NHS Fife acknowledges and agrees with the importance of regular and timely review of policy/procedure statements and aims to review policies within the timescales set out.
New policies/procedures will be subject to a review date of no more than 1 year from the date of first issue.
Reviewed policies/procedures will have a review date set that is relevant to the content (advised by the author) but will be no longer than 3 years.
If a policy/procedure is past its review date then the content will remain extant until such time as the policy/procedure review is complete and the new version published, or there are national policy or legislative changes.
1.0 Aim, Purpose and Outcomes
1.1 To ensure that Information Governance and Data Protection is maintained this policy will ensure the following:
- Confidentiality and integrity of personal and sensitive information is maintained.
- Information is available to authorised users only.
- Information is not disclosed to unauthorised individuals.
- Unauthorised destruction of information is prevented.
- Staff are advised of their obligations to maintain information confidentiality, integrity, and availability.
1.2 This policy forms part of NHS Fife's Digital Information Security Management System (ISMS) and should be read in conjunction with the NHS Fife Information Security Policy and all other applicable NHS Fife Information Security (IS) policies.
1.3 This policy has been written in line with the best practice for Information Security (IS) standards. The policy will be reviewed annually to meet future changes to these standards.
1.4 This policy has been written to comply with current legislation and the policy will be updated appropriately to suit new and/or modified legislation. The reference appendix at the end of this policy will be updated to reflect this legislation.
2.1 This policy is intended for all NHS Fife staff to maintain information security.
2.2 References to “staff” include all staff within NHS Fife and all staff who are employed, engaged or partners within each GP practice (contracted to NHS Fife).
3.0 NHS Fife Stakeholders
3.1 The stakeholders are NHS Fife employees and contractors, full and part-time. It includes patients and the representatives of other statutory authorities, public bodies, and voluntary groups.
3.2 NHS Fife will ensure personal information is only accessible to authorised individuals.
3.3 NHS Fife has a legal and contractual duty to keep personal health information and sensitive business information secure and confidential.
3.4 The NHS Fife Data Protection Notice is available at:
4.0 NHS Fife Data Protection Principles and Rights
4.1 Information Governance and Data Privacy are a series of best practice guidelines and laws relating to Personally Identifiable Information (PII) that NHS Fife is required to adhere to. The guidelines are subject to oversight from NHS Fife Board and relevant Committees.
4.2 Every member of staff has a responsibility to keep all personal and sensitive information secure at all times by:
- Adhering to all NHS Fife policies, procedures and guidelines.
- Protecting information physically.
- Practising secure password management.
- Transferring information securely.
- Reporting all actual and attempted data breaches and/or data loss immediately.
4.3 NHS Fife adheres to the following seven key Data Protection Principles:
Lawfulness, Fairness and Transparency - Data will be processed lawfully, fairly and in a transparent manner in relation to individuals.
Purpose Limitation - Data will be collected for specific, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
Minimisation - Data will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy - Data will be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Storage Limitation - Data will be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purpose for which the personal data are processed; personal data may be stored for longer periods in so far as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the legislation in order to safeguard the rights and freedoms of individuals.
Integrity and Confidentiality - Data will be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Accountability - As a Controller of data, NHS Fife is responsible for and will demonstrate compliance with all applicable data protection and security regulations and guidelines.
4.4 NHS Fife also has a responsibility to adhere to the Caldicott Principles. The Caldicott Guardian has responsibility at Board level for protecting patient identifiable data. The NHS Fife Caldicott Guardian is the Medical Director. The Caldicott Principles are:
1. Justify the purpose for which the information is required.
2. Do not use patient-identifiable information unless it is absolutely necessary.
3. Use the minimum necessary patient-identifiable information.
4. Access to patient-identifiable information should be on a strict need-to-know basis.
5. Everyone with access should be aware of their responsibilities.
6. Everyone should understand and comply with the law.
7. The duty to share information can be as important as the duty to protect patient confidentiality.
4.5 UK Data Protection laws provide the following eight inviolable rights for individuals. They are:
The Right to be Informed - NHS Fife uses multiple ways to communicate how personal information is used, including:
- A Data Protection Notice is published internally and externally.
- Information leaflets for staff and patients.
- Staff providing care who communicate verbally with patients and carers.
The Right to Access Your Data - Individuals have the right to access their own personal information. This right includes making an individual aware of what information we hold along with the opportunity to satisfy them that we are using their information fairly and legally.
The Right to Rectification - If the personal information we hold about an individual is factually inaccurate or incomplete, they have the right to have this corrected.
The Right to Erasure - Individuals have the right to have personal data erased. The right to erasure is also known as ‘the right to be forgotten’. However, there are circumstances where this right may not apply.
The Right to Restrict Processing - Individuals have the right to request the restriction or suppression of their personal data. However, this is not an absolute right and only applies in certain circumstances.
The Right to Data Portability - The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. However, this right may not apply in certain circumstances.
The Right to Object - When NHS Fife is processing personal information for the purpose of the performance of a task carried out in the public interest or in the exercise of official authority, individuals have the right to object to the processing and also seek that further processing of the personal information is restricted. Provided NHS Fife can demonstrate compelling legitimate grounds for processing the personal information, for instance, patient safety or evidence to support legal claims, the right will not be upheld.
Rights in Relation to Automated Decision Making and Profiling - Data Subjects have a right to be informed about the use of Automated Decision Making and Profiling. This may include Robotic Process Automation (RPA), the use of Artificial Intelligence (AI), Machine Learning (ML) and automation processes.
NHS Fife takes a Strategic Approach to RPA. The approach ensures the implementation of adequate safeguards and executive oversight to ensure automated processes, with or without human intervention, cause no harm and Personally Identifiable Information (PII) remains safe and secure.
5.0 Legal Basis for Processing Data
5.1 NHS Fife, as a Data Controller, is required to have a legal basis when using personal information. NHS Fife considers that performance of our tasks and functions is in the public interest. When using personal information, our legal basis is usually that its use is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in us.
5.2 In some situations, we may rely on a different legal basis. For example, when we are using personal information to pay a supplier, our legal basis is that its use is necessary for the purposes of our legitimate interests as a buyer of goods and services.
5.3 Another example would be for compliance with a legal obligation to which NHS Fife is subject; for example, under the Public Health etc (Scotland) Act 2008 we are required to notify Health Protection Scotland when someone contracts a specific disease.
5.4 When we are using more sensitive types of personal information, including health information, our legal basis is usually that the use is necessary:
- for the provision of health or social care or treatment or the management of health or social care systems and services; or
- for reasons of public interest in the area of public health; or
- for reasons of substantial public interest for aims that are proportionate and respect people’s rights, for example research; or
- in order to protect the vital interests of an individual; or
- for the establishment, exercise or defence of legal claims or in the case of a court order.
5.5 On rare occasions we may rely on explicit consent as our legal basis for using personal information. When we do this we will explain what it means to the individual, and the rights that are available to them.
6.0 Data Protection Statement
NHS Fife will obey all applicable data protection laws and guidelines and will ensure that the organisation continues to treat personal information with due care and diligence.
7.0 Implementation (General)
NHS Fife will:
- 7.1 Observe conditions regarding the fair collection and use of information.
- 7.2 Meet its legal obligations to specify the purposes for which information is used within the Board’s Information Asset Register, assigning the legal basis for processing personal data for each information asset in line with current data protection legislation.
- 7.3 Collect and process appropriate information, and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements.
- 7.4 Ensure the quality and accuracy of information used.
- 7.5 Apply strict checks to determine the retention periods for information held.
- 7.6 Ensure that the rights of people about whom information is held can be fully exercised under current data protection legislation. This information is available within our Data Protection Notice on our public website for patients and visitors, and on the NHS Fife internal communications platform 'Blink'.
- 7.7 Ensure that personal information is not transferred outwith the United Kingdom and the European Economic Area (EEA) without suitable safeguards being in place.
- 7.8 Take appropriate technical and organisational security measures to safeguard personal information.
8.0 Organisational Issues
8.1 NHS Fife will ensure that a full, correct and up-to-date notification is lodged in its name with the Information Commissioner's Office (ICO).
8.2 The Data Controller for NHS Fife will be the Chief Executive who delegates day-to-day responsibility for the operation of data protection legislation to the Executive Directors.
8.3 NHS Fife will observe the Caldicott principles and ensure that there is a nominated Caldicott Guardian (MEL 1999/19).
8.4 The NHS Fife Head of Information Governance and Security has specific responsibility for advising on and monitoring information governance and security practice including data protection within the organisation.
8.5 The NHS Fife Head of Information Governance and Security is the NHS Fife, ICO registered, Data Protection Officer (DPO). Additional Information Governance and Security Officers may act as NHS Fife Deputy Data Protection Officers at the discretion of the Head of Information Governance and Security.
9.0 NHS Fife will ensure that:
9.1 Confidentiality statements are a component of employment contracts for all staff.
9.2 Staff are appropriately trained in information governance and security and are supervised.
9.3 Information and guidance relating to Information Governance and Security will be made available for all staff in a central online digital resource. Methods of handling personal information will be clearly described.
9.4 Anyone wishing to make enquiries about handling personal information knows who to approach.
9.5 Queries about handling personal information are promptly and courteously dealt with.
9.6 Methods of handling personal information are clearly described.
9.7 A regular review and audit is conducted of personal and sensitive information management and security.
9.8 Personal information and security management performance is regularly evaluated.
10.0 Roles and Responsibilities
10.1 All staff working within NHS Fife are bound by a legal duty of confidence to protect and keep up to date personal information that they may come into contact with during the course of their work. This is both a legal and contractual responsibility and also a requirement under the common law duty of confidence.
10.2 In order to ensure both new and current staff continue to receive appropriate training in data protection and confidentiality, NHS Fife Information Governance and Security and NHS Fife Training will communicate with line managers to ensure there is a comprehensive training and awareness programme in place for employees to use in order to ensure they are educated and aware of their individual responsibilities.
10.3 Person identifiable information is anything which contains the means to identify an individual, such as name, address or CHI number.
10.4 Confidential information within the NHS is commonly thought of as health data and can include information that is private and not public knowledge, or information that an individual would not expect to be shared. It can take many forms including patient level health information, employee records and occupational health records.
10.5 Information can relate to patients and staff, including temporary staff, however stored. Information may be held in many formats including paper, portable drives, CD/DVDs, computer file or printout and mobile devices.
10.6 The use of insecure and/or non-NHS Fife Digital and Information approved portable memory devices such as USB sticks or hard drives is prohibited. A secure approved device is a device that has been approved and registered with NHS Fife’s Digital and Information team and has appropriate security controls in place to ensure the device can store and transfer sensitive health information safely and securely.
10.7 The use of insecure and/or non-NHS Fife Digital and Information Security Approved mobile devices is prohibited. A secure approved mobile device is a device that has been approved and registered with NHS Fife’s Digital and Information teams and has appropriate security controls in place to ensure the device can store and transfer sensitive health information safely and securely.
10.8 The following staff within NHS Fife have a responsibility to protect data:
Chief Executive - The NHS Fife Chief Executive is the Accountable Officer for all of the organisation’s information assets and its security, including but not restricted to any personal (staff and patient) or confidential information.
Senior Information Risk Owner - NHS Fife’s Senior Information Risk Owner (SIRO) has overall responsibility for NHS Fife's information risk policy. The SIRO is accountable and responsible for information risk across the organisation. They ensure that everyone is aware of their personal responsibility to exercise good judgement, and to safeguard and share information appropriately.
Caldicott Guardian - The NHS Fife Caldicott Guardian has responsibility at Board level for protecting patient identifiable data. In NHS Fife, the Caldicott Guardian is the Medical Director.
Associate Director of Information and Digital Technology - NHS Fife’s Associate Director of Digital and Information sets the conditions for the operation of a Data Protection Function for the organisation as a whole. The role also ensures that the Data Protection Function abides by Corporate Governance rules and ensures that it is adequately resourced and supported.
Head of Information Governance and Security - The NHS Fife Head of Information Governance and Security is responsible for delivering the highest standards of Information Governance and Security and for ensuring that NHS Fife complies with all legal requirements including the Data Protection Act, GDPR Regulations, Records Management Standards, Freedom of Information and all other relevant standards, laws and regulations.
Data Protection Officers (DPOs) - NHS Fife Data Protection Officers (DPOs) are statutory, independent data protection experts who are responsible for:
- Monitoring an organisation’s data protection compliance.
- Informing it of and advising on its data protection obligations.
- Providing advice on Data Protection Impact Assessments and monitoring
- DPOs are a contact point for Data Subjects and the relevant Supervisory Authority, the Information Commissioner's Office (ICO).
The registered NHS Fife DPO is the NHS Fife Head of Information Governance and Security. Additional Information Governance and Security Officers may act as NHS Fife Deputy Data Protection Officers at the discretion of the Head of Information Governance and Security.
Information Governance and Security (IG&S) Operational Group - The Information Governance Operational Group is a management committee reporting to the Information Governance Steering Group. Its purpose is to support and drive the broader operational delivery of the Information Governance agenda and provide the Steering Group with the assurance that effective Information Governance best practice mechanisms are in place within the organisation.
Information Governance and Security (IG&S) Steering Group - The Information Governance Steering Group is a standing committee chaired by the Senior Information Risk Officer and reports direct to the Clinical Governance Committee via the Executive Directors’ Group. This allows assurance on IG&S matters to be provided to the Clinical Governance Committee, with a route of escalation to NHS Fife’s Board.
Information Governance and Security Assurance Manager - The NHS Fife Information Governance and Security Assurance Manager leads and develops Information Governance and Security for both national and local frameworks ensuring IG&S best practice and Data Quality Assurance.
Information Security Manager - The Information Security Manager provides technical expertise on the security of Information systems and equipment. This includes internal or external access to NHS Fife data, systems and platforms.
Corporate Records Manager - The Corporate Records Manager is responsible for the governance, safeguarding and delivery of information held by NHS Fife and manages physical and digital record holdings in line with relevant legislation, defines clear policies for use of related systems, and ensures business continuity.
Health Records Manager - The Health Records Manager is responsible for the governance, safeguarding and delivery of clinical health information (Acute sector) held by NHS Fife and manages physical and digital record holdings in line with relevant legislation, defines clear policies for use of related systems, and ensures business continuity.
Information Governance and Security Team - The Information Governance Team conducts Information Governance and Security Risk Assessments and provides advice and guidance on compliance with current data protection legislation as well as associated information governance regulatory requirements, policies and guidelines.
NHS Fife Staff - All staff have a responsibility to ensure that they comply with the principles of data protection and Caldicott. This must be done by adhering to Information Governance and Information Security policies.
11.0 Information Assets
11.1 Regulations require NHS Boards to identify key information assets and to record this in an Information Asset Register (IAR). Impact on information assets must be assessed in terms of confidentiality, integrity and availability. This is the responsibility of the Information Security Manager.
11.2 Information Asset Owners are senior members of staff whose business areas use one or more registered information asset. Their role is to understand what information is held, what is added, what is removed, how information is moved, who has access and why. As a result, they are able to understand and address risks to the information and ensure that it is fully used within the law for the public good.
12.0 Resource Implications
There are no resource implications.
13.0 Communications Plan
This policy will be managed through the corporate policies published internally and externally and will be announced through regular staff briefings.
14.0 Quality Improvement – Monitoring and Review
This policy and compliance will be reviewed at regular intervals by NHS Fife Information Governance and Security.
15.0 Equality and Diversity Impact Assessment
This policy aligns with NHS Fife’s Equality, Diversity and Inclusion Policy.
- DL (2015) 17 - Information Governance and Security Improvement Measures
- Data Protection Act 2018
- General Data Protection Regulation
- Human Rights Act 1998
- Computer Misuse Act (1990)
- Access to Health Records Act (1990)
- Freedom of Information (Scotland) Act 2002
- Public Records (Scotland) Act 2011
- NHS Code of Practice on Protecting Patient Confidentiality
- NHS Fife Information Security Handbook
- Caldicott Report (1997)
- General Medical Council Code of Practice
- Nursing & Midwifery Council Code of Practice
- ICO Privacy Impact Assessments Code of Practice https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf
- ICO Information Sharing Code of Practice https://ico.org.uk/media/for-organisations/documents/1068/data_sharing_code_of_practice.pdf
- ICO Subject Access Code of Practice
- ICO Employment Practices Codes of Practice https://ico.org.uk/media/for-organisations/documents/1064/the_employment_practices_code.pdf
- ICO Anonymisation Code of Practice https://ico.org.uk/media/1061/anonymisation-code.pdf
- ICO Personal Information Online Code of Practice https://ico.org.uk/media/for-organisations/documents/1591/personal_information_online_cop.pdf
- IS Toolkit: instructions and templates http://www.informationgovernance.scot.nhs.uk/is-toolkit/
- NHSS Information Security Policy Framework http://www.informationgovernance.scot.nhs.uk/isframework/
- Public Benefit and Privacy Panel templates and instructions http://www.informationgovernance.scot.nhs.uk/pbpphsc/
- GPD3 Appendix 1a - NHS Fife Confidentiality Statement – Employees
- GPD3 Appendix 1b - NHS Fife Confidentiality Statement – Contractors
- GPD3 Appendix 2 - NHS Fife Information Governance structure, roles & responsibilities
- GPD3 Appendix 3a - Obtaining corporate approval to access, use or process NHS Fife personal or confidential data
- GPD3 Appendix 3b (i) Tier 0 - Caldicott Application Form (for Research / Academic studies)
- GPD3 Appendix 3b (ii) - Guidance for Tier 0 Applicants
- GPD3 Appendix 3b (iii) - Tier 0 Single Board Application Review Record
- GPD3 Appendix 3b (iv) - Tier 0 Guidance for Reviewers
- GPD3 Appendix 3c - Data Protection Impact Assessment template
- GPD3 Appendix 3d(i) - Caldicott form (Academic)
- GPD3 Appendix 3d(ii) - Caldicott form
- GPD3 Appendix 4 - NHS Fife IG & Security training plan
- GPD3 Appendix 5 - NHS Fife online Data Protection Notice
- GPD3 Appendix 5b - Data Protection Notice for Staff
- GPD3 Appendix 6 - Registration of Information Assets (IA)
- GPD3 EQIA Form
- GPD3 List of who was consulted
- The NHS Scotland Complaints Handling Procedure (Updated Aug 17)
- GP/A4 - Acceptable Use Policy
- GP/C10 - Clear Desk Clear Screen Policy
- GP/D6 - Data Encryption Policy
- GP/H6 - eHealth Equipment Home Working Policy
- GP/S8 - eHealth Incident Management Policy
- GP/I4 - eHealth Procurement Policy
- GP/B2 - eHealth Remote Access Policy
- GP/E6 - Email Policy
- GP/D1 - Fife Wide Decommissioning of Fife Premises Policy
- GP/R9 - Health Records
- GP/R8 - Health Records Retention and Destruction
- GP/I5 - Information Security Policy
- GP/I3 - Internet Policy
- GP/I6 - IT Change Management Policy
- GP/V2 - IT Virus Protection Policy
- GP/I1 - Management of Intellectual Property Policy
- GP/R4 - Management, Retention, Storage and Destruction of all Business and Administrative Information and Records
- GP/M4 - Media Handling Policy
- GP/M5 - Mobile Device Management Policy
- GP/E7 - Non NHS Fife Equipment
- GP/O2 - Online Communications
- GP/P2 - Password Policy
- GP/R3 - Research Fraud and Misconduct
- GP/R7 - Risk Register and Risk Assessment
- GP/V3 - Volunteering Policy
- GP/W1 - Waste Management
- GP/W4 - Window Management