Post on 19-Dec-2015
Confidentiality Breaches
• Accessing records you have no legitimate reason to see, for example your own, your relatives' and friends' health records, even with their consent (unless it is within your job role to deal with such requests)
• Displaying or leaving records open, unattended or insecure
• Giving out information over the telephone, by fax or email to inappropriate people
• Holding conversations about individuals where others are likely to overhear
Reporting and Accountability
The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals
The Information Commissioner governs the provisions of the Data Protection Act 1998 and the Freedom of Information Act 2000. The ICO has the power to serve monetary penalties of up to £500,000 on data controllers (such as Barts Health)
Potential Penalties
• Penalty fines issued for:
  Brighton and Sussex University Hospitals NHS Trust: 10,000s of highly sensitive personal patient and staff records found on hard drives bought off the Internet in Autumn 2010 - £325,000
  Belfast Health and Social Care Trust: serious breach of 1000s of patients’ and staff’s sensitive personal data being compromised. Failure to report the incident to the ICO - £225,000
  Stockport Primary Care Trust: new purchaser found 1000 highly sensitive records regarding 200 patients left in a decommissioned NHS building - £100,000
• Deliberate actions – staff disciplined
• Loss of patient trust and public confidence
Information Governance Incident and Risk Reporting
• Please immediately report Information Governance incidents to your Line Manager/senior person on duty and the Information Governance Team, and enter the incident on Datix.
• If you identify an Information Governance risk please discuss this with your Line Manager and risk assess if appropriate.
Senior Information Risk Owner (SIRO)
Barts Health NHS Trust SIRO: Ian Walker, Director of Corporate Affairs and Trust Secretary
• Oversees all aspects of Information Governance, promoting a culture that fosters good values in protecting and using information
• Reviews and agrees action plans in respect of identified information risks
• Ensures that the Trust’s approach to information risk is effective in terms of resource, commitment and execution and that this is communicated to all staff
• Provides a focal point for the resolution and/or discussion of information risk issues
• Ensures the Board is adequately briefed on information risk issues
Caldicott Confidentiality Guidelines
1. Justify the purpose of
2. Only use it when absolutely necessary
3. Use the minimum required
4. Allow access only on a strict need-to-know basis
5. Understand your responsibility
6. Understand and comply with the law
7. The duty to share may be as important as the duty to protect confidentiality (NEW)
Caldicott Guardian and Confidentiality
Barts Health NHS Trust Caldicott Guardian: Dr Steve Ryan, Medical Director
• Responsible for protecting the confidentiality of patient and service user information
• Enabling appropriate information sharing
• Ensuring high standards when handling patient identifiable information
Data Protection Act 1998
Legal obligations
• Inform people how we use information
• Comply with individuals' rights – Subject Access
• How data is used and shared
Practical obligations
• Accurate
• Up to date
• Not kept longer than necessary
• Keep secure
Data Protection Act 1998
“Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes”
What is your justification or reason for using personal data?
Where are you getting the data from? Have you sought informed consent?
Freedom of Information Act 2000
Freedom of Information (FoI) requests:
• Can be made to any member of staff; all staff have a legal duty to assist individuals to obtain information
• Can require the release of emails
• Do not need to refer to or mention the FoI Act
• Must be made in writing giving a name and address
The Trust must respond within 20 working days
If you receive an FoI request, please immediately contact the FOI Coordinator
Information Security Issues
• Data disclosed to the wrong people: Check entitlement and identity. If unsure, neither confirm nor deny, and take the caller's contact details
• Staff accessing data about their relatives, colleagues or friends: There must be a work-related justification
• Data/files/equipment not disposed of correctly: Follow the Records Retention and Disposal Policy
• Information Governance spot checks
• Unauthorised access to confidential data: Lock unattended computers and keep passwords private
• Personal Identifiable Data (PID) discovered on personal devices (home PC or mobile phone): Only use Trust encrypted laptops, VPN or USB drives for opening or storing patient data
ICT Related Information Security Issues
Risks of Transferring Information
• Loss of data/files/equipment while travelling between sites: Keep information on your person within a marked envelope in an inconspicuous and secure bag. Transport information by secure email, courier, Safe Haven FAX, post or internal mail
• Emails/faxed documents sent to the wrong place: Send securely, minimise, password protect, encrypt and check recipient details. Use email rather than fax, and Secure File Transfer
Records Management
Ensure that records are:
• Clearly titled and given logical names
• Stored in secure structured manual or electronic central filing systems
• Secured and easy to locate (tracked)
The Trust’s Records Retention and Disposal Policy provides record management guidance and states the length of time records must be kept.
The Corporate Records Team can advise on general record management issues.
The Trust’s Corporate Records Centre provides storage for some types of corporate/administrative records.
Further Information
• Information Governance Code of Conduct
• Information Governance Email Guidance
• Barts Health Intranet Sites:
  • Information Governance
  • Records Management
  • Freedom of Information Act
Your Information Governance Team
Information Governance
Matthew Hall – Information Governance Manager
Martyn Steers – Deputy Information Governance Manager
James Cook – Information Governance Officer
Corporate Records
Daniel Scott-Davies – Corporate Records Manager
Laura Hynds – Assistant Corporate Records Manager
Pam Wood – Freedom of Information Coordinator