Data Protection Coordinator
Head of Information Services
Director of Finance
01 August 2009
01 August 2013
01 August 2016


1.1       To provide general guidance to staff when dealing with Police Scotland enquiries.


2.1       Throughout NHS Fife.


3.1      This procedure applies to all staff and contractors working for NHS Fife. It is offered as advice to independent GP, Dental, Pharmacy and Optometry Contractors. It is acknowledged that the accountability arrangements of these independent contractors differ from those of NHS Fife employees, and  therefore this Policy is to be seen as good practice guidance and used in conjunction with the requirements of their own professional body.


In line with the Scottish Accord on the Sharing of Personal Information (SASPI) NHS Fife  staff are required to share information in a manner which satisfies both legal and professional  obligations and the legitimate expectations of service users. Where information is shared in good faith and in accordance with procedure, staff can expect to be fully supported by the Organisation. Staff are also reminded to consult NHS Fife Confidentiality Policy.
The usual way police request information from NHS Fife staff is in person or by telephone. Staff must therefore:
  • check the identity of the person making the request. If there is any doubt, telephone the Police Scotland (tel: 101)
  • be clear about what is being requested
  • ascertain the reason for the request and be satisfied that the police have a legitimate reason to obtain the information. 
 Where staff are in any doubt about the release of the information, they should discuss the matter with colleagues and/or senior staff, thus ensuring that information being released (or withheld) is in accordance with the Caldicott Principles. Where a response is required urgently and out of hours, the Executive on Call may be reached via the switchboard.
Caldicott Principles –                                                                   Implications for Staff

Justify the purpose
The information requested should be proportionate to reason for request
Only use person identifiable information where absolutely necessary
Patient identifiable information should not be included unless essential for purpose.
Use the minimum necessary person identifiable information at all times
Individual items of information should be considered and justified so that the minimum amount necessary is released.
Access to person identifiable information must be on a strict need to know basis
Staff must only access person identifiable information needed to do their job
Staff accessing patient identifiable information must be aware of their responsibilities
  • only access information on a need-to-know basis
  • ensure physical safety of records and equipment
  • log out of systems when interrupted or finished
  • never share passwords
  • send information securely (person to person, email, phone, letters etc)
  • destroy confidential information appropriately by shredding or in confidential waste.
Understand and comply with the law
Every use of person identifiable information must be lawful

 Where there is a risk of harm to patients, staff, any other individual or a threat to public safety, staff are expected to share information with the Police. If you are in any doubt, you must make your concerns known to and discuss with senior colleagues. Where a patient is subject to Multi Agency Public Protection Arrangements, please see Appendix 2.
The flowchart Appendix 1 overleaf describes how information may be shared where staff suspect a patient has been involved in a crime.
Most information will be exchanged verbally, but very occasionally the police will present a  written request to disclose personal information. In this event, while it is not mandatory that  information be released, there must be significant, justifiable reasons for withholding. Staff are therefore expected to seek the advice of their line manager and file a copy of the request  (or enter details of a verbal request) in the patient’s notes along with details of information  disclosed or withheld, the justification for disclosure or withholding and the names of those  involved in reaching the decision. The entry must be dated and signed, and name printed.  


This procedure is an integral part of NHS Fife’s system for managing risk as described in NHS Fife Risk Register & Risk Assessment Policy GP/R7.


            NHS Fife Data Protection Policy GP/D3
            NHS Fife Confidentiality Policy GP/C9
            SASPI Accord Agreement




            Data Protection Act (1998) http://www.opsi.gov.uk/ACTS/acts1998/19980029.htm
            Human Rights Act (1998) http://www.opsi.gov.uk/ACTS/acts1998/19980042.htm
            Common Law of Confidentiality http://www.sehd.scot.nhs.uk/publications/ppcr/ppcr-03.htm
            NHS Scotland, Information Governance Standards, December 2005 http://www.igrep.scot.nhs.uk/IG_Standards_FINAL_22122005.pdf
           NHS Code of Practice on Protecting Patient Confidentiality. Available from: http://www.confidentiality.scot.nhs.uk/publications/6074NHSCode.pdf