Introduction
NHS East Midlands has a legal obligation to comply with all appropriate legislation in respect of Data, Information and IT Security. It also has a duty to comply with guidance issued by the Department of Health, the Information Commissioner, other advisory groups to the NHS and guidance issued by professional bodies.
Penalties could be imposed upon NHS East Midlands, and/or employees for non-compliance with relevant legislation and NHS guidance.
Aim
This Data Protection Policy details how NHS East Midlands will meet its legal obligations and NHS requirements concerning confidentiality and information security standards. The requirements within the Policy are primarily based upon the Data Protection Act 1998 as that is the key piece of legislation covering security and confidentiality of personal information.
Legislation
For the purpose of this Policy other relevant legislation and appropriate guidance may be referenced. The legislation listed below also refers to issues of security and/or confidentiality of personal identifiable information/data:
- Data Protection Act 1998
- Access to Health Records 1990
- Access to Medical Reports Act 1988
- Human Rights Act 1998
- Freedom of Information Act 2000
- Regulation of Investigatory Powers Act 2000
- Crime and Disorder Act 1998
- Computer Misuse Act 1990
- Criminal Justice and Immigration Act 2008
NHS & Related Guidance
The following are the main publications referring to security and/or confidentiality of personal identifiable information/data (see section A for more information):
- Confidentiality: NHS Code of Practice
- Records Management: NHS Code of Practice
- Information Security: NHS Code of Practice
- Employee Code of Practice (Information Commissioner)
Responsibilities
The Chief Executive Officer has overall responsibility for the Data Protection Policy within NHS East Midlands. The implementation of, and compliance with, this Policy is delegated to the Data Controller and the Data Protection Lead. The Data Protection Lead will report to the Information Governance Steering Group who will have responsibility for bringing data protection issues to NHS East Midlands Executive Board.
The Data Protection Lead role includes:
- Maintaining registrations
- Facilitating training sessions
- Dealing with subject access requests
- Acting as initial point of contact for any data protection issues which may arise within NHS East Midlands
- Being an active member of the Information Governance Steering Group
- Providing reports to the NHS East Midlands Executive Team as required
- Auditing data protection compliance
- Facilitating action in areas identified as being non-compliant
- Assisting with complaints concerning data protection breaches
- Acting as the interface between data protection and freedom of information
This Policy will be reviewed annually, or more frequently if appropriate, to take into account changes to legislation that may occur, and/or guidance from the Department of Health, the Information Commissioner or any relevant case law.
The day-to-day responsibilities for enforcing this Policy will be devolved to application/system managers and other nominated personnel. In order to fulfil their roles, the Data Protection Lead in conjunction with the Data Controller will ensure that regular training is provided to remind these personnel of these responsibilities and of the most effective way of ensuring adequate information security and confidentiality.
Security & Confidentiality
All information relating to identifiable individuals, and any information that may be deemed sensitive, must be kept secure at all times. NHS East Midlands will ensure there are adequate policies and procedures in place to protect against unauthorised processing of information and against accidental loss, destruction of and damage to this information.
Database Management
NHS East Midlands Data Protection Lead will ensure that all databases that require registration are registered in accordance with the Act’s requirements and these registrations are reviewed on a regular basis. Each computer system/database will have a designated manager. A list of these nominated personnel will be maintained by the Data Protection Lead.
For the purposes of this policy the term “Database” refers to a structured collection of records or data held electronically which contains person identifiable information. In the event that further guidance is needed in respect to what constitutes a database please contact the Data Protection Lead.
Back-ups
Each application/system manager will have responsibility for ensuring there is a procedure which outlines the media, frequency and retention period for back-ups of the data and programs for the systems within their control.
Those systems which are “run” for the users by Derwent Shared Services will have their systems backed up on a regular basis as defined by the IM&T Service Level Agreement.
Disclosure of Information & Information in Transit
It is important that information about identifiable individuals (such as the general public, patients and/or staff) should only be disclosed on a strict need-to-know basis. Strict controls governing the disclosure of patient identifiable information are also a requirement of the Caldicott recommendations.
All disclosures of computer held identifiable information should be included in the relevant data protection registration document for the database the disclosure may be made from.
Some disclosures of information may occur because there is a statutory requirement upon NHS East Midlands to disclose e.g. with a Court Order, because other legislation requires disclosure (for staff to the tax office, pension agency and for patients to the Department of Health if the patient has a notifiable disease).
If person identifiable information/records need to be transported in any media such as disc, memory stick or manual paper records, this should be carried out so as to maintain strict security and confidentiality of this information. For further information on transporting, sending and receiving person identifiable information please refer to NHS East Midlands Transportation of Records and Safe Haven Procedures.
Contracts between NHS East Midlands and third parties must include an appropriate confidentiality clause that must be disseminated to the third parties' employees.
Disclosure of Information Outside the EEA
Personal data, even if it would otherwise constitute fair processing, must not, unless certain exemptions apply or protective measures are taken, be disclosed or transferred outside the European Economic Area to a country or territory which does not ensure an adequate level of protection for the rights and freedoms of data subjects.
In the event that any member of staff wishes to process personal information outside of the United Kingdom, NHS East Midlands Data Protection Lead must be consulted prior to any agreement to transfer or process information.
Training
The Data Protection Lead has overall responsibility for maintaining awareness of confidentiality and security issues for all staff. This is carried out at regular training sessions covering the following subjects:
- Personal responsibilities
- Confidentiality of personal information
- Relevant NHS EM Policies and Procedures e.g. Record Management Lifecycle Protocol
- Compliance with the Data Protection Principles
- Registration of automated databases
- Individuals' rights (access to information and compliance with the principles)
- General good practice guidelines covering security and confidentiality
- Contact information relating to who the Data Protection Lead is and how they can be contacted for all problems which may occur in the areas of security and confidentiality of personal information
- A general overview of all Information Governance components
- General common sense issues such as locking doors and avoiding gossip in open areas
- Letting all staff know about relevant policies, procedures and good practice guidance and where these can be found
- A brief overview of how the Data Protection and Freedom of Information Acts work and the differences between them
Induction
All new starters to NHS East Midlands will be given Information Governance training, to include compliance with the Data Protection Act and general IT security training, as part of the induction process. Extra training in these areas will be given to those who need it, such as application/system managers and those dealing with requests for information. A register will be maintained of all staff attendance at training sessions. Non-contract staff and those on short fixed-term contracts will also be asked to attend induction sessions. These people will include temporary and agency staff and student placements. Training should also be open to external organisations carrying out functions for NHS East Midlands, such as security guards (where they are not contracted NHS East Midlands employees).
All staff will be made aware of what could be classed as an information security incident or breach of confidentiality. They will be made aware of the process to follow and the forms to complete, so that incidents can be identified, reported, monitored and investigated.
Contracts of Employment
Staff contracts of employment are produced and monitored by NHS East Midlands Human Resources department. All contracts of employment include a data protection and general confidentiality clause. Agency and non-contract staff working on behalf of NHS EM must be subject to the same rules.
All NHS East Midlands employees will be made aware of their responsibilities in connection with the Acts mentioned in this Policy through their Statement of Terms and Conditions, and targeted training sessions carried out by application/system managers and/or other trainers/specialists.
Disciplinary
A breach of the Data Protection requirements could result in a member of staff facing disciplinary action. A copy of NHS East Midlands Disciplinary Procedure is available from the Human Resources Department.
Monitoring & Audit
This policy will be monitored by the Information Governance Steering Group on a regular basis. In addition, application of this policy will also be reviewed by Internal and External Audit.
Subject Access Requests
Current Data Protection legislation allows an individual who is the subject of personal information processed by NHS East Midlands to access their information. In the event that an individual wishes to have a copy of their information under the subject access provision of the Data Protection Act a request must be made in writing to the Data Protection Lead.
NHS East Midlands is obliged to respond to requests promptly within 40 days of a request being made for access to records containing person identifiable information. Failure to do so is a breach of the Act and could lead to a complaint to the Information Commissioner. If it is anticipated that a request will take longer than the 40-day period, NHS East Midlands will inform the applicant giving an explanation of the delay and agree a new deadline.
In addition, NHS East Midlands will charge for any subject access requests made in line with legislative guidelines.
Disclosure of Personal Information
There are Acts of Parliament that govern the disclosure of personal information. Some of these Acts make it a legal requirement to disclose and others state that information cannot be disclosed. These Acts are detailed below:
- Public Health (Control of Diseases) Act 1984 & Public Health (Infectious Diseases) Regulations 1985
- Education Act 1944 (for immunisations and vaccinations to NHS SHAs from schools)
- Births and Deaths Act 1984
- Police and Criminal Evidence Act 1984
- Human Fertilisation and Embryology (Disclosure of Information) Act 1992
- Venereal Diseases Act 1917 and Venereal Diseases Regulations of 1974 and 1992
- Abortion Act 1967
- The Adoption Act 1976
In the event that a request for disclosure is made referencing any of these Acts, the NHS East Midlands Data Protection Lead must be notified prior to any information being released.