CONFIDENTIALITY CODE OF CONDUCT
Version 8.1

Name of responsible (ratifying) committee: Information Governance Steering Group
Date ratified: 14 January 2015
Document Manager (job title): Information Governance Manager
Date issued: 09 February 2016
Review date: 31 January 2017
Electronic location: Management Policies
Related Procedural Documents: ICT Security Policy, Safe Haven Policy, E-mail Policy, Data Protection Policy, Imaging Consent and Confidentiality Policy, Information Governance Policy, Records Retention and Disposal Policy, Health Records Management Policy
Key Words (to aid with searching): Confidentiality, Privacy, Information Security, Data Protection, Encryption, Health Records, Record Management, Consent, Caldicott

Version Tracking

Version | Date Ratified | Brief Summary of Changes | Author
8.0 | 12 Nov. 2014 | Addition of definition of Personal Confidential Data (section 4); addition of new seventh Caldicott Principle (6.1); change to training requirements and process (7); change to policy compliance monitoring (9); change to expectations around sending confidential information by fax (10 – Appendix 1) | Information Governance Manager
8.1 | 04 February 2016 (Chair’s Action) | Include new references to legal requirements of the Gender Recognition Act related to confidentiality and disclosures of information. | Information Governance Manager

Title of Policy: Confidentiality Code of Conduct
Issue Number: 8.1
Issue Date: 09 February 2016
Review date: 31 January 2017 (unless requirements change)
Page 1 of 13

CONTENTS

QUICK REFERENCE GUIDE 3
1. INTRODUCTION 4
2. PURPOSE 4
3. SCOPE 4
4. DEFINITIONS 5
5. DUTIES AND RESPONSIBILITIES 5
6. PROCESS 6
6.1. Principles and Legislation 6
6.2. Consent to disclosure and use of confidential / personal information 7
6.3. Secure Practices 8
6.4. Disclosures 9
6.5. Possible sanctions for breach of confidentiality or data loss 10
6.6. Reporting breaches 11
7. TRAINING REQUIREMENTS 11
8. REFERENCES AND ASSOCIATED DOCUMENTATION 11
9. EQUALITY IMPACT STATEMENT 12
10. MONITORING COMPLIANCE WITH PROCEDURAL DOCUMENTS 13
QUICK REFERENCE GUIDE

This policy must be followed in full when developing or reviewing and amending Trust procedural documents. For quick reference the guide below is a summary of actions required. This does not negate the need for the document author and others involved in the process to be aware of and follow the detail of this policy.

1. All staff are responsible for the appropriate handling and use of confidential information, whether this is on-site, or on occasions when information is taken off-site, accessed from home etc.
2. Unauthorised disclosure of confidential information is an offence under law.
3. Suspected or known breaches of confidentiality should be reported through the Trust’s incident reporting system.
4. Patients should be made aware that the information they give may be recorded and shared, and for which purposes. Patient consent should be sought if their personal information is intended to be used for reasons other than direct patient care. You should be able to answer any queries about how information will be used, or be able to direct the query to someone who can.
5. Individuals have the right to object to the disclosure of their personal information. You should be able to explain the implications of disclosing or not disclosing information so that valid choices can be made.
6. Access to confidential information should be restricted to a “need to know” basis.
7. There is a range of ways to ensure information is securely stored and disposed of – e.g. workstations, faxes, postal methods – ensure you are familiar with those that apply to you.
8. Certain disclosures, e.g. to the Police, may only be undertaken without patient consent in specific circumstances. Do not feel obliged to disclose information if it is not part of your job.
9. If you are required to disclose information, be aware of the Caldicott Principles so that only the minimum necessary information is sent, and only to the minimum necessary recipients.
10. Only duplicate confidential information when absolutely necessary and destroy appropriately once it has served its purpose.

1. INTRODUCTION

As a member of our staff, you have the responsibility for ensuring that you use and handle confidential or personal patient or staff identifiable information in a secure and confidential way. The majority of staff will have access to information relating to individuals (other members of staff, patients, relatives, etc.). The Trust has a responsibility to ensure, so far as is reasonably practicable, that the privacy of all individuals is protected and the confidentiality of their records is preserved.

2. PURPOSE

The purpose of this code of conduct is to inform you of the importance of maintaining the confidentiality of personal information, and of your personal responsibility associated with this aspect of your work within the Trust. It is important to note that where facilities to maintain the confidentiality and security of personal information have not been provided, this should be brought to the attention of your line manager.

This document also aims to help ensure that you use sensitive information effectively, whilst at all times maintaining appropriate levels of confidentiality.

You should be aware that any breaches of security, or infringements of confidentiality, would be taken very seriously by the Trust. You should also be aware that certain such instances may amount to gross misconduct, the ultimate sanction for which is summary dismissal from employment. In addition, unauthorised disclosure of confidential or personal information is an offence under the law and could lead to prosecution of individual members of staff and / or the Trust.

This Code of Conduct complements the information and instructions contained within the Information Security Policy, which is issued by the ICT Department (and is available to view through Trust Management Policies), and which remains the authoritative document relating to all aspects of Trust-wide information security. The Information Security Policy describes the responsibilities for information security for all staff in the Trust, and provides an implementation plan to ensure adequate compliance, audit and review.

The Confidentiality: NHS Code of Practice (2003) underpins this document.

3. SCOPE

This policy applies to all aspects of patient or staff personal information within the Trust and all aspects of processing, using, or sharing of personal information (verbal, telephone, e-mail, post, fax). This policy applies to all Trust employees and any other individual conducting business on behalf of the Trust.

‘In the event of an infection outbreak, flu pandemic or major incident, the Trust recognises that it may not be possible to adhere to all aspects of this document. In such circumstances, staff should take advice from their manager and all possible action must be taken to maintain ongoing patient and staff safety’

4. DEFINITIONS

Personal Data: Information that relates to a living individual who can be identified from this information, or from other information which is in the possession of the data controller (the Trust).

Sensitive Personal Data: Personal information about: race or ethnicity, political opinions, religious or similar beliefs, trade union membership, physical or mental condition, sexual preferences, commission or alleged commission of offences or a legal proceeding.

Person Identifiable Data (PID): Any information that contains the means to identify a person, e.g. name, address, post code, date of birth, NHS Number, National Insurance Number etc.

Personal Confidential Data (PCD): A new term used in the 2013 Caldicott Information Governance Review, which describes personal information about identified or identifiable individuals and which should be kept private or secret, and includes dead as well as living people. This term may come to widely replace the acronym PID (for Person Identifiable Data) that has been in use in the NHS since 2008.

Data Subject: The person to whom the information relates.

5. DUTIES AND RESPONSIBILITIES

The Caldicott Guardian (Medical Director) is responsible for protecting the confidentiality of service-user information and enabling appropriate information sharing.

The Senior Information Risk Officer (Company Secretary) takes overall ownership of the Trust’s information risk programme, is responsible for implementing and leading the NHS Information Governance risk assessment and management process, and advises the Board on the effectiveness of information risk management across the Trust.

The Chief Executive is ultimately responsible for the Trust’s compliance with the Data Protection Act and associated legislation regarding the confidentiality of Personal Data.

The Information Governance Manager has responsibility to ensure that the Trust complies with Information Governance requirements, including confidentiality and data protection.

Line Managers are responsible for ensuring effective systems are in place to avoid breaches of security with regard to personal information. Specific guidance can be sought from the Trust ICT Security Specialist.

The Data Protection Officer, who for Portsmouth Hospitals Trust is the Information Governance Manager, is responsible for the notification to the Information Commissioner of the use of personal information and its purposes, and for ensuring there is a suitable network of Information Asset Owners through which to provide localised guidance and expertise.

You are personally responsible for:

- ensuring that personal data is kept secure and confidential at all times, including those occasions when it is necessary to remove it from the site, or when you work from home, etc.;
- ensuring that any information recorded is accurate, relevant and not excessive;
- ensuring your password is confidential and only ever known / used by yourself; and
- reporting any incident that could possibly relate to a breach of confidentiality, e.g. loss, theft or corruption of information, a network security breach, password misuse, etc. through the Trust’s incident reporting system.

6. PROCESS

6.1. Principles and Legislation

The principles relating to security and confidentiality apply to all Personal Information, which is any information relating to any living individual who can be identified, such as patients, health care professionals, other staff, suppliers, contractors etc.
Such person-identifiable information may be manually-held or automated, and so includes (but is not limited to), for example:

- all patient information including medical records;
- personnel records, which include those held by line managers and those held centrally by the HR department;
- CCTV videos and other audio/visual recordings;
- photographs, x-rays and other images; and
- computer disks, tapes, CD-ROMs and other electronic media.

The access and use of all such personal information is governed by the Common Law Duty of Confidentiality, the Data Protection Act 1998, the NHS Code of Confidentiality 2003, the Computer Misuse Act 1990 and the Caldicott Principles. The Access to Health Records Act 1990 was largely superseded by the Data Protection Act 1998, but still applies to the records of deceased persons. Article 8 of the European Convention of Human Rights (the Human Rights Act in UK law) may also be relevant.

The Common Law Duty of Confidentiality requires that information that has been provided in confidence may be disclosed only for those purposes about which the subject has been informed and has consented to, unless there is a statutory or court order requirement to do otherwise.

The eight principles of the Data Protection Act 1998 (DPA) apply to all staff handling personal information (no matter in what particular format this is held). These principles are as follows:

1. Personal information (data) shall be processed fairly and lawfully and shall not be processed unless certain conditions are met.
2. Personal data shall be obtained for one or more specific purpose(s) and shall not be processed in any manner incompatible with that/those purpose(s).
3. Personal data shall be adequate, relevant and not excessive for the purpose(s).
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose(s) shall not be kept for longer than is absolutely necessary.
6. Personal data shall be processed in accordance with the rights of data subjects under the DPA.
7. Appropriate technical and organisational measures shall be taken to ensure only authorised and lawful processing of personal data is undertaken and to ensure personal data is not lost, destroyed, or damaged.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area (EEA), unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

The seven Caldicott Principles, applying to the handling of patient-identifiable information, are as follows:

Principle 1: You must be able to justify the purpose(s) of every proposed use or transfer.
Principle 2: You must only use patient-identifiable information when absolutely necessary.
Principle 3: You must use the minimum information that is required.
Principle 4: Access to information must be on a strict need-to-know basis.
Principle 5: Everyone who has access to information must understand their responsibilities.
Principle 6: The law must be understood and complied with.
Principle 7: Good information sharing can be as important as good privacy.

The NHS and Social Care Record Guarantees for England

Individuals’ rights regarding the sharing of their personal information are supported by the Care Record Guarantees, which set out high-level commitments for protecting and safeguarding service user information, particularly in regard to:

- individuals’ rights of access to their own information;
- how information will be shared (both within and outside of the organisation); and
- how decisions on sharing information will be made.

6.2. Consent to disclosure and use of confidential / personal information

Patients and staff have the right to object to the use and disclosure of confidential / personal information and need to be made aware of this right. You must also seek consent from patients should their information be required to be used for purposes other than direct patient care, or other than for the purpose for which it was originally obtained.

You must therefore ensure that patients and staff are aware that the information they give may be recorded, and shared, and for which purposes. You should also check that information about the choices available in respect of how information may be used or shared is given and that they have no concerns or queries about this.

You should be able to answer any queries about use of information or be able to direct the query to someone who can. In addition you should be able to explain the implications of disclosing or not disclosing information so that valid choices can be made. Care must be taken to ensure that information is provided in a suitable format or language that is accessible.

Patients have a right to object to the disclosure of confidential / personal information, even if it is to a provider of essential healthcare. Where the patient is competent to make this decision, this should be respected unless there is an overriding interest in disclosure (such as protecting vital interests), but the implications must be clearly explained to the patient.

The Gender Recognition Act (2004) does not allow for disclosures where a health professional believes it would be in the best interests of the patient. Under the Gender Recognition (Disclosure of Information) England, Wales and Northern Ireland (No. 2) Order 2005, information relating to gender reassignment, such as the patient’s previous identity, can only be disclosed if:

- the disclosure is made for medical purposes to a health professional and the person making the disclosure reasonably believes that the subject has given consent to the disclosure (or cannot give such consent); or
- disclosure is required to prevent or detect crime, or is requested under a Court Order, or is in accordance with any other provision of the Gender Recognition Act (2004).

6.3. Secure Practices

You must ensure that confidential or personal staff or patient identifiable information is never left unattended, or where it might easily be accessed by a third party who is unauthorised to have this access. This includes, for example:

- leaving information in an unlocked and unmanned office;
- leaving information on the screen of an unattended PC;
- allowing another person access to your password inappropriately; or
- positioning a computer screen such that it is readily visible to others.

Before you leave your desk / work area at the end of your working day / shift, you must ensure that all paperwork (of any description) is stored away in a drawer or filing cabinet, and not left in view (i.e. a clear desk routine must be followed). This will limit the possibility of accidentally leaving out, or misplacing, information of a confidential nature. If information cannot be stored away, you should ensure access is restricted, e.g. by locking the office door or locking the department at the end of the day.

If you are adding information to records, check its current accuracy and relevance and raise any queries with the data owner.

You must ensure that confidential records are shredded when no longer required, or put into designated ‘confidential waste’ bins or sacks for commercial confidential disposal.
You must comply with Trust Records Management Policies:

- Confidential or patient / staff identifiable information must not be placed in domestic waste bins.
- Care must be taken when disposing of items such as carbon paper, backing sheets and in particular printer ribbons, as these can contain confidential or patient / staff identifiable information. These must be disposed of by shredding or incineration.
- Pre-printed stationery such as headed paper or test report forms must be stored securely to prevent possible fraudulent use.
- Fax machines must be located in secure areas in order that incoming faxes cannot be read by unauthorised persons. You must comply with the Trust’s Safe Haven Policy. For guidance on this, please contact the Trust’s Information Governance Manager.
- Any redundant equipment, especially disk or tape copies, must be disposed of through the ICT department in accordance with recognised procedures (refer to your line manager / supervisor for details).

You must only take records or other confidential information out of the office or off-site if on approved business (this includes the use of laptops and working from home). You must safeguard the security and confidentiality of the information at all times and should ensure that a list of the records that you take off-site is retained at your base.

All correspondence containing confidential or personal patient or staff identifiable information must always be addressed to a named recipient, e.g. a named person, a post holder, a consultant, a designated group or a legitimate Safe Haven, not merely to a department or organisation.

Internal mail containing confidential or personal patient or staff identifiable information must only be sent in a securely sealed envelope, and marked accordingly (e.g. “Confidential” or “Addressee Only”, as appropriate).

External mail containing confidential or personal patient or staff identifiable information must also be sent in a securely sealed envelope, and marked accordingly, e.g. “Private and Confidential” or “To be opened by addressee only”, as appropriate. If deemed appropriate, sensitive / confidential mail may be sent by registered delivery or courier.

Person Identifiable Data stored on removable media must be encrypted to NHS standards (256 bit AES). Advice on what and how to encrypt is available from the ICT Department.

Should you need to email confidential or personal patient or staff identifiable information, the Trust Email Policy must be followed.

6.4. Disclosures

Care must be taken to ensure that enquirers have a legitimate right to have access to the information that they ask for, so that information is only shared on a “need to know” basis. Always be mindful that people may try to obtain information by deception.

It is important to consider how much information is needed before disclosing it and only disclose the minimum amount necessary. For example, providing an entire medical record is generally unnecessary and is likely to constitute a breach of confidence. Only duplicate essential records for a particular purpose, and ensure as far as possible that the person you disclose personal information to will not use it inappropriately.

Any information shared with a non-NHS organisation should ideally be done so in accordance with an agreed information-sharing protocol, as sanctioned by the Information Governance Manager or Caldicott Guardian. If you are unsure or unclear about this procedure, refer to your line manager / supervisor for guidance.

You are employed in a position of trust and must never abuse that trust by passing confidential or personal information to relatives or friends or by using such information for personal or commercial gain.
Patients generally have the right to object to the use and disclosure of confidential information and need to be made aware of this right. However, information can be disclosed:

- with the individual’s consent for a specific purpose;
- on a “need to know” basis if the person receiving the information is involved in the patient’s treatment and requires the information for clinical reasons;
- when the information is required by law or under a court order (in these situations it may be necessary to discuss disclosures with a line manager, the Information Governance Manager or the Caldicott Guardian);
- in child protection / vulnerable adults / safeguarding proceedings if it is considered that the information required is in the public or the individual’s interest; or
- where disclosure can be justified for another purpose, such as public protection or the prevention or detection of crime.

Requests for information from the police can be refused. However, an exemption under section 29 of the Data Protection Act 1998 allows disclosure in the public interest, at the discretion of the Data Controller, for the prevention or detection of crime. If in any doubt refer requests from the police to the Information Governance Manager, or to your line manager. Further information is available in the Trust’s Disclosure of Information to the Police Policy.

Requests for information from the media must always be referred to the Trust Communications Team, via your line manager.

If you receive a request for information about a patient, staff member, etc., and it is not part of your job to respond, or you are in any way unclear or unsure about it, refer the request to your line manager / supervisor or to the person who is designated to deal with such a request.

Enquiries from relatives and friends must be handled in accordance with the wishes (consent) of the patient, and the enquirer must be identified in the first instance.

Consider whether it is appropriate to disclose personal information about staff. There is no absolute requirement for staff names and contact details to be regarded as confidential, as many staff roles are public-facing. However, it may not be appropriate to disclose an individual staff name, e-mail account or telephone number if this member of staff is not expecting to receive any communications, may go on leave, or be otherwise unavailable. If there is any doubt, seek the member of staff’s permission, or consult the Information Governance Manager.

6.5. Possible sanctions for breach of confidentiality or data loss

All staff members must be aware that there are possible disciplinary sanctions for failure to comply with their responsibilities, such as:

- deliberately looking at records without authority;
- discussion of personal details in inappropriate venues; or
- transferring personal information electronically without encrypting it.

Sanctions can include disciplinary action, ending a contract, dismissal, or bringing criminal charges.

Since April 2010, the Information Commissioner’s Office (ICO) has had the power to fine organisations up to £500,000 as a penalty for serious breaches of the Data Protection Act 1998. The ICO has produced statutory guidance about how it proposes to use this power.

6.6. Reporting breaches

All actual or suspected breaches of confidentiality should be reported using the standard Trust incident reporting process.

7. TRAINING REQUIREMENTS

The Information Governance Manager and the ICT Technical Architect have overall responsibility for maintaining training and awareness of confidentiality and information security issues for all staff. However, the Trust Caldicott Guardian is also able to provide advice on the sharing of, and access to, patient identifiable information.

Information Governance training is mandatory and all new starters must receive IG training as part of their corporate induction. All staff members are required to undertake accredited Information Governance training as appropriate to their role. The preferred method is through the Trust’s Essential Skills Handbook (ESH) and the associated e-assessment in the Electronic Staff Record (ESR). Information Governance training must be completed on an annual basis.

Include within this section any processes for following up those who fail to complete the training: this needs to be in line with any learning and development policies and include a cross reference to such policies.

8. REFERENCES AND ASSOCIATED DOCUMENTATION

The Data Protection Act 1998
http://www.opsi.gov.uk/Acts/Acts1998/ukpga_19980029_en_1

ISO 27001 International Standard of Information Systems Security
http://www.iso.org/iso/catalogue_detail?csnumber=42103

NHS: Confidentiality Code of Practice 2003 (DoH)
http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_4069253

Computer Misuse Act 1990
http://www.opsi.gov.uk/acts/acts1990/UKpga_19900018_en_1.htm

Caldicott 2: The Information Governance Review (2013)
https://www.gov.uk/government/publications/the-information-governance-review

NHS: The Care Record Guarantee (Version 5)
Health and Social Care Information Centre – NHS Care Record Guarantee

Trust Policies:
- ICT Security Policy
- E-mail Policy
- Safe Haven Policy
- Clinical Records Management Policy

9. EQUALITY IMPACT STATEMENT

Portsmouth Hospitals NHS Trust is committed to ensuring that, as far as is reasonably practicable, the way we provide services to the public and the way we treat our staff reflects their individual needs and does not discriminate against individuals or groups on any grounds. This policy has been assessed accordingly.

Our values are the core of what Portsmouth Hospitals NHS Trust is and what we cherish. They are beliefs that manifest in the behaviours our employees display in the workplace. Our Values were developed after listening to our staff. They bring the Trust closer to its vision to be the best hospital, providing the best care by the best people, and ensure that our patients are at the centre of all we do.

We are committed to promoting a culture founded on these values which form the ‘heart’ of our Trust:

- Respect and dignity
- Quality of care
- Working together
- No waste

This policy should be read and implemented with the Trust Values in mind at all times.

10. MONITORING COMPLIANCE WITH PROCEDURAL DOCUMENTS

This document will be monitored to ensure it is effective and to assure compliance.

Minimum requirement to be monitored: Various elements of the Information Governance Compliance Framework:
- IG Compliance Monitoring Tool
- Patient Satisfaction (Data Protection / Consent) Survey
- Flow Mapping Registers
- Information Asset Registers
- Information Sharing Protocol Registers
- Information Governance Contractual Arrangements
- Information Governance Incident Reports

Lead: IG Manager; Information Asset Owners
Tool: IG Compliance Framework
Frequency of Report of Compliance: Bi-annual
Reporting arrangements: CSCs report biannually to the IG Steering Group
Lead(s) for acting on Recommendations: IG Manager; Information Asset Owners