Data Protection and Confidentiality Policy

Document History 

Document Reference: IG01 
Document Purpose: This policy sets out the practice The Valleys Medical Partnership expect from all staff, including those working on behalf of the Practice, when complying with Data Protection legislation within the practice.   
Date Approved: 6 April 2021 
Version Number: 
Status: FINAL 
Next Revision Due: 6 April 2022 
Developed by: Paul Couldrey – IG Consultant 
Policy Sponsor: Bernie Highfield – Practice Business Manager 
Target Audience: This policy applies to any person directly employed, contracted, working on behalf of the Practice or volunteering with the Practice. 
Associated Documents: All Information Governance Policies and the Information Governance Toolkit, and Data Security and Protections Toolkit 2020 
DS&P Toolkit Standard  

REVIEW DATES AND DETAILS OF CHANGES MADE DURING THE REVIEW 

  • This is a new policy developed to support the Information Governance Toolkit and from April 2019 the NHS Digital Data Security and Protections Assurance Toolkit 

KEY WORDS 

  • Information governance, confidentiality, security, data protection, IG Toolkit, SIRO, Caldicott Guardian, Privacy, DS&P Toolkit 

SUMMARY 

  • This document provides a policy statement on the use and management of information in the Practice and describes the arrangements for providing assurance to the Practice Management Team that IG compliance standards are defined and met and IG incidents appropriately managed. 

INTRODUCTION 

  • The Data Protection Act 2018 (DPA) and the UK UK General Data Protection Regulation (UK UK GDPR) 2016 impose obligations on the use of all personal data held by The Valleys Medical Partnership whether it relates to patients and their families, employees, complainants, contractors or any other individual who comes into contact with the organisation. This has implications for every part of the organisation. The Practice also has a duty to comply with guidance issued by the Department of Health, the NHS Executive, NHS Digital and the NHS Information Governance Alliance the specific requirements NHS Digital Data Security and Protections Assurance Toolkit and guidance issued by professional bodies. 
  • The Practice and its employees are bound by a legal duty of confidentiality to all patients which can only be set aside to meet an overriding public interest, legal obligation, or similar duty. The DPA and UK GDPR apply all staff, contractors and volunteers working for the Practice. The Valleys Medical Partnership is a Data Controller, as defined in Article 3 (7) of the UK GDPR and Section 1 of the DPA and is obliged to ensure that all the Data Protection requirements are implemented. The requirements of Article 5 (1) of the UK GDPR and be able to demonstrate compliance with those requirements Article 5(2). 
  • This policy sets out how the Practice meets its legal obligations and requirements under confidentiality, Data Protection and information security standards. The chief requirements outlined in this Policy are based upon the DPA/UK GDPR, which is the central piece of legislation covering security and confidentiality of personal information. 

POLICY AIMS 

  • This Data Protection Policy (the Policy) aims to ensure that The Valleys Medical Partnership (the Practice) meets its legal obligations and NHS requirements concerning confidentiality and information security standards. The requirements within the Policy are primarily based upon The Data Protection Act 2018 (DPA) and the UK General Data Protection Regulation (UK GDPR) 2016 that are key pieces of legislation covering security and confidentiality of personal information. 

POLICY SCOPE 

  • This policy covers all forms of information held by the Practice, including (but not limited to): 
    • Information about members of the public 
    • Non-Practice employees on Practice premises 
    • Staff and Personnel information 
    • Organisational, business and operational information 

This policy applies to all Practice employees and third parties responsible for the delivery of contracted NHS services on behalf of the organisation. 

DEFINITIONS 

  • Information Governance (IG); IG is the organisational practice of managing information from its creation to final disposal in compliance with all relevant information rights legislation. IG is focused on ensuring that standards and services are introduced to ensure that Practice information is managed securely, compliant with legislation and available for access by both staff and external parties, including the public and regulators. 
  • Data Security and Protections Toolkit; The assessment toolkits are supported by both NHS Digital and NHS England and are self-assessment tool for Practices which incorporates a knowledge base and guidance all aspects of IG. The IGT/DS&P is updated annually to reflect new NHS guidance, legislation and NHS Codes of Practice. 
  • Senior Information Risk Owner (SIRO); The SIRO takes ownership of the practice’s information  risk policy and acts as an advocate for information risk on behalf of the Practice who is also the Senior Information Risk Officer. The SIRO for the Practice is Dr Richard Butler. 
  • Caldicott Guardian; The Practice’s Caldicott Guardian has a particular responsibility for reflecting patients’ interests regarding the use of patient identifiable information. They are responsible for ensuring patient identifiable information is shared in an appropriate and secure manner. The Caldicott Guardian is Dr Richard Butler. 
  • Data Controller; means the natural or legal person, public authority (PRACTICE), agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; Article 4(7) UK GDPR. 

Principles of DPC Policy 

  • To meet the vision for managing DPC standards there are three key interlinked aims to the policy which will ensure the delivery of an effective policy framework: 
    • Legal compliance; The Practice aims to meet and exceed all compliance requirements relating to DPC. The Practice will undertake or commission annual assessments and audits of its compliance with legal requirements through the Appropriate IG Toolkit and demonstrating compliance to all relevant healthcare standards, the policy will also demonstrate that the Practice has adopted the Accountability for demonstrating compliance with the UK GDPR as required by Article 5(2). 
    • Information security; The Practice will promote effective confidentiality and security practice to its staff through an Information Security Management Systems (ISMS) which includes policies, procedures and training. The Practice has established and maintains incident reporting procedures and will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security. 
    • Openness; Non-confidential information on the Practice and its services should be available to the public through a variety of media. The Practice will undertake or commission annual assessments and audits of its policies and arrangements for openness through the IG Toolkit. 
  • The Practice has developed the Data Protection and Confidentiality Policy to enable the delivery of these three key aims for this policy. 

ROLES AND RESPONSIBILITIES 

Practice Management Team 

  • The Practice Management Team has overall accountability for the Practice’s ability to meet the policy requirements. The Management Team is responsible for: 
  • Receiving, considering and approving regular reports and briefings; 
  • Signing off the Practice’s Privacy Strategy and annual IG and DS&P toolkit returns. 
  • On behalf of the Management Team, the Information Governance Steering Group is responsible, for ensuring adequate arrangements are in place. 

Executive Lead 

  • The Senior Partner has overall responsibility for information governance in the Practice. As Accountable officer he/she is responsible for the management of information governance within the Practice and for ensuring appropriate mechanisms are in place to support service delivery and continuity. The Practice has a particular responsibility for ensuring that it corporately meets its legal responsibilities, and for the adoption of internal and external governance requirements. 

Caldicott Guardian 

  • The Practice Caldicott Guardian has Management Team level responsibilities for the Practice’s Caldicott Function and enables a direct reporting line to the Practice Management Team and the appropriate governance committee. The Caldicott Guardian is responsible for protecting the confidentiality of service user information and enabling lawful and ethical information sharing. This links directly to information governance (IG) and will require an IG Lead to liaise directly with the Caldicott Guardian.   

Senior Information Risk Officer 

  • The Senior Information Risk Officer (SIRO) has Management Team level responsibilities and takes overall ownership of the Practice’s IG processes and provides written advice to the Senior Partner on the content of the Practice’s Annual Governance Statement in regard to information risk. 

Information Governance Steering Group 

  • The Information Governance Steering Group is responsible on behalf of the Practice for; 
  • Developing, implementing and maintaining a ISMS and associated policies, an annual work programme to provide assurance to the Practice that effective arrangements are in place; 
  • Agreeing IG relevant reports and recommendations and timely preparation of the annual IG assessment for Practice Management Team sign off; 
  • Promote and embed IG into the organisational culture. 

IG Lead – Practice Manager 

  • The nominated IG Lead is the Practice Manager. The IG Lead has responsibility for project managing the overall co-ordination, publicising and monitoring of the Practice IG Framework. The Practice IG Lead has specific responsibility for the development of this policy, producing performance monitoring reports and producing IG toolkit central returns on behalf of the Practice. 

Data Protection Officer – PCIG Consulting Limited 

  • Paul Couldrey of PCIG Consulting Limited will act as the Data Protection Officer (DPO) for Practice, this role is key to ensuring that Practice comply and can demonstrate that they comply with the UK GDPR.  

Practice Employees & staff working on behalf of the Practice 

  • All Practice employees, whether permanent, temporary or contracted, and students and contractors are responsible for ensuring that they are aware of the requirements incumbent upon them and for ensuring that they comply with these on a day to day basis.
  • All employees are required to undertake regular Practice mandatory training in IG to ensure that they are fully aware of their individual responsibilities and have the relevant knowledge to ensure compliance.
  • Misuse of or a failure to properly safeguard information may be regarded as a disciplinary offence. 
  • It is important that staff a have an understanding of the legal framework and good practice guidance issued by their own professional bodies for sharing information to assist with multi-agency safeguarding enquiries, case discussions, serious case reviews (SCRs), multi-agency learning reviews (MALRs), domestic homicide reviews (DHRs), safeguarding adults reviews (SARs), Multi-Agency Risk Assessment Conference (MARAC), Multi-Agency Public Protection Arrangements (MAPPA), Vulnerable Adult Risk Management (VARM) meetings (county only), etc. 

Safeguarding 

Advice for practitioners providing safeguarding services to children, young people, parents and carers.  

In general Safeguarding teams should be able to quote their legal powers to exempt their requests from UK GDPR non-disclosure issue - ask for the request formally quoting their legal powers if they have a legal power consent is not required. 

  • For the purposes of safeguarding children and vulnerable adults, the following Article 6 and 9 conditions may apply:  
    • 6(1)(e) ‘…for the performance of a task carried out in the public interest or in the exercise of official authority…’ 
  • and: 
    • 9(2)(b) ‘…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of …social protection law in so far as it is authorised by Union or Member State law..’ 
  • in particular social protection law. 

 As information relating to criminal convictions and offences are not special categories data, organisations will need to reference the Article 10 provisions of the DPA18 as a basis for processing of such data for safeguarding purposes. 

  • To meet the requirement in Article 9(2)(b) that the processing is necessary for the purposes of carrying out the obligations of the controller or data subject in the field of social protection law, the provisions of the Children Acts 1989 and 2004, and the Care Act 2014 are relevant.  
  • The Children Act 1989 (CA) establishes implied powers for local authorities to share information to safeguard children. Local authorities have a duty to investigate where a child is the subject of an emergency protection order, is in police protection or where there is reasonable cause to suspect that a child is suffering or is likely to suffer significant harm.  
  • The CA also requires local authorities ‘to safeguard and promote the welfare of children within their area who are in need’ and to request help from specified authorities including NHS Trusts and Foundation Trusts, NHS England and CCGs. These are required by the CA to comply ‘…with the request if it is compatible with their own statutory or other duties and obligations and does not unduly prejudice the discharge of any of their functions.’ Under the Children Act 2004 local authorities must make arrangements to promote cooperation with relevant partners and others, to improve well-being.  
  • The Care Act 2014 sets out a clear legal framework for how local authorities and other parts of the system should protect adults at risk of abuse or neglect. Local authorities have a duty to make enquiries where an adult is experiencing or is at risk of experiencing abuse or neglect and has duties to collaborate with partners generally and in specific cases.  

It remains the responsibility of organisations and the professionals they employ to ensure that they have a basis for processing that meets common law requirements and the requirements of the UK GDPR; and for public bodies that they are acting within their powers. 

POLICY STATEMENTS 

  • When Practice staff manages any business information then s/he is required to comply with the requirements of the procedures and requirements. This policy requires all staff to manage information to the highest standards to ensure compliance with appropriate standards, to secure all Practice information and to promote appropriate information access. 
  • The Practice fully endorses the six principles set out in the UK GDPR 2016.  The Practice and all staff who process personal information must ensure these principles are followed. In summary these state that personal data shall: – 
    • processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);  
    • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);  
    • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);  
    • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);  
    • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);  
    • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’). 

Furthermore, the Practice is committed to implementing the eight Caldicott principles  

The Caldicott principles 

The Caldicott Principles (as updated December 2020) require all Practices having access to confidential information to exercise good practice when dealing with confidential information for non-healthcare purposes: 

  1. Justify the purpose(s) of using confidential information; 
  2. Only use it when absolutely necessary; 
  3. Use the minimum that is required; 
  4. Access should be on a strict need-to-know basis; 
  5. Everyone must understand his or her responsibilities; 
  6. Understand and comply with the law. 
  7. The duty to share information for individual care is as important as the duty to protect patient confidentiality. 
  8. Inform Patients and service users about how their confidential information is used. 

The Caldicott Guardian must approve any use of patient identifiable data for non-healthcare purposes. 

Any breach of the Data Protection legislation with specific reference to unauthorised use/disclosure of personal data or failure to safeguard personal data in accordance with Practice policy will be viewed as gross misconduct and may result in serious disciplinary action being taken, up to and including dismissal. Employees could also face criminal proceedings. 

Any breach of the Data Protection legislation with specific reference to unauthorised use/disclosure of personal data or failure to safeguard personal data in accordance with Practice policy will be viewed as gross misconduct and may result in serious disciplinary action being taken, up to and including dismissal. Employees could also face criminal proceedings. 

Subject Access (SAR/DSAR) 

There is a recognised procedure (The PATIENT ACCESS TO MEDICAL RECORDS POLICY & PROXY ACCESS 2021) by which personal data is disclosed either to the data subject or to their representative. 

Any request must be completed within a maximum of one month from date or receipt, from 25th May 2018 under UK GDPR rules there will be no fee charged for SAR. 

CONFIDENTIALITY

The ‘Confidentiality: NHS Code of Practice’ has been published by NHS England. The consultation included patients, carers and citizens; the NHS; other health care providers; professional bodies and regulators. 

  • This document is a guide to required practice for those who work within or under contract to NHS organisations concerning confidentiality and patients’ consent to the use of their health records. 

Patient Confidentiality 

  • Health information is collected from patients in confidence and attracts a common law duty of confidence until it has been effectively anonymised. This legal duty prohibits information use and disclosure without consent – effectively providing individuals with a degree of control over who sees information they provide in confidence. This duty can only be overridden if there is a statutory requirement, a court order, or if there is a robust public interest justification. 
  • On first contact with the Practice, all patients should be asked which relatives, friends or carers they wish to receive information regarding treatment and progress, or those they specifically do not give permission to receive information. 
  • In cases where relatives have been heavily involved in patient care, the patient must be explicitly asked as to what level these relatives can be kept informed. This is particularly important in cases where relatives are requesting information on the patient’s condition, perhaps before the patient has been informed. 
  • In the event a person lacks capacity to consent to information being shared staff should check if a person is authorised by a Lasting Power of Attorney (health and welfare) or been appointed by the court of protection to make that decision.
    • The document must be seen. This person can consent on their behalf but must act in the person’s best interest. If they have not, then no one can consent on behalf of that person. A professional in the care team must assess if it is in the best interest of the person to share the information. The person’s wishes and feeling, although not determinative, should be the starting point in this assessment. 

Staff Confidentiality 

All Staff are required to keep confidential any information regarding patients and staff, only informing those that have a need to know. In particular, telephone conversations and electronic communications must be conducted in a confidential manner. 

  • Confidential information must not be disclosed to unauthorised parties without prior authorisation by a senior manager. Staff must not process any personal information in contravention of the UK GDPR 2016 or DPA2018. 
  • Any breaches of these requirements will potentially be regarded as serious misconduct and as such may result in disciplinary action. 
  • All staff have a confidentiality clause in their contract of employment. The practice has an approved Data Protection and Confidentiality clause in all contracts with 3rd party contractors and suppliers who process personal information. 

EDUCATION AND TRAINING REQUIREMENTS 

The Practice is committed to the provision of IG training and education to ensure the workforce is informed, competent, prepared and possesses the necessary skills and knowledge to perform and respond appropriately to the demands of clinical care and service delivery. 

The Practice has a mandatory training programme which includes maintaining awareness of IG, data protection, confidentiality and security issues for all staff. This is carried out by regular training sessions covering the following subjects: 

  1. personal responsibilities; 
  2. confidentiality of personal information; 
  3. relevant IG Policies and Procedures; 
  4. general good practice guidelines covering security and confidentiality; 
  5. records management. 

All staff will be required to complete annual IG training (including data protection and confidentiality training) commensurate with their duties and responsibilities. All new starters will be given IG training as part of the Practice mandatory induction process.  

PROCESS FOR MONITORING COMPLIANCE 

  • The IG Lead will establish a performance management framework, reported through the Information Governance Steering Group on a six monthly basis. 

EQUALITY IMPACT ASSESSMENT 

The Practice recognises the diversity of the local community it serves. Our aim therefore is to provide a safe environment free from discrimination and treat all individuals fairly with dignity and appropriately according to their needs. 

  • As part of its development, this policy and its impact on equality have been reviewed and no detriment was identified. 

LEGAL LIABILITY 

The Practice will generally assume vicarious liability for the acts of its staff, including those on honorary contract. However, it is incumbent on staff to ensure that they; 

  • Have undergone any suitable training identified as necessary under the terms of this policy or otherwise. 
  • Have been fully authorised by their line manager to undertake the activity. 
  • Fully comply with the terms of any relevant Practice policies and/or procedures at all times. 
  • Only depart from any relevant Practice guidelines providing always that such departure is confined to the specific needs of individual circumstances. In healthcare delivery such departure shall only be undertaken where, in the judgement of the responsible clinician it is fully appropriate and justifiable – such decision to be fully recorded in the patient’s notes. 
  • Staff contracts of employment are produced and monitored by the Practice. All contracts of employment include a data protection and general confidentiality clause as part of controls to enhance privacy and information governance.  Agency and contract staff are subject to the same rules. 

SUPPORTING REFERENCES, EVIDENCE BASE AND RELATED POLICIES 

The Senior Information Risk Owner (SIRO) will direct the IG Lead to take actions as necessary to comply with the legal and professional obligations set out in the key national guidance issued by appropriate commissioning bodies in particular; 

  1. The NHS Confidentiality Code of Practice 
  2. Care Record Guarantee 
  3. NHS Records Management Code of Practice Part 2 
  4. NHS IGA UK GDPR Guidance 
  5. Information Security Management: NHS Code of Practice 

There are a number of policies and procedures within the Practice that should be read in conjunction with this document for a complete understanding of how the Practice is organised and the strategies in place to fulfil its obligations. The key documents are listed below: 

  • Patient Access to Medical Records Policy and Proxy Access 2018 
  • Practice Responsibilities Document 
  • Records Policy 
  • Breach Reporting Policy 

Due Regard 

  • This policy has been reviewed in relation to having due regard to the Public-Sector Equality Duty (PSED) of the Equality Act 2010 to eliminate discrimination, harassment, victimisation; to advance equality of opportunity; and foster good relations. 

Review and Monitoring 

  • The Practice Manager is responsible for regular monitoring of the quality of records and documentation and managers should periodically undertake quality control checks to ensure that the standards as detailed in this policy are maintained. 
  • This policy will be reviewed every two years unless new legislation, codes of practice or national standards are introduced.