General Note 

NHS Fife acknowledges and agrees with the importance of regular and timely review of policy statements and aims to review policies within the timescales set out. New policies will be subject to an initial review within 12 months from the date of first issue.

Reviewed policies will have a review date set that is relevant to the content (advised by the author) but will be no longer than 3 years.

If a policy is past its review date, then the content will remain extant until such time as the policy review is complete and the new version published, or if national policy or legislative changes are made.

1.  FUNCTION

NHS Fife has an obligation to comply with all appropriate legislation and Scottish Government instructions and guidance in the handling of personal information. The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA), (DP Legislation) governs the way that organisations such as NHS Fife handle, collect, process and store personal information. This document fulfils the requirement for NHS Fife to have an appropriate policy in place under Data Protection Act 2018, schedule 1, para 39.

1.1 NHS Fife recognises the critical importance of safeguarding personal and sensitive information. All staff have a duty to uphold confidentiality and comply with legal, contractual, and ethical standards. The following applies:

1.2 All NHS Fife staff are bound by a common law duty of confidentiality to protect and maintain accurate personal information encountered during their work.

1.3 To ensure staff remain informed and compliant, staff, supported by their Line Managers, should continue to ensure they undertake the mandatory training requirements for Information Governance and Cyber Security. In addition, NHS Fife Information Governance and Security, in collaboration with NHS Workforce Directorate, will work with line managers to deliver a comprehensive training and awareness programme entitled IG&S Personal Development Programme (PDP) which can be accessed through Turas training. This programme supports both new and existing staff in understanding their individual responsibilities regarding data protection and confidentiality.

1.4 Staff should be aware of and comply with GP/M5 Device Management Policy before using portable memory devices.

1.5 All NHS Fife staff, and people working on our behalf, including contractors, partners and third parties with access to NHS Fife data must do their utmost to ensure that personal data is accurate, created in a timely manner and kept secure. All NHS Fife staff, and people working on our behalf, must be aware of the requirements of this policy when they collect or handle personal data. NHS Fife staff and people working on our behalf, must not disclose data except where there is a recognised legal basis/requirement to disclose e.g. Another Act requires the information to be disclosed, or it is in the greater public interest to disclose the data. If there is ever uncertainty around data sharing, the data protection team must be contacted: fife.dataprotection@nhs.scot

2.  LOCATION

2.1 This policy is intended for all NHS Fife staff, volunteers, contractors and partners.

2.2 The NHS Fife Data Protection Notice is available at: www.nhsfife.org/about-us/accessing-records/data-protection/

3. AIM, PURPOSE AND OUTCOMES

3.1 The purpose of this Policy is to specify how NHS Fife manages all information to meet legal and government obligations is to ensure that all staff, contractors and partners understand their responsibilities when processing NHS Fife information, particularly Personal Data and Special Category Data.

3.2 Personal data is defined as any information relating to an identified or identifiable person; an identifiable natural person is one who can be identified, directly or indirectly.

3.3 Special Category data is defined as personal data that needs more protection because it is sensitive; race/ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic & biometric data, health data, sex life and sexual orientation.

3.4 This Policy has been written in accordance with current relevant legislation and will be updated in a timely manner upon the introduction of / modification of legislation. The Reference Appendix at the end of this Policy will be updated to reflect the legislation referred to. The Policy may also be amended, as required, following changes in the environment that NHS Fife operates in, or any other significant event which requires an amendment to this Policy.

4.  RESPONSIBILITY

4.1 It is the responsibility of all staff to follow this and all related policies. Day-to-day responsibility for the operation of this policy shall be delegated to the following:

4.2 Chief Executive:

The Chief Executive has overall for the security of all data and systems used to process information (personal and confidential) within NHS Fife. The Chief Executive is responsible for accepting any remaining risks identified through the information risk management process.

4.3 Senior Information Risk Owner (SIRO):

The SIRO has the responsibility for overseeing the identification, assessment and treatment of information risks within NHS Fife to ensure compliance with the data protection regulations and the NHSS Information Governance and Security Strategic Framework and policies. If the SIRO is not available, then the Deputy SIRO will support compliance.

4.4 Caldicott Guardian(s)

NHS Fife Caldicott Guardian(s) have responsibility at Board level for additional protection of patient identifiable data.

4.5 Director of Digital and Information

The Director of Digital and Information has the responsibility for the operation of a Data Protection Function for the organisation and to ensure that the Data Protection Function abides by Data Protection legislation to ensure that it is adequately resourced and supported as part of digital systems and process deployment.

4.6 Head of Information Governance and Security and Data Protection Officer

The NHS Fife Head of Information Governance and Security is responsible for delivering the highest standards of Information Governance and Security and to ensure NHS Fife complies with all legal requirements relating to the Data Protection Act, UK GDPR Regulations, Public Records (Scotland) Act 2011, Freedom of Information (Scotland) Act 2002 and all other relevant standards, laws, and regulations and EU GDPR. 

4.7 As the Data Protection Officer (DPO) they are responsible for:

• Monitoring the organisation’s data protection compliance.
• Informing and advising on data protection obligations.
• Providing advice on Data Protection Impact Assessments and monitoring organisational performance.
• To register and cooperate with and act as the point of contact between NHS Fife and the supervisory authority, the Information Commissioner's Office (ICO)

4.8 Information Governance and Security Team

The Information Governance and Security (IG&S) Team give expert advice to NHS Fife staff, GPs, and partners about how to use, access, and share data safely and legally.

4.9 Information Security Manager

The Information Security Manager is responsible for ensuring that all data processing conducted by NHS Fife meets security protocols and standards. The role involves performing regular security assessments, implementing security measures, monitoring data transfers for security breaches, and coordinating with the IT and Cybersecurity departments to bolster data security and implements clear policies regarding Information Security.

4.10 NHS Fife Corporate Records Manager

The Corporate Records Manager is responsible for the provision of professional expert advice and strategic development and maintenance of corporate records throughout their lifecycle. This applies to all NHS Fife staff, GP Contractors and other partners regarding the lifecycle management of storage, transport, retention and destruction of corporate and some Health and Social Care Partnership information stored by NHS Fife. 

4.11 Executive and Senior Leaders

NHS Fife’s Executive Leadership Team (ELT), Heads of Service/Departments and Health and Social Care Partnership (HSCP) are responsible for ensuring that this policy and any associated policies and procedures are followed within their services and to ensure the compliant processing of patient and confidential information and that their staff undertake their mandatory Information Governance Training every three years or earlier at the DPO’s recommendation.

5. OPERATIONAL PROCEDURE

5.1 Information Governance is an overarching framework of legislation and relevant guidance and best practice that relates to Personally Identifiable Information (PII) which we, as an organisation, are required to adhere to.

5.2 All NHS Fife staff, and people working on our behalf, have a responsibility to keep all personal and sensitive information secure at all times by:

• Adhering to all NHS Fife policies, procedures and guidelines.
• Protecting information physically.
• Practicing secure password management.
• Transferring information securely.
• Reporting all actual and attempted data breaches and/or data loss immediately.

5.3 NHS Fife adheres to the following seven UK General Data Protection Regulation Principles:

5.3.1 Lawfulness, Fairness & Transparency - Data will be processed lawfully, fairly and in a transparent manner in relation to individuals.

5.3.2 Purpose Limitation - Data will be collected for specific, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.

5.3.3 Data Minimisation - Data will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

5.3.4 Accuracy - Data will be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

5.3.5 Storage Limitation - Data will be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purpose for which the personal data are processed; personal data may be stored for longer periods in so far as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the legislation in order to safeguard the rights and freedoms of individuals.

• Integrity & Confidentiality - Data will be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

• Accountability - NHS Fife takes responsibility for and will demonstrate compliance with all applicable data protection and security regulations and guidelines

5.4 Caldicott Principles - NHS Fife also has a responsibility to adhere to the Caldicott Principles. Each Caldicott Principle is implemented to ensure information is kept confidential. The Caldicott Guardian has responsibility at Board level for protecting patient identifiable data. NHS Fife have three Caldicott Guardians who cover Corporate, Acute and the Health and Social Care Partnership.

The Caldicott Principles are:

1. Justify the purpose for which the information is required.
2. Do not use patient-identifiable information unless it is absolutely necessary.
3. Use the minimum necessary patient-identifiable information.
4. Access to patient-identifiable information should be on a strict need-to-know
5. Everyone with access should be aware of their responsibilities.
6. Everyone should understand and comply with the law.
7. The duty to share information can be as important as the duty to protect patient confidentiality
8. Inform patients about how their data is used.

5.5 Legal Basis for Processing Data – NHS Fife is required to have a legal basis when processing personal information. NHS Fife considers that performance of our tasks and functions are in the exercise of our official authority provided by the NHS (Scotland) Act 1978, therefore our main legal basis is Public Task and Health and Social Care Purposes.

5.6 Information Governance & Security Implementation Approach

NHS Fife is committed to the responsible and ethical management of personal data in line with all applicable legislation. To support this commitment, NHS Fife will embed information governance and security into everyday practice by fostering a culture of accountability, transparency, and continuous improvement. This includes:

• Integrating information governance requirements into operational planning, service delivery, and digital transformation initiatives
• Ensuring leadership oversight and clear lines of responsibility across all departments and services
• Providing accessible, role-specific guidance and support to staff, contractors, and partners
• Promoting proactive risk management and early identification of vulnerabilities in data handling
• Encouraging open reporting of incidents and near misses to support learning and improvement
• Aligning governance activities with national standards and NHS Scotland strategic frameworks
• Reviewing and updating governance arrangements in response to legislative changes, emerging threats, and organisational developments

5.7 This approach ensures that information governance is not just a compliance exercise, but a core component of safe, effective, and person-centred care. Access to systems and information will be through recognised procedures and processes and providing that NHS Fife security controls can be upheld.

5.8 NHS Fife reserves the right to exclude or revoke access where it put the Board’s data at risk

5.9 Information Governance and Security Commitments

NHS Fife is dedicated to maintaining the highest standards of information governance and data security. These commitments underpin the organisation’s approach to safeguarding personal and sensitive information, ensuring compliance with legal and ethical obligations, and supporting the delivery of safe and effective care.

The following table outlines NHS Fife’s core commitments:

NHS Fife is committed to maintaining the highest standards of confidentiality, information governance, and information security.

5.10 Information Assets

5.10.1 Regulations require NHS Boards to identify key information assets and to record this in an Information Asset Register (IAR) (GPD3 A9). Impact on information assets must be assessed in terms of confidentiality, integrity and availability. This is the responsibility of the Information Governance and Security IAR Lead.

5.10.2 Information Asset Owners are senior members of staff whose business areas use an information asset. Their role is to understand what information is held, what is added, what is removed, how information is moved, who has access and why. As a result, they are able to understand and address risks to the information and ensure that it is fully used within the law for the public good.

6.  RISK

6.1 Failure by NHS Fife staff, contractors, or partners to adhere to the provisions outlined in this policy presents a significant risk to the confidentiality of patient information, compliance with legislation, and the organisation’s reputation.

6.2 Misuse or mishandling of personal data— whether through the use of unauthorised devices, inadequate security measures, or insufficient training—may result in data breaches, legal sanctions, reputational harm, and potential distress or harm to affected individuals. NHS Fife could also face regulatory action from the Information Commissioner’s Office (ICO) and be required to report incidents publicly.

6.3 In mitigation, NHS Fife has implemented robust governance procedures, routine audits, and mandatory training programmes to ensure that all personnel understand and fulfil their responsibilities in safeguarding personal data. The protection of sensitive information is a shared responsibility and a fundamental requirement for maintaining public trust and legal compliance.

7.  REFERENCES

NHS Fife’s legislative framework includes all applicable international, national, and local data protection laws. The Policy complies with the following acts, regulations, and best practice standards:

National Legislation

• UK General Data Protection Regulation (UK GDPR)
• EU General Data Protection Regulation (GDPR): As part of EU legislation, which the UK has chosen to maintain post EU departure, GDPR principles govern the use and sharing of personal data under the UK GDPR.
• Data Protection Act 2018
• Public Health (Scotland) Act 2008
• Network & Information Systems Regulation 2018:
• Computer Misuse Act 1990
• Freedom of Information (Scotland) Act 2002
• Public Records (Scotland) Act 2011
• National Health Service (Scotland)Act 1978

• Data (Use and Access) Act 2025

National Policy and Guidance

• NHS Scotland Information Security Policy Framework
• Caldicott Principles

• Protecting Patients Confidentiality (The Common Law Duty of Confidentiality in Practice – 2023)
• General Medical Council Good Medical Practice
• Nursing and Midwifery Code of Practice

APPENDICES

Related NHS Fife Policies:

• GP/I9 Adverse Events Policy
• GP/D2 Data Subject Access Request Policy
• GP/R4 Records Management Policy
• GP/A4 - Acceptable Use Policy
• GP/C10 - Clear Desk Clear Screen Policy
• GP/D6 - Data Encryption Policy
• GP/H6 - eHealth Equipment Home Working Policy
• GP/S8 - eHealth Incident Management Policy
• GP/I4 - eHealth Procurement Policy
• GP/B2 - IT Remote Access Policy
• GP/E6 - Email Policy
• GP/R9 - Health Records 
• GP/R8 - Health Records Retention and Destruction
• GP/I5 - Information Security Policy
• GP/I3 - Internet Policy
• GP/I6 - IT Change Management Policy
• GP/V2 - IT Virus Protection Policy
• GP/R4 – Records Management Policy
• GP/M5 - Device Management Policy
• GP/E7 - Non-NHS Fife Equipment
• GP/O2 - Online Communications
• GP/P2 - Password Policy