Implementation of Security and Confidentiality in GP Practices.


Transcript of Implementation of Security and Confidentiality in GP Practices.

Page 1: Implementation of Security and Confidentiality in GP Practices.

Implementation of Security and Confidentiality in GP Practices

Page 2: Implementation of Security and Confidentiality in GP Practices.

Security and Confidentiality

Definition of Security: Means used to protect against unauthorised use of and access to information.

Definition of Confidentiality: The protection of information so that someone not authorised to access or use the information cannot do so.

Page 3: Implementation of Security and Confidentiality in GP Practices.

Security and Confidentiality

Human Rights Act (HRA) – Article 8 Right to Privacy: Confidentiality of Person Identifiable Information is a basic human right.

Common Law Duty of Confidentiality: All personal information given in confidence must be treated with the utmost confidentiality and can only be released without the consent of the person under ‘enactment’ or if it is deemed to be ‘in the wider public interest’.

All named Patient information within the NHS is subject to this definition.

Page 4: Implementation of Security and Confidentiality in GP Practices.

Legislation and Guidance

Enacted Law: The Data Protection Act 1998

NHS Guidance: The Caldicott Report; Acceptable Use Policy/Information Security Management System

Page 5: Implementation of Security and Confidentiality in GP Practices.

The Data Protection Act 1998

8 Principles: Personal data of living individuals must be:

1. Fairly and lawfully processed with consent
2. Obtained for specific and lawful purposes
3. Adequate, relevant and not excessive
4. Accurate and up to date
5. Not kept longer than necessary
6. Processed in accordance with the individual’s rights
7. Secure (technical and organisational measures)
8. Not transferred outside the EEA unless a country has adequate protection for the individual

Page 6: Implementation of Security and Confidentiality in GP Practices.

Practice DPA Requirements

The Practice creates and processes PII and must notify the Information Commissioner’s Office annually. This commits the Practice to Principle 7:

• Personal Data of living individuals must be SECURE (technical and organisational measures)

The notification must include the classes of PII and any disclosures – including the types of organisations to whom it discloses PII.

The Practice is the Data Controller of the PII it processes; the Data Protection Officer should be the Senior Partner/Clinician supported by the Practice Manager.

Page 7: Implementation of Security and Confidentiality in GP Practices.

The Caldicott Report 1997

The Caldicott Principles for managing Patient Identifiable Data in the NHS:

1. Justify the purposes for using confidential information
2. Only use it when absolutely necessary
3. Use the minimum that is required
4. Access should be on a strict need-to-know basis
5. Everyone must understand his or her responsibilities
6. Understand and comply with the law

Page 8: Implementation of Security and Confidentiality in GP Practices.

The Caldicott Report 1997 – Main recommendations

Appoint a Caldicott Guardian to:

• Map the flows of Patient Data within the Practice
• Identify PII exchanges into and out of the Practice
• Risk assess and question every flow and only allow the flows that meet genuine need
• Allow access only when there is a genuine need
• Set up Information Sharing Protocols with all organisations with whom the Practice shares data
• Develop a Practice annual improvement plan to complement the LHB plan
• Accept an audit of the process (LHB and HIW)

Page 9: Implementation of Security and Confidentiality in GP Practices.

Person Identifiable Information (PII) – A Summary

• Uses must be defined, justified and lawful
• Consent is needed to use it ‘widely’
• Only record what is necessary
• Keep it accurate and up-to-date
• Keep it secure
• Keep it confidential
• Restrict access to a ‘need to know’ basis
• Control sharing, but share where needed/justified
• Don’t keep it longer than necessary
• There is a legal right of access

Page 10: Implementation of Security and Confidentiality in GP Practices.

Acceptable Use Policy (AUP)

Acceptable Use Policy introduced to Practices in 2000 and updated in 2002.

Policies and procedures to support demonstration of Information Security.

All Practices signed a declaration stating compliance with AUP.

Page 11: Implementation of Security and Confidentiality in GP Practices.

Information Security Management System (ISMS)

Model ISMS introduced to support GMPs in 2006/7.

ISMS - Ongoing process incorporating policies, procedures and implementation of a support structure to deliver Information Security, along with regular review/audit.

Enables Practices to meet the requirements of AUP.

• ISMS includes a revision and update of AUP

Page 12: Implementation of Security and Confidentiality in GP Practices.

Roles within the Practice

Who is the Practice’s Data Protection Officer?

Who is the Caldicott Guardian within the Practice?

Who is the lead for Information Security and ISMS within the Practice?

Page 13: Implementation of Security and Confidentiality in GP Practices.

Information Security Website for GMP Staff

http://howis.wales.nhs.uk/gmsimt/is