Information & eHealth (IT)
DATA PROTECTION AND CONFIDENTIALITY POLICY
| Field | Value |
|---|---|
| Policy Manual/System | General Policy |
| Author | Data Protection Officer |
| Version No | 5 |
| Reviewer | eHealth Security Manager; IG Advisor; IG&S Group |
| Implementation Date | 01/07/2012 |
| Signed By | Senior Information Risk Owner (SIRO) |
| Last Review Date | |
| Next Review Date | |
The aim of this Policy is to ensure that NHS Fife complies with Data Protection legislation, such as the GDPR, the UK Data Protection Act 2018, the Network and Information Systems Regulations 2018 (NIS) and other guidelines designed to protect the privacy and confidentiality of patients, staff and other members of the public.
This policy aims to clarify the principles that govern all uses (any processing) of NHS Fife information assets, in particular (but not exclusively) patient identifiable and confidential information and to ensure that certain practices are adhered to.
NHS Fife expects the provisions of this policy to lay the foundation for the NHS Fife ISMS (Information Security Management System) and the alignment to the International Standard ISO 27001 as required by the NHSS Information Governance and Security Framework (DL (2015) 17).
For further information on the NHS Fife ISMS, refer to the NHS Fife Information Security Manual available on the Intranet at NHS Fife Information Security Staff Handbook.
1.2 Statutory Requirements
There are legal and ethical requirements for NHS Fife to protect identifiable and confidential information processed by or on behalf of NHS Fife. This includes any technical and organisational security measures required to preserve the confidentiality, integrity and availability of the information on which its operations depend.
This requirement is reflected in the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679); the Data Protection Act 2018; the Caldicott 2 report, March 2013 (previously Caldicott, 1997); the ICO guidelines; and the most recent NHSScotland Information Security Policy Framework 2015/17 (The Scottish Government 2015).
‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;’
The GDPR seeks to strike a balance between the privacy rights of the individual whose information is being used (known as the data subject) and the sometimes competing interests of those with legitimate reasons for using personal information.
The legislation gives people rights regarding information held about them and places obligations on those who process the data.
The Data Protection Principles are:
Personal information must be:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate and, where necessary, kept up to date
- Retained only for as long as necessary
- Processed in an appropriate manner to maintain security
- The Data Controller must be responsible for and be able to demonstrate
‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;’
This policy is applicable to all staff, contractors, partner agencies, students and volunteers working within NHS Fife or processing data on behalf of NHS Fife, on NHS Fife premises or elsewhere.
This policy applies to all personal or confidential information processed in the course of the provision of NHS Fife services and the fulfilment of its functions, irrespective of its nature (health and non-health related), how it is held or who is processing the data.
It is the responsibility of all staff, contractors, partner agencies, students and volunteers processing data on behalf of NHS Fife to comply with this policy.
Acknowledgement of this obligation is recorded in:
- employment contracts;
- confidentiality statements (see Appendices 1a and 1b) and contractual documentation with third parties (e.g. information sharing agreements, data processor contracts, service level agreements, etc.).
The NHS Fife SIRO (Senior Information Risk Owner) has the Corporate accountability for the application of this policy supported by the Information Governance structure explained in Appendix 2. The following roles and responsibilities are described in Appendix 2:
- Chief Executive and Executive Directors Group (EDG)
- Senior Information Risk Owner (SIRO)
- Caldicott Guardians
- Information Governance and Security Group
- Data Protection Officer
- Information Security Manager
- Information Governance Advisor
- eHealth Board
- Information Asset Owners and Data Custodians
- Records Managers
- Subject Access Request (SAR) handlers
- Patient Relations
- Information Services
- Legal Services Department
- Auditors (Internal and External)
- Line Managers
- General Manager - eHealth & IMT
- Everyone processing information and data
- Coordinators of information systems or data sharing projects (e.g. project managers, systems administrators, change managers)
4 OPERATIONAL SYSTEM
The NHS holds large amounts of confidential information, most of which relates to and identifies patients and employees of the service. This information should be treated with respect to ensure confidentiality, integrity and availability of the information, so it is accessible when and where needed by those with a legitimate need for it.
4.1 Obtaining corporate approval to access or use personal or confidential data
When data is processed by or on behalf of NHS Fife in a new way, approval is required before processing begins. This also applies when significant changes are made to previously approved processes.
Processing of data is defined in the Data Protection Act, as detailed in Section 1.2 above.
Refer to Appendix 3a for details on the specific forms and process for obtaining corporate approval to access or use personal or confidential data. Examples of these are:
- Introduction of new IT systems (or changes in systems);
- A different method of processing – paper to electronic;
- Audits using person identifiable information;
- Health care planning and forecast collating new categories of data;
- Any situation where personal identifiable information is being processed in a new or different way;
A summary of where to find the Procedures is detailed in Appendix 3a.
4.2 Sharing information
By sharing information (or “data sharing”) we mean:
- the disclosure of data from one or more organisations to a third party organisation or organisations
- the sharing of data between significantly different parts of an organisation that may have different primary purposes.
Data sharing can take the form of:
- a reciprocal exchange of data;
- one or more organisations providing data to a third party or parties;
- several organisations pooling information and making it available to each other;
- several organisations pooling information and making it available to a third party or parties;
- significantly different parts of the same organisation making data available to each other – the “difference” must be established in terms of the original purpose for which the data was initially collected and the level of compatibility between those purposes.
- third parties or subcontractor processing data on behalf of NHS Fife, in which cases a “Data Processor Agreement” (DP Agreement) or equivalent clauses must be added to the commercial written contract or SLA (Service Level Agreement). (This includes software providers who will have access to the data for maintenance of the software.) For this purpose, contact the Data Protection Office for advice and support with the specific data processor clauses.
When there is a need for systematic sharing of NHS Fife data with other parties outwith NHS Fife, it must be done in compliance with the NHS Scotland Information Governance Toolkit. Templates and guidelines are available at http://www.informationgovernance.scot.nhs.uk/is-toolkit/. The Information Sharing Toolkit replaces any previous version of the SASPI (Scottish Accord for the Sharing of Personal Information) and is mandatory for NHS organisations in Scotland. Information Sharing Agreements (ISA) must be coordinated by the NHS Fife Data Protection Office.
Data that does not explicitly identify individuals (e.g. statistical, fully anonymised, aggregated data) may be shared without the need for a formal ISA (Information Sharing Agreement); however, it may still require Data Protection approval, especially if it is classified as personal or confidential or could potentially become identifiable personal data at a later stage.
Exceptional, one-off disclosures of data in unexpected or emergency situations do not require an ISA, but still require an adequate level of approval. In life/death situations approval must be assumed. Other unexpected situations may require decisions based on professional judgement. For this purpose, staff must be trained in accordance with the level of Information Governance decisions expected from them. Refer to the section ‘Empowering and training people who process NHS Data’ (Appendix 4) for further details. Deciding upon one-off disclosures requires knowledge and understanding of the regulations and specific legal exceptions applicable, but also of the need to minimise unwarranted distress for the individual whose data is shared. In situations where there are serious doubts about the need to disclose data urgently, or there are concerns about significant unwarranted distress, the recommendation is to escalate and seek expert advice from line managers or the Data Protection Office; some scenarios have their own specific guidelines, for example as explained in Procedure GP/D3-14 for sharing information with Police.
4.3 Managing information as a valuable and confidential Corporate Asset
The NIS Regulations and GDPR require NHS Boards to identify key information assets and their owners and record this in a high-level Information Asset Register (IAR). Impact on information assets needs to be assessed in terms of confidentiality, integrity and availability as described in Section 5 below.
The SIRO has the ultimate responsibility for the Information Asset Register (IAR) assisted by the Information Asset Owners and the Data Protection Office.
An “Information Asset” is a defined valuable set of information for NHS Fife that can be understood, shared, protected and exploited effectively independently from other sets of information (e.g. a new database or a new collection of data in paper forms or spreadsheets).
Any information that is organised enough to be found by search criteria (e.g. organised by date, name, location or CHI number, etc.) other than flicking through electronic or paper pages is considered a “structured information asset” and is therefore an Information Asset.
Information assets have recognisable and manageable value, risk, content and lifecycles.
For NHS Fife, Information Assets can take the form of information systems, datasets, databases, groups of key information related to a particular matter (e.g. a project, service or initiative) regardless of the format used to collect or record the information (e.g. paper, electronic, sound, film etc.).
New Information Assets must be registered and protected as part of the NHS Fife ISMS (Information Security Management System), in accordance with the eHealth change and configuration management processes. All Information Assets must have an identified Information Asset Owner.
An Information Asset Owner (IAO) is an individual responsible for ensuring that the risks to and the opportunities for using the asset are monitored and mitigated where necessary. The IAO must understand the value of the asset to the organisation.
Collecting and processing data using manual, electronic or combined information systems requires approval from the SIRO, advised by the Data Protection Officer, the Information Asset Owner and a Caldicott Guardian. All information systems and datasets must be registered with the Data Protection Office (see Appendix 6). The Information Asset Register must be kept up to date with changes in information systems and data sets that may affect the confidentiality, integrity or availability of the information, including moving or transferring data storage from one system to another with different levels of risk.
4.4 Security of the information: organisational and technical security measures
Appropriate technical and organisational security measures shall be taken against unauthorised or unlawful processing of personal and confidential data and against accidental loss or destruction of, or damage to such data.
NHS Fife is required (NHSScotland Information Security Policy Framework) to establish, implement, maintain and continually improve an Information Security Management System (ISMS) based on circular improvement cycles to improve information governance and security.
Information Assets must have appropriate security measures based on a risk assessment approach.
NHS Fife will preserve the right to monitor the use of Information Assets by using a variety of means.
The functions and responsibilities of the key elements of the NHS Information Governance and Security structure are described in Appendix 2. Further details are available in the corresponding role and remit of the relevant groups.
Effective IG practice is a feature of high quality health services in the NHS. Ensuring that information is obtained, held, used and shared securely and appropriately underpins professional and patient confidence in services. Almost all staff working within the NHS have access to sensitive data of various types and therefore have a role in information governance. Line managers are responsible for ensuring staff handling personal or confidential information are reliable and well trained. The training requirement on IG matters is explained in Appendix 4 (Empowering and training people who process NHS Data). This plan is monitored and reviewed at IG&SG (Information Governance and Security Group) on a regular basis.
Information must not be retained beyond need in line with the NHS Scotland Records Management Code of Practice and the corresponding NHS Fife records management policies.
- Management, Retention, Storage and Destruction of all Business and Administrative Information and Records (Policies)
- Health Records Retention and Destruction (Policies)
The disposal of information and supporting media must follow NHS Fife information security policies.
Information must not be transferred outwith the EU without adequate protection. Approval should be sought from the Data Protection Office prior to sending the data (e.g. by email, by post, by storing or passing data via websites hosted outside the EU, etc.). In life or death situations the data must be sent using the safest means available with no delays followed by an immediate notification to the Data Protection Office.
4.5 Fairness and transparency (Fair Processing and Data Protection Notices)
Processing personal and confidential NHS Fife data must above all else be fair as well as compliant with regulations. Fairness requires NHS Fife to be transparent, clear and open with individuals about how their information will be used. NHS Fife provides this information in different ways, including:
- National and local NHS leaflets available via GPs, Dental Practices, NHS Hospitals and services; alternatively they can be downloaded from http://www.nhsinform.co.uk and the NHS Fife website. The main leaflets and factsheets available are:
  - How to see your health records (NHS Inform)
  - NHS Fife online Data Protection Notice (NHSFife.org.uk website) (Appendix 5a)
  - NHS Fife - Accessing Records - Data Protection Notice
- Offering specific Data Protection notices for specific projects, services and collectives as appropriate.
- NHS Fife Data Protection Notice for Staff (Appendix 5b).
Data Protection notices must be meaningful and effective and must comply with the ICO Data Protection Notices code of practice (https://ico.org.uk/about-the-ico/privacy-notices-transparency-and-control/). The Data Protection Office will provide advice in this regard.
All Data Protection notices, regardless of the format (leaflets, websites, professional guidelines for verbal information, etc.), must be registered with and approved by the Data Protection Office.
5 INFORMATION RISKS AND INCIDENT MANAGEMENT
Managing information risk is a core responsibility of the SIRO (Senior Information Risk Owner) by delegation from the Chief Executive Officer.
NHS Fife Information Assets must have an up to date Data Protection Impact Assessment (DPIA). Data Protection Impact Assessments must be conducted by those service or project managers looking for new ways of handling personal or confidential Information. The assessment must follow the ICO privacy impact assessments code of practice and must be reviewed and approved by the Data Protection Officer. (See Appendix 6).
During the assessment, the DPIA, a risk assessment and an information security questionnaire (for external suppliers) must be completed before procurement of the IT system.
- The business context must be fully understood prior to assessment.
- Risk owners and asset owners must be identified.
- Plausible worst case scenarios and business impact must be understood and documented.
- Vulnerabilities and likelihood must be assessed.
- As part of the approval process a risk assessment will be carried out.
- Analysed risks must be prioritised and summarised into a format that can be easily understood, for risk owners to agree subsequent risk treatment.
NHS Fife shall perform information security risk assessments at planned intervals, when significant changes are proposed, or where recommended in the wake of significant information security incidents. Such assessments can be at corporate level, departmental level, or project or service specific level. It is the role of the Information Security Manager to facilitate the coordination of these assessments. It is the responsibility of the SIRO to ensure active collaboration is provided for this purpose by service managers, Information Asset Owners, Project Managers, eHealth specialists, engineers and any other relevant parties involved in the delivery of manual or electronic information systems.
Reporting information incidents and risks
Incidents related to NHS Fife information and its security (e.g. data loss, unauthorised disclosure of data, breach of confidentiality, unsafe or unreliable IT systems, etc.) will be reported using the NHS Fife corporate incident management system (DATIX).
- If the situation requires eHealth support for fixing or investigating the issue, a service request should also be logged with the eHealth Service Desk for that purpose. The Data Protection Office will regularly monitor information incidents and risks and will report to the IG&S Group accordingly, which in turn informs the Clinical Governance Committee and the Executive Directors Group.
- Information incidents with high impact to the data subject (e.g. patient or staff) or NHS Fife (e.g. reputational damage) (for example - patient or staff personal information being unlawfully disclosed outwith NHS Fife) must be reported within 24 hours and escalated to the SIRO via the Data Protection Office. The incident should be recorded on DATIX at the earliest opportunity and the DPO should be contacted by phone when possible to avoid delays in the escalation process.
- Data protection breaches with high impact must be reported to the supervisory authorities within 72 hours of awareness. Because of this, the incident reporter must contact the DPO by phone immediately and complete a DATIX incident report at the earliest opportunity within the first 24 hours, whether or not all details are available. Further details can follow as the investigation progresses.
- All staff directly involved in information governance incidents and their line managers must provide evidence in DATIX of the most recent IG training undertaken, as this information will be required by the supervisory authorities in the event of an investigation or a future audit. The need for this evidence is also a new requirement under GDPR. Details of training requirements are available in Appendix 4.
6 RELATED DOCUMENTS
- Appendix 1(a) - NHS Fife Confidentiality Statement – Employees
- Appendix 1(b) - NHS Fife Confidentiality Statement - Contractors
- Appendix 2 - NHS Fife Information Governance structure, roles & responsibilities
- Appendix 3a - Obtaining corporate approval to access, use or process NHS Fife personal or confidential data
- Appendix 3b(i) - Tier 0 Caldicott Application Form (for Research / Academic studies)
- Appendix 3b(ii) - Guidance for Tier 0 Applicants
- Appendix 3b(iii) - Tier 0 Single Board Application Review Record
- Appendix 3b(iv) - Tier 0 Guidance for Reviewers
- Appendix 3c - Data Protection Impact Assessment template
- Appendix 4 - NHS Fife IG & Security training plan
- Appendix 5 - NHS Fife online Data Protection Notice
- Appendix 6 - Registration of Information Assets (IA)
- DL (2015) 17 - Information Governance and Security Improvement Measures
- Data Protection Act 2018
- General Data Protection Regulation
- Human Rights Act 1998
- Computer Misuse Act (1990)
- Access to Health Records Act (1990)
- Freedom of Information (Scotland) Act 2002
- Public Records (Scotland) Act 2011
- NHS Code of Practice on Protecting Patient Confidentiality
- NHS Fife Information Security Handbook
- Caldicott Report (1997)
- General Medical Council Code of Practice
- Nursing & Midwifery Council Code of Practice
- ICO Privacy Impact Assessments Code of Practice https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf
- ICO Information Sharing Code of Practice https://ico.org.uk/media/for-organisations/documents/1068/data_sharing_code_of_practice.pdf
- ICO Subject Access Code of Practice
- ICO Employment Practices Codes of Practice https://ico.org.uk/media/for-organisations/documents/1064/the_employment_practices_code.pdf
- ICO Anonymisation Code of Practice https://ico.org.uk/media/1061/anonymisation-code.pdf
- ICO Personal Information Online Code of Practice https://ico.org.uk/media/for-organisations/documents/1591/personal_information_online_cop.pdf
- IS Toolkit: instructions and templates http://www.informationgovernance.scot.nhs.uk/is-toolkit/.
- NHSS Information Security Policy Framework http://www.informationgovernance.scot.nhs.uk/isframework/
- Public Benefit and Privacy Panel templates and instructions http://www.informationgovernance.scot.nhs.uk/pbpphsc/
- GP/A4 - Acceptable Use Policy
- GP/D3-2 - Access Controls for Information Systems
- GP/C10 - Clear Desk Clear Screen Policy
- GP/D6 - Data Encryption Policy
- GP/H6 - eHealth Equipment Home Working Policy
- GP/S8 - eHealth Incident Management Policy
- GP/I4 - eHealth Procurement Policy
- GP/B2 - eHealth Remote Access Policy
- GP/E6 - Email Policy
- GP/D1 - Fife Wide Decommissioning of Fife Premises Policy
- GP/D3-7 - Good Practice Guide - Using Office Equipment & Machinery
- GP/D3-14 - Guidance for staff on information sharing with police
- GP/R9 - Health Records
- GP/R8 - Health Records Retention and Destruction
- GP/I5 - Information Security Policy
- GP/I3 - Internet Policy
- GP/I6 - IT Change Management Policy
- GP/V2 - IT Virus Protection Policy
- GP/I1 - Management of Intellectual Property Policy
- GP/R4 - Management, Retention, Storage and Destruction of all Business and Administrative Information and Records
- GP/M4 - Media Handling Policy
- GP/M5 - Mobile Device Management Policy
- GP/E7 - Non NHS Fife Equipment
- GP/O2 - Online Communications
- GP/P2 - Password Policy
- GP/C9-6 - Procedure for Use and Transfer of Data via Removable Device
- GP/R3 - Research Fraud and Misconduct
- GP/R7 - Risk Register and Risk Assessment
- GP/D3-12 - Subject Access to Health Records
- GP/D3-11 - Supplier Relationships Procedure
- GP/D3-13 - System Access Provisioning Procedure
- GP/V3 - Volunteering Policy
- GP/W1 - Waste Management
- GP/W4 - Window Management