be provided by partner agencies and organisations
- The potential use of their records for the clinical governance and audit of the care they have received

7.3 Using and Disclosing Confidential Staff Information
Consent to disclose can usually be taken to be implied when the information sharing is needed for direct communications related to their role, salary payment and pension arrangements.
Staff should be made aware that disclosures may need to be made for legal reasons, to professional regulatory bodies and in response to certain categories of Freedom of Information request where the public interest in disclosure is deemed to override confidentiality considerations.

7.4 Using and Disclosing Corporate and Business Information
All staff should consider all information which they come into contact with through the course of their work as confidential, and it should only be disclosed, when appropriate, through the proper processes.

7.5 Protecting Information
Good practice principles when working with confidential information:
- Staff must comply with all appropriate legislation and guidance
- Discussions and consultations on confidential matters should take place where they cannot be overheard
- Confidential information should never be left open on a desk
- Confidential information not in use should be locked away securely
- Storage systems should be secure
- All information held should be recorded on an asset register
- Staff are personally responsible for ensuring the safe processing of information
- Access to confidential information should be limited to the minimum necessary
- Consent to share should be recorded and the sharing limited to that which was agreed
- When sharing information with internal colleagues, use sealed envelopes marked confidential
- Do not take confidential paper information outside of the workplace except in line with an agreed protocol or procedure
- Comply with the organisation's procedures for disposal of confidential electronic or paper information
- Comply with the organisation's policies and procedures on all aspects of information security, and seek advice if you are unsure
- Do not discuss work matters in public places or on social occasions
- Work related information or images should not be uploaded to social media sites
- Do not give out confidential information over the phone

Additional guidance when working with electronic equipment:
- Ensure you have read and understood the organisation's information security policies and procedures
- Computer screens should be locked whenever you are away from your device
- Log off when you have finished using a computer
- Always remove a smart card when you are away from your desk, even for a few minutes
- Restrict access to confidential information which is stored on the server
- All portable media equipment must be encrypted, including memory sticks
- Downloading confidential information to a non-NHS portable device is forbidden
- Do not retain confidential information unless it is necessary
- Seek advice on fully deleting computer data if you are unsure
- Follow password guidance and change passwords regularly
- NEVER share a password or smart card with anyone, or accept an instruction to do so
- Electronic equipment can only be disposed of through the IT service provider
- Do not leave portable devices unattended where they can be seen, e.g. in a car
- Keep back-up tapes, memory sticks etc. separate from your mobile device
- All mobile devices must be password protected and encrypted
- Mobile storage devices can only be used in line with agreed local procedures
- Information should only be kept on mobile devices for short term operational reasons, and should be backed up to a server regularly

7.6 Sharing Confidential Information without Consent
It may sometimes be necessary to share confidential information without consent, or where the individual has explicitly refused consent.
There must be a legal basis for doing so, or a court order must be in place. In such cases:
- Discuss the request with the Caldicott Guardian and/or the SIRO
- Disclose only that information which is necessary or prescribed by law
- Ensure the recipient is aware that they owe a duty of confidentiality in respect of the information
- Document and justify the decision to release the information
- Take advice in relation to any concerns you may have about risks of significant harm if information is not disclosed
- Take heed of the additional 2013 Caldicott guidance: the duty to share information can be as important as the duty to protect patient confidentiality

7.7 Transferring Information
All paper transfers of confidential information must be secure:
- If your department needs to routinely transfer confidential information internally or externally, ensure that there is an agreed protocol for such transfers
- Only use sealed envelopes for confidential information
- Fully address envelopes and mark them private and confidential, regardless of how they are to be transferred
- Large or particularly sensitive files should be double enveloped and sent by recorded delivery, hand delivered, or sent by courier
- Consider using a PO Box return address to protect confidentiality
- Follow up transfers of sensitive confidential information to check receipt
- Confidential information being transported by car should be kept out of sight and should not be left in a car overnight
- Special consideration is needed for transfer of information outside the European Economic Area

All electronic transfers of confidential information must be secure:
- Follow all information security and technology guidance, policies and procedures
- Take advice from the Information Governance Support Team or the SIRO
- E-mails: users must follow guidance on transmitting confidential information
- Staff should only use approved NHS e-mail accounts, and confidential patient and staff information may only be transferred using NHSmail
- Staff should not send confidential information to a personal e-mail address
- Do not forward e-mails containing offensive information; contact the IT Service Desk
- Staff should not download or transfer large amounts of confidential data without the involvement of the Information Technology teams and the consent of the SIRO
- Faxes should only be used where this is the most secure method available, and a cover sheet should be used at all times giving the names and contact details of sender and recipient
- Check fax numbers regularly, programme them in where possible, send a test fax before sending confidential information and ring to check receipt of the test
- Ensure the fax will be received in a safe haven, or that a named individual is there to collect it immediately
- Do not leave confidential faxes unattended if there is a delay in transmission

7.8 Records Management
The CCG has a Records Management Policy which should be followed for all aspects of record creation, sharing, storage, retention and destruction.

7.9 Access to Records
Individuals have a right to request access to their records in line with the Data Protection Act.
All staff should familiarise themselves with the CCG's Access to Records Procedure, which should be followed for all requests for personal data. This procedure also gives guidance in relation to requests for the records of deceased persons under the Access to Health Records Act 1990 and for dealing with requests for information from the police.

Access to corporate information and records will be in accordance with the CCG's Freedom of Information and Environmental Information Regulations Policy.

7.10 Information Sharing
The organisation will ensure that information sharing takes place within a structured and documented process, in line with the Information Commissioner's Code of Conduct and the additional safeguards introduced by the Health and Social Care Act 2012.

7.11 Information Confidentiality Breaches
All actual, potential or suspected incidents involving breaches of confidentiality must be reported via the CCG's Incident Management Policy. All incidents involving patient data should be reported to the Caldicott Guardian. The SIRO should consider whether serious breaches of confidentiality, or those involving large numbers of individuals, need to be reported to the Information Commissioner via the Information Governance Toolkit.

7.12 Privacy Impact Assessment
All new projects, processes and systems (including software and hardware) which are introduced must meet confidentiality and data protection requirements. To enable the organisation to address privacy concerns and risks, a technique referred to as a Privacy Impact Assessment (PIA) must be used. A PIA will:
- Identify privacy risks to individuals
- Protect the CCG's reputation
- Ensure person identifiable data is being processed safely
- Foresee problems and negotiate solutions

8 TRAINING & GUIDANCE

8.1 Mandatory Training
The Information Governance Toolkit requires that all staff undergo Information Governance training annually.
All staff will receive Information Governance training via the CCG's Statutory and Mandatory Training Programme. Training will be delivered through the HSCIC Information Governance Training Tool and managed on behalf of the CCG by the Learning and Development Team at West and South Yorkshire and Bassetlaw Commissioning Support Unit (WSYBCSU). Additional training may be sourced or provided by the organisation or WSYBCSU for specialist areas such as data protection.

9 IMPLEMENTATION AND DISSEMINATION

Following ratification by the Audit Committee, this policy will be disseminated to staff via the CCG's intranet and through in-house staff briefings. This policy will be reviewed every year, or in line with changes to relevant legislation or national guidance.

10 MONITORING COMPLIANCE AND EFFECTIVENESS OF THE POLICY

An assessment of compliance with the requirements of the Information Governance Toolkit (IGT), which include confidentiality and data protection, will be undertaken each year. Incidents are reported, and all serious information governance issues must be reported by the SIRO at Governing Body level and in Annual Reports.

11 REFERENCES

Freedom of Information Act 2000
Data Protection Act 1998
Human Rights Act 1998
Common Law Duty of Confidence
Health and Social Care Act 2012
NHS Act 2006

12 ASSOCIATED DOCUMENTS (Policies, protocols and procedures)

The CCG has adopted a number of policies from NHS Calderdale PCT.
These policies are being reviewed and updated through a rolling programme to take the CCG arrangements into account and support the Information Governance agenda:
- Operational Policy for Information Governance
- Information Sharing Protocol
- Information Security Policy
- Record Management Policy & Strategy
- Access to Records Procedure
- Risk Management Policy
- Incident Reporting Procedures
- Freedom of Information and Environmental Information Regulations Policy
- System Level Security Policies
- Network Security Policy
- Acceptable Use Policy
- Privacy Impact Assessment

Appendix 1 Privacy Impact Assessment

Privacy Impact Assessment: Data Protection and Confidentiality Compliance in Changes to Business Processes, New or Upgraded Information Systems Procedure

Version Control Sheet

Document Title: Privacy Impact Assessment: Data Protection and Confidentiality Compliance in Changes to Business Processes, New or Upgraded Information Systems
Version: 1.0

The table below logs the history of the steps in development of the document.

Version 0.1, March 2010, Senior Confidentiality IM & T Security Officer, Draft
Version 1.0, March 2010, Senior Confidentiality IM & T Security Officer, Final: Approved by Information Governance Group
Version 2.0, Dec 2013, Associate IG Specialist, Review: Amendments made to reflect CCG arrangements

Contents

1 Introduction
2 Aims and Objectives
3 Scope
4 Accountability
5 Definition of Terms
6 Procedure
7 Equality Impact Assessment
8 Implementation and dissemination
9 Monitoring and compliance
10 Associated Documents
Appendix A Process Flow Chart
Appendix B Questionnaire: Privacy Impact Assessment

1. Introduction
1.1 The introduction of new internal business processes (facilitated by information systems) and new or upgraded information systems could potentially result in the Clinical Commissioning Group (CCG) breaching the principles of the Data Protection Act 1998 and other associated legislation.

1.2 It is essential that any systems (or new business processes) which hold and use person identifiable information (patient or staff information) are tested for data protection and confidentiality compliance before they are procured or implemented. Where necessary, a small scale or a full scale Privacy Impact Assessment may then be recommended (in line with the Information Commissioner’s Privacy Impact Assessment Handbook).

2. Aims and Objectives

2.1 Data Protection and Confidentiality assessment is most effective when started at an early stage of a project, when:

- The project is being designed
- You know what you want to do
- You know how you want to do it, and
- You know who else is involved.

2.2 Ideally it should be started before:

- Decisions are set in stone
- You have procured systems
- You have signed contracts/Memoranda of Understanding/agreements, and
- While you can still change your mind!

2.3 It is vitally important that all proposed changes to the CCG’s IT systems and processes are able to maintain the confidentiality, integrity and accessibility of information.

2.4 This document details the actions to be taken before departments, areas or functions implement changes to internal business processes or procure new/upgraded information systems.
2.5 The attached compliance questionnaire will assist you in considering whether a new/upgraded information system or process will:

- Allow personal information to be checked for relevancy, accuracy and validity
- Enable the integrity of personal information to be maintained
- Incorporate a procedure to ensure that personal information is disposed of through archiving or destruction when it is no longer required
- Have adequate levels of security to ensure that personal information is protected from unlawful or unauthorised access and from accidental loss, destruction or damage
- Enable the timely location and retrieval of personal information to meet subject access requests
- Transfer personal data outside the European Economic Area (EEA)

3. Scope

3.1 This procedure applies to all staff who work for the CCG (including those on temporary or honorary contracts, secondments, pool staff and students and WSYBCSU staff working for/on behalf of the CCG). It also applies to relevant people who support and use these systems.

3.2 This procedure is applicable to all areas of the CCG and adherence should be included in all contracts for outsourced or shared services. There are no exclusions.

4 Accountability

4.1 Chief Officer
The Chief Officer is responsible for ensuring that the necessary support and resources are available for the effective implementation of this procedure.

4.2 The Audit Committee
The Audit Committee is responsible for the review and approval of this procedure.

4.3 Chief Finance Officer
The Chief Finance Officer has organisational responsibility for all aspects of Information Governance, including the responsibility for ensuring that the CCG has appropriate systems and policies in place to maintain the security and integrity of the CCG’s systems.
4.4 Heads of Service
Heads of Service are responsible for ensuring that they and their staff are adequately trained, and are familiar with the content of this procedure.

4.5 Information Governance Lead
The Corporate and Governance Manager (supported by the IG Team from West and South Yorkshire and Bassetlaw Commissioning Support Unit (WSYBCSU)) is responsible for providing advice and support. They are also responsible for reviewing this procedure and ensuring it is updated in line with any changes to national guidance or local policy.

5. Definition of terms

The words used in this policy are used in their ordinary sense and technical terms have been avoided wherever possible.

6. Procedure

6.1 There are five steps to ensuring that data protection and confidentiality issues have been properly considered and managed prior to procurement and implementation of changes to internal business processes and information systems. The five steps are detailed below and also set out in the flow chart at Appendix 1:

6.2 Step 1 – Project Initiation
Managers and/or members of staff leading changes to business processes and the procurement of new or upgraded information systems must initially complete the questionnaire: Privacy Impact Assessment Document (Appendix 2), to initiate an assessment of data protection and confidentiality compliance. The need for consultation must be communicated to all staff members who are involved in the procurement of any changes to systems and in the process design. The completed questionnaire should be submitted to your IM&T Project Lead or assigned WSYBCSU IG Lead for the CCG.

6.3 Step 2 – Review of Completed Questionnaire
The IG Team at WSYBCSU will consult with you in respect of the answers given on the questionnaire and help to identify any areas of risk.

6.4 Step 3 – Risk Assessment
Any identified risks should be formally assessed and a risk treatment plan put in place to reduce the risk.
Risks should be logged on the risk register. It is the responsibility of the Project/Change Initiation lead to ensure risks are assessed, treatment plans put in place and entries made on the risk register.

6.5 Step 4 – Agreement to Proceed
Sign-off is obtained via the CCG’s Senior Information Risk Owner/Caldicott Guardian to show that the CCG is satisfied that all data protection and confidentiality issues have been resolved, or that the actions needed to reduce an identified risk have been outlined via the CCG’s risk assessment process. Where a Business Case/Project Initiation Document is to be put together at the outset of the project, ensure this includes details of all risks identified and details of the steps taken to mitigate those risks.

6.6 Step 5 – Post Implementation Risk Assessment
The Project/Change Initiation lead for the new business process or information system should ensure that, following implementation, a post implementation data protection and confidentiality risk assessment is undertaken to ensure that there are no new risks. It is expected this would be conducted as part of the overall evaluation of the project. All completed questionnaires will be filed as evidence that data protection and confidentiality compliance checks have been undertaken in accordance with requirement 237 of the Information Governance Toolkit.

6.7 Flow Chart Procedure
See Appendix 1 for the flow chart procedure.

7 Implementation and dissemination

Following approval by the Audit Committee this procedure will be disseminated to staff via the CCG’s intranet and internal communication mechanisms. This procedure will be reviewed every two years or in line with changes to relevant legislation or national guidance.

8 Monitoring compliance with and the effectiveness of the policy

An assessment of compliance with requirements, within the Information Governance Toolkit (IGT), will be undertaken each year.
Annual reports and the proposed work programme will be presented to the Audit Committee for approval.

9. Associated Documents

- Disciplinary Procedure
- Confidentiality and Data Protection Policy
- Information Security Policy
- Information Governance Policy
- Risk Management Policy

Appendix A

Data Protection and Confidentiality Compliance in Changes to: Business Processes, New or Upgraded Software – 5 step process for Ensuring Compliance

[Process flow chart. The chart shows: Step 1 – Project Initiation (need for change or purchase of new system identified; if a business case is needed, complete it with risks fully identified and send it with the questionnaire; complete the questionnaire; consult and communicate with all staff involved; send the completed questionnaire to the IM&T Security Officer (IMTSO)). Step 2 – Review of Completed Questionnaire (the IM&T Security Officer will contact you to agree areas of risk, ask any further questions and clarify your answers where necessary). Step 3 – Risk Assessment (risk assessed; risk treatment plan put in place to reduce risk; risks logged on the department’s risk register; copy of the written risk treatment plan forwarded to the IMTSO). Step 4 – Agreement to Proceed (Data Protection Lead/Caldicott sign off plans). Step 5 – Post Implementation Risk Assessment.]

Appendix B Privacy Impact Assessment Questionnaire

This document must be completed for any new service, or change in service, which intends to use personal identifiable information. It must be completed as soon as the new service or change is identified by the Project Manager, System Manager or Information Asset Owner. This process is a mandated requirement on the Information Governance Toolkit to ensure that privacy concerns have been considered and actioned to ensure the security and confidentiality of the personal identifiable information.

There are 2 types of Privacy Impact Assessments – a small scale and a full scale. This questionnaire is based on the Small Scale PIA. Following completion of this questionnaire, it may be necessary to conduct a Full Scale PIA. Full details are available in the Information Commissioner’s handbook.

Privacy law compliance checks and Data Protection Act compliance checks are part of the PIA process – the questions to assess this are included in this form. Please complete all questions with as much detail as possible; this should form part of the project documentation.

If you need help or guidance please contact the Information Governance Team on 01274 237431 or email infogov@wsybcsu.nhs.uk. Further guidance on specific items can be found on the Information Commissioner’s website www.ico.gov.uk

Section A: New/Change of System/Project General Details

Project Name:
Objective:
Background: Why is the new system / change in system required?
Proposed Benefits:
Issues which may stop benefits being achieved:
Relationships: (for example, with other Trusts or organisations)
Related Projects:

Project Manager:
Name:
Job Title:
Telephone:
Email:

Information Asset Owner: (All systems/assets must have an Information Asset Owner (IAO). IAOs are normally the Heads of Departments and report to the SIRO.)
Name:
Job Title:
Telephone:
Email:

Customers and stakeholders:

Section B: Privacy Impact Assessment Key Questions

Each question is followed by its response options as they appear on the form.

1. Will the system/project/process (The Asset) contain Personal Identifiable Data or Sensitive Data? If answered ‘No’ you do not need to complete any further information as a PIA is not required.
Response: Yes / No. Patient / Staff / Other (specify)

2. Please state the purpose for the collection of the data: for example, patient treatment, health administration, research, audit, staff administration.
Response:

3. Does the asset involve new technologies which could impact privacy? E.g. tracking, data aggregation.
Response: Yes / No. If yes, please give details:

4. Please tick the data items that are held in the system.
Personal: Name, Address, Post Code, Date of Birth, GP, Consultant, Next of Kin, Hospital (District) No., Sex, NHS Number, National Insurance Number, Treatment Dates
Sensitive: Sex, Diagnosis, Religion, Occupation, Ethnic Origin, Medical History, Clinic, Other (please state here):

5. Will the asset collect new personal data items which have not been collected before?
Response: Yes / No

6. Have checks been made regarding the adequacy, relevance and not excessive collection of personal and/or sensitive data for this asset?
Response: Yes / No. Detail:

7. Does the asset involve new or changed data collection processes that may be unclear or intrusive?
Response: Yes / No

8. Is the third party contract/supplier of the system registered with the Information Commissioner? What is their notification number?
Response: Yes / No. Data Protection Act Notification Number:

9. Do the third party/supplier contracts contain all the necessary Information Governance clauses including information about Data Protection and Freedom of Information?
Response: Yes / No

10. Who provides the information for the asset?
Response: Patient / Staff / Others – Please specify e.g. Interfaces from PAS

11. Are you relying on individuals (patients/staff) to provide consent for the processing of personal identifiable or sensitive data?
Response: Yes / No. If no, what is your legal basis for processing the information?

12. Have the individuals been informed of and have given their consent to all the processing and disclosures?
Response: Yes (explicit) / Yes (implicit in leaflets, on website) / No

13. How will the information be kept up to date and checked for accuracy and completeness?
Response:

14. Who will have access to the information?
Response:

15. Is there a useable audit trail in place for the asset, for example to identify who has accessed a record?
Response: Yes / No

16. Have you assessed that the processing of personal/sensitive data will not cause any unwarranted damage or distress to the individuals concerned? What assessment has been carried out?
Response:

17. What procedures are in place for the rectifying/blocking of data?
Response:

18. Does the asset involve new or changed access or information sharing procedures?
Response: Yes / No

19. What are the retention periods (what is the minimum timescale) for this data? (please refer to the Records Management: NHS Code of Practice)
Response:

20. How will the data be destroyed when it is no longer required?
Response:

21. Will the information be shared with any other establishments/organisations/Trusts?
Response: Yes / No. If yes, please list: Is an information sharing agreement in place with each establishment? Yes / No

22. Are there any new links to other data collections elsewhere?
Response: Yes / No

23. Where will the information be kept/stored/accessed? (Please Detail)
Response:

24. Will any information be sent off site? If ‘Yes’, where is this information being sent?
Response: Yes / No

25. Please state by which method the information will be transported.
Response: Fax / Via NHS Mail / Website / By hand / Email / Via courier / Via post – internal / Via telephone / Via post – external / Other – please state below:

26. Are you transferring any personal and/or sensitive data to a country outside the European Economic Area (EEA)? If yes, where?
Response: Yes / No

27. Are measures in place to mitigate risks and ensure an adequate level of security when the data is transferred to this country?
Response: Yes / Not applicable / No

28. Have the security requirements been documented?
Response: Yes / No

29. Has an information risk assessment been carried out and reported to the Information Asset Owner (IAO)? Where any risks were highlighted, please provide details and how these will be mitigated.
Response: Yes / No

30. Have the requirements for disaster recovery and business continuity been considered? Check against the data flow mapping spreadsheet.
Response: Yes / No

Evaluation

31. Is the PIA approved by the IAO or appropriate person? (see page 2) If not, please state the reasons why and the action plan put in place to ensure the PIA can be approved.
Response: Yes / No

Please review all of your answers. If you have concerns that personal privacy may be impacted, contact the Information Governance Team, who will advise and if necessary seek approval from the Senior Information Risk Owner (SIRO) and the Caldicott Guardian (CG). The Information Governance Team can be contacted on 01274 237431 or by email at infogov@wsybcsu.nhs.uk