Information Governance… · Web view: Information Governance (IG) is how we manage the use of...


Information Governance

GP Resource Guide

This guide aims to summarise key information governance legislation and policies in an easy-to-understand way, to assist you in complying with the law whilst undertaking your daily duties.

It is advised that you keep an electronic copy of this document so that you can use it as a reference tool as and when you need to.

Applicable to all Staff, including: Employees, Bank, Locum, Agency Workers & Contractors

Current version: v1, Nov 2019
Next review: Nov 2021


Contents

What is Information Governance? (p. 3)
Information Governance in the NHS (p. 3)
Types of information (p. 3)
  Personal / Person Identifiable Data (PID) (p. 3)
  Personal Confidential Data (PCD) (p. 3)
  Special Category Data (p. 4)
  Pseudonymised data (p. 4)
  Anonymous Information (p. 4)
Your Data Protection Officer (p. 5)
Key IG Roles & Responsibilities (p. 5)
IG Law & Legislation (p. 6)
Breaches of IG Law & the Role of the Information Commissioner's Office (ICO) (p. 7)
  Responsibilities of the ICO (p. 7)
  Enforcement Action (p. 7)
Data Security and Protection Toolkit (p. 7)
  DSPT Incident Reporting (serious incidents) (p. 8)
IG Policies and Procedures (p. 8)
Caldicott Principles (p. 8)
Data Protection Principles (p. 9)
Confidentiality & Best Practice (p. 10)
Hoax Calls and Spam Emails (p. 11)
Social Media (p. 11)
Instant Messaging Apps (p. 12)
Parental Responsibility (p. 12)
  Who has Parental Responsibility? (p. 12)
  What about Non-Parents? (p. 13)
  Proof of Parental Responsibility (p. 14)
  Consent from People with Parental Responsibility (p. 14)
  Other considerations for Children's rights (p. 14)
Legal basis (p. 14)
  Article 6 (p. 14)
  Article 9 (p. 15)
  What Legal Basis you need to use (p. 15)
  Other Legal Bases (p. 15)
The National Data Opt-Out (p. 16)
  When does the national data opt-out apply? (p. 16)
  When does the national data opt-out not apply? (p. 16)
Information Sharing (p. 17)
Safeguarding (p. 18)
Individual rights (p. 18)
  The right to be informed (p. 18)
  The right to access (Subject Access Requests) (p. 19)
  The right to rectification (p. 19)
  The right to erasure (p. 19)
  The right to restrict processing (p. 19)
  The right to portability (p. 20)
  The right to object (p. 20)
  Rights related to automated decision making including profiling (p. 20)
Secondary uses of information (p. 20)
  Research & Planning and other Non-Care Purposes (p. 20)
  Sharing Personal Information with the Police (p. 21)
Information Governance and Cyber Security Breaches (p. 21)
  Mandatory Reporting of Serious Personal Data Breaches (p. 21)
  Mandatory Duty of Candour (p. 22)
Monitoring Access to Personal Confidential Data (p. 22)
Information and Cyber Security (p. 22)
Use of Email (p. 23)
  Sending Confidential Information Securely (p. 23)
  Auto-Forwarding of Email (p. 24)
  Managing Emails as Records (p. 24)
Photography and Recordings (p. 25)
  CCTV (p. 25)
  Patients recording consultations (p. 25)
Information Governance Mandatory Training (p. 25)
Records Management (p. 26)
  Information Asset Register (p. 26)
  Data Flow Mapping (p. 26)
Freedom of Information Requests (p. 26)
  Establishing the correct response mechanism (p. 26)
  Obligations under the FOIA (p. 27)
  Receiving a request (p. 27)
  Clarifying a request (p. 27)
  Responding to a request (p. 28)
  Applying an exemption (p. 28)
  Appeals (p. 28)
Data Protection Impact Assessments / Privacy Impact Assessments (p. 28)
Business Continuity (p. 29)
Smartcards (p. 29)
  Line Manager Responsibilities (p. 29)
  Staff Smartcard Code of Practice (p. 30)
Data Quality (p. 30)


What is Information Governance?

Information Governance (IG) is how we manage the use of information. In simple terms, it is how we obtain, create, process, use, store, share and dispose of information. IG is a series of best-practice guidelines and principles of the law to be followed when handling information.

Information Governance covers:
- Data protection & confidentiality
- Records management & information lifecycle
- Information sharing
- Information and cyber security
- Access to information requests
- Transparency and individuals' rights
- Risk management
- Incident management & resolution
- Business continuity

Information Governance in the NHS

NHS organisations hold vast amounts of sensitive information relating to patients. As such, all staff should be able to provide assurance that the IG rules and legislation are complied with and incorporated within their working practices.

Sensitive information may also be present in corporate documents, such as, contracts, minutes and finance documentation.

All staff are required to keep all patient, staff and commercially sensitive information confidential both during and post-employment (unless disclosure is expressly authorised by the GP).

Knowingly misusing, or failing to properly safeguard, any confidential data will be regarded as a disciplinary offence.

Types of information

General Practitioners (GPs) and the NHS as a whole have access to a wide range of information. Information can be grouped into the following types:

Personal / Person Identifiable Data (PID)

Relates to living individuals (or 'natural persons') who can be identified from the information. This can be direct, where you hold enough information to distinguish them from any other person (such as their full name), or indirect, where information can be combined (perhaps with information you already hold, or with information that the party you are sharing with already has access to) in order to positively identify someone (such as initials and an address combined with a first name and date of birth).

Examples of Personal Data:
- Name (including forename, surname, signature and initials)
- Address (including postcode, room number, building name)
- Date of birth
- Numbers and references (NHS, passport, National Insurance, employee, pension)
- Online identifiers (including IP addresses, cookie identifiers)

Personal Confidential Data (PCD)

Information classified as confidential often relates to sensitive matters, or to anything that, if divulged inappropriately, could cause harm and/or distress to the individual concerned, their reputation or others.

Examples of Personal Confidential Data (PCD): personal information combined with
- Medical condition(s) or medical records
- Staff details and payroll information
- Criminal records
- Financial records

In some circumstances you will not require personal information in order to identify someone, for example details of a rare medical condition on its own may be enough for you to establish the identity of the individual without any identifiers such as name, NHS number, address, date of birth etc.

Special Category Data

Special categories of personal data are personal data considered to be sensitive, and so needing more protection. In particular, this type of data could create more significant risks to a person's fundamental rights and freedoms, for example by putting them at risk of unlawful discrimination.

Examples of Special Categories of Personal Data: personal information combined with
- race or ethnic origin
- political opinions
- religious beliefs
- trade union membership
- genetic data
- biometric data (where used for identification purposes)
- health
- sex life or sexual orientation

It does not include personal data relating to criminal offences and convictions, as there are separate and specific safeguards for this type of data, although it is still sensitive information.

Pseudonymised data

Pseudonymisation means replacing the identifying characteristics of data with a pseudonym, in other words a value which does not allow the data subject to be directly identified. Those entitled to know the individual's identity will be able to map the pseudonym back to the person; nobody else should be able to. Because that mapping exists, pseudonymised data is still personal data in the hands of anyone who holds (or could obtain) the key to it, and must be protected accordingly.

Example of pseudonymised information: a unique code replaces the patient identifiers on CHC-funded patient invoices. The CHC team know who the code relates to, and so does the provider that submitted the invoice, but anyone else who comes into contact with the invoice sees only a unique code with no clue as to whom it relates.
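To make the invoice example concrete, the following is an added Python illustration; it is not part of the original guide and does not describe any CCG system. It assumes the code on the invoice is derived with a keyed hash (HMAC-SHA256) under a secret key held only by the entitled team, and it uses constructed, fictitious NHS numbers (chosen in the 999 prefix that is conventionally reserved for test data). It also shows the check a practitioner would want before trusting a pseudonymisation scheme: an unkeyed hash of a low-entropy identifier such as an NHS number is not a pseudonym at all, because an outsider holding a list of candidate numbers can hash each one and match it against the invoice.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data: fictitious NHS numbers and names for the invoice
# example. These are not real patients (999-prefixed numbers are test data).
INVOICE_LINES = [
    {"nhs_number": "9990000018", "name": "A. Patient", "amount": 1250.00},
    {"nhs_number": "9990000026", "name": "B. Patient", "amount": 980.50},
    {"nhs_number": "9990000034", "name": "C. Patient", "amount": 2210.00},
]


def unkeyed_pseudonym(nhs_number: str) -> str:
    """A plain hash of the identifier. It looks opaque, but anyone with a list of
    candidate NHS numbers can hash them all and match, so this is NOT a safe
    pseudonym for a low-entropy identifier."""
    return hashlib.sha256(nhs_number.encode()).hexdigest()[:16]


def keyed_pseudonym(nhs_number: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a secret key held only by the team
    entitled to re-identify. Same input gives the same code (so invoices for one
    patient stay linkable), but without the key there is nothing to enumerate."""
    return hmac.new(key, nhs_number.encode(), hashlib.sha256).hexdigest()[:16]


class PseudonymisationService:
    """Hypothetical service held by the entitled team (the CHC team in the
    guide's example). It owns the key and the code -> identifier lookup; the
    invoice that travels onward carries only the code and the business data."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key or secrets.token_bytes(32)
        self._lookup: dict[str, str] = {}

    def pseudonymise_invoice(self, lines: list[dict]) -> list[dict]:
        out = []
        for line in lines:
            code = keyed_pseudonym(line["nhs_number"], self._key)
            self._lookup[code] = line["nhs_number"]
            # Drop every direct identifier; only the code and the amount remain.
            out.append({"patient_code": code, "amount": line["amount"]})
        return out

    def reidentify(self, code: str) -> Optional[str]:
        """Only the key holder can map a code back to the patient."""
        return self._lookup.get(code)


def dictionary_attack(code: str, candidates: list[str]) -> Optional[str]:
    """What an outsider holding only the invoice can do against an unkeyed hash:
    hash every candidate identifier they know of and look for a match."""
    for cand in candidates:
        if unkeyed_pseudonym(cand) == code:
            return cand
    return None


def demo() -> dict:
    svc = PseudonymisationService()
    pseudonymised = svc.pseudonymise_invoice(INVOICE_LINES)
    # Constructed: a batch of NHS numbers the outsider happens to hold,
    # which includes our patients.
    outsider_candidates = ["9990000107", "9990000018", "9990000026",
                           "9990000034", "9990000115"]

    weak_code = unkeyed_pseudonym(INVOICE_LINES[0]["nhs_number"])
    strong_code = pseudonymised[0]["patient_code"]
    return {
        "outsider_breaks_unkeyed": dictionary_attack(weak_code, outsider_candidates),
        "outsider_breaks_keyed": dictionary_attack(strong_code, outsider_candidates),
        "key_holder_reidentifies": svc.reidentify(strong_code),
        "identifiers_left_on_invoice": any(
            "nhs_number" in line or "name" in line for line in pseudonymised
        ),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The design point is that the secret is the key, not the hashing algorithm: the same SHA-256 that is trivially reversible by enumeration when unkeyed becomes a usable pseudonym once the key is added, and the key then needs the same access controls as the identifiers themselves.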

Anonymous Information

Information from which all identifiers have been removed, and for which there are no means to re-identify the individual.

Examples of anonymous information: statistics, figures. Bear in mind that statistics about very small groups (for example, a count of one or two patients with a rare condition in a small area) may still allow an individual to be picked out, in the same way that a rare medical condition on its own can identify someone, and so are not truly anonymous.

Your Data Protection Officer


Your Data Protection Officer is Paul Cook and he works within the IG Team who work on behalf of Ipswich & East CCG, West Suffolk CCG and North East Essex CCG. The IG Team are hosted by Ipswich and East CCG.

Predominantly the team are based at the Ipswich and East CCG offices (address below), but regularly attend meetings, deliver training and occasionally work from other Suffolk and North East Essex CCG offices as and when required.

How to Contact Us

Ipswich and East CCG
Endeavour House
8 Russell Road
Ipswich
IP1 2BX

If you have an IG related query the best way to contact us is by email.

There are three different email addresses, depending on which area you are situated in:

Ipswich and East Suffolk: [email protected]

West Suffolk: [email protected]

North East Essex: [email protected]

You can also telephone on 01473 770297 or 07908127193

Key IG Roles & Responsibilities

Each of the roles below requires specialist training. If someone new takes up any of the roles below, please let the IG Team know.

Role: Caldicott Guardian
Responsibilities: GP practices must appoint a Caldicott Guardian to:
- Ensure personal information is used legally, ethically and appropriately
- Maintain confidentiality
- Make information sharing decisions
- Sign off Privacy Impact Assessments, Information Sharing Protocols and Data Flow Mapping

Role: Senior Information Risk Owner (SIRO)
Responsibilities: The SIRO has overall responsibility and accountability for the practice's information risk. The role covers:
- Owning the organisation's Information Risk Policy and risk register
- Sign-off of Privacy Impact Assessments where risks are identified
- Sign-off and management of Serious Incidents and Information Asset Registers
Please note that not all GP practices will have a SIRO; this generally depends on the size of the practice.

Role: Data Protection Officer (DPO)
Responsibilities: GP practices are required to appoint a DPO to:
- Monitor internal compliance
- Inform and advise on data protection issues and obligations
- Provide advice on, and sign off, Privacy Impact Assessments
- Act as a point of contact for data subjects and supervisory authorities

IG Law & Legislation

Information, and how it is used, is protected by the law. In the UK, we must comply with the following legislation when processing information:

General Data Protection Regulation (EU) 2016/679 (GDPR): a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA).

Data Protection Act 2018: controls how organisations, businesses and the government use personal information. The Data Protection Act 2018 is the UK's implementation of the GDPR.

Common Law Duty of Confidentiality: if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent. Common law is derived from case law; it is not written down in statute.

Human Rights Act 1998: gives effect in UK law to Article 8 of the European Convention on Human Rights, which provides a right to respect for one's "private and family life, his home and his correspondence", subject to certain restrictions that are "in accordance with law" and "necessary in a democratic society".

Freedom of Information Act 2000: provides public access to information held by public authorities. It does this in two ways: public authorities are obliged to publish certain information about their activities, and members of the public are entitled to request information from public authorities.

Health and Social Care Act 2012: brought about the largest reform of the NHS since its inception in 1948. It transferred responsibility for citizens' health from the Secretary of State for Health to CCGs.

Computer Misuse Act 1990: designed to protect computer users against wilful attacks and theft of information. Offences under the Act include hacking, unauthorised access to computer systems, and purposefully spreading malicious and damaging software (malware), such as viruses.

Breaches of IG Law & the Role of the Information Commissioner's Office (ICO)

When the law and legislation mentioned above is breached, the ICO may investigate and take enforcement action.

The Information Commissioner's Office (ICO) is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

One of the ICO's many roles is taking enforcement action when the law is broken.

Your practice needs to be registered with the ICO, and you need to ensure that your registration is kept up to date.

Responsibilities of the ICO
- Keeping and maintaining a register of organisations that process personal data in the UK
- Handling enquiries, complaints and concerns (both from organisations and from data subjects)
- Audits, spot checks and monitoring of IG compliance
- Producing codes of practice and guidance in line with the law
- Investigating breaches of data protection law and taking the necessary enforcement action
- Working alongside European and international partners overseeing the protection of individuals' personal information

Enforcement Action

The ICO can issue:
- Monetary penalties
- Enforcement notices
- Undertakings
- Prosecutions
- Decision notices
- Monitoring reports
- Audits

Data Security and Protection Toolkit

Formerly known as the IG Toolkit, the Data Security and Protection Toolkit (DSPT) is an online self-assessment tool that enables organisations to measure and publish their performance against the National Data Guardian's ten data security standards, in line with current data protection law such as the Data Protection Act 2018.

All organisations that have access to NHS patient data and systems must complete this toolkit annually to provide assurance that they are practising good data security and that personal information is handled correctly.

There are 61 requirements to be answered and evidenced; these are known as assertions. Completing the assessment is a year-long IG compliance work programme (which runs each financial year). The IG Team at the CCG will be able to offer guidance on what you need to meet each of the assertions.

A summary of the assessment results is accessible on the DSPT website for the public and partner organisations to view. When providers are bidding for services being commissioned by CCGs, their DSPT compliance is always checked, as it is a way of demonstrating good IG practice within the organisation.

Organisations' responses to the DSPT, and the evidence used to demonstrate compliance with legal requirements and central guidance, are subject to both internal and external audit and are available to NHS Digital, the Department of Health and the Care Quality Commission for monitoring purposes.

DSPT Incident Reporting (serious incidents)

The DSPT also provides the ability for health or social care organisations to record and report the details of serious data security incidents that breach the GDPR / DPA 2018.

Serious incidents reported through the DSPT go automatically and electronically to the Information Commissioner's Office (ICO).

This also discharges the contractual and policy responsibility to report to NHS Digital, NHS England, NHS Improvement and the Department of Health simultaneously.

Incidents relating to information should always be reported to the IG Team, who will assess the seriousness of the incident and advise on reporting via the DSPT to the organisations mentioned above as necessary. The 72-hour deadline for notifying the ICO of a reportable personal data breach runs from the moment the organisation becomes aware of the breach, not from the end of its investigation, so report internally as soon as you know something has gone wrong.

IG Policies and Procedures

To ensure all staff comply with the law when processing personal information, there are a number of policies that you need to have in place. You need policies covering the following topics:
- Data protection, including individual rights
- Confidentiality
- Incident reporting
- Records management
- IT security, including data security and network security
- Information sharing
- Data quality
- Freedom of Information

You may already have policies in place that your staff work to. The IG Team are available to review these policies or provide you with new ones if that is what is required.

Adherence to IG policies ensures compliance with the law, best practice and embeds processes that help staff manage information appropriately. It must also be noted that embedding IG processes enables patients and service users to have greater confidence in your practice and enables effective working across partner organisations.

Caldicott Principles

In 2013, the Caldicott Principles, named after their author Dame Fiona Caldicott, were updated. There are now seven Caldicott Principles to be considered when using patient PCD:

1 Justify the purpose(s)
2 Don't use PCD unless it is absolutely necessary
3 Use the minimum necessary PCD
4 Access to PCD should be on a strict need-to-know basis
5 Everyone with access to PCD should be aware of their responsibilities
6 Comply with the law
7 The duty to share information can be as important as the duty to protect patient confidentiality

In 2016, Dame Fiona Caldicott carried out a review of data security, consent and opt-outs. Ten Data Security Standards were introduced, focused on people, processes and technology. Organisations within health and social care should strive to achieve compliance with the ten standards, which form the basis of the DSPT.

1 All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form. Personal confidential data is only shared for lawful and appropriate purposes


2 All staff understand their responsibilities under the National Data Guardian’s Data Security Standards, including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches.

3 All staff complete appropriate annual data security training and pass a mandatory test, provided through the revised Information Governance Toolkit.

4 Personal confidential data is only accessible to staff who need it for their current role and access is removed as soon as it is no longer required. All access to personal confidential data on IT systems can be attributed to individuals.

5 Processes are reviewed at least annually to identify and improve processes which have caused breaches or near misses, or which force staff to use workarounds which compromise data security

6 Cyber-attacks against services are identified and resisted and CareCERT security advice is responded to. Action is taken immediately following a data breach or a near miss, with a report made to senior management within 12 hours of detection.

7 A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses, and it is tested once a year as a minimum, with a report to senior management.

8 No unsupported operating systems, software or internet browsers are used within the IT estate.

9 A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. This is reviewed at least annually.

10 IT suppliers are held accountable via contracts for protecting the personal confidential data they process and meeting the National Data Guardian's Data Security Standards.

Data Protection Principles

From May 2018, when the law changed, all organisations in the UK have had to comply with the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA18), both of which are enforced in the UK by the Information Commissioner's Office (ICO). The ICO has the power to fine organisations up to the equivalent of €20m or 4% of annual turnover (whichever is higher) for data protection breaches.

It is unlawful to obtain or disclose personal data without authorisation, or to sell or offer to sell it on. In 2013, for example, a pharmacist working at a CCG accessed the medical records of family members, work colleagues and local health professionals; the ICO fined the pharmacist.

Staff could face disciplinary proceedings which may result in dismissal or in being struck off a professional register.

There are seven GDPR principles that must be followed when handling PCD:

1. Use it lawfully, fairly and transparently
2. Use it only for the purpose it was collected
3. Use the minimum amount of data necessary for the purpose
4. Ensure it is accurate
5. Do not keep it longer than needed
6. Keep it secure
7. Retain records of decisions made to demonstrate accountability

Data Subjects also have increased rights under the GDPR compared to the previous legislation. These are:

1. The right to be informed how their data is used
2. The right to access copies of their data
3. The right to rectification of data when it is incorrect
4. The right to erasure, also known as the right to be forgotten (although this is rarely possible in healthcare)
5. The right to restrict processing
6. The right to data portability, i.e. to move electronic information to another organisation
7. The right to object to processing of their data
8. Rights in relation to automated decision-making and profiling

With the exception of the right of access, most requests to exercise these rights will initially be assessed on a case-by-case basis, using the precedent of the CCG’s developing experience of the new legislation along with relevant case law over time. See the Individual rights section below for more on individual rights.

Full guidance regarding the GDPR is available on the ICO’s website and DPA18 is available on the government’s Legislation website.

Confidentiality & Best Practice

The Confidentiality NHS Code of Practice (2003) has been guiding confidentiality in the NHS for the last 15 years. Despite its age, this is still a current document that sets out the required standards of practice concerning confidentiality.

Everyone working in or for the NHS has the responsibility to use personal data in a secure and confidential manner. Staff who have access to information about individuals (whether patients, staff or others) must use it effectively, whilst maintaining appropriate levels of confidentiality. This section sets out the key principles and main ‘Do’s and Don’ts’ that everyone should follow to achieve this for both electronic and paper records.

The common law duty of confidentiality requires that information provided in confidence may be disclosed only for the purposes that the subject has been informed about and has consented to, where there is an overriding public interest (for example safeguarding), or where there is a statutory requirement or a Court Order to do so.

Following some basic principles helps keep information secure and confidential:

- Limit unnecessary access to personal information
- Ensure authorised access only
- Take steps to ensure that records are accurate
- Make sure that you only keep records for as long as required, as per the records retention schedule
- Ensure that when records are destroyed, they are destroyed securely
- Make sure you do not take patient records off-site unless you absolutely have to, and if you do, make sure they are kept secure at all times
- If you receive a request for records, make sure that you follow the correct process, and if you have any queries speak to the IG Team at the CCG
- Make sure that your staff members know their responsibilities when it comes to confidentiality
- When legitimately disclosing PID to other organisations, make sure you are only disclosing the absolute minimum they require to undertake their task
- Unless you have an agreement to do so, do not leave messages containing PID on answerphones
- When transferring PID, ensure you use a secure method and take care that you are sending the correct information. Take a second to check attachments and that you have the correct recipient
- Always destroy confidential waste in a confidential bin

If you would like more guidance on the above, we have a suite of factsheets at your disposal.

Hoax Calls and Spam Emails

Be aware of telephone calls being received pretending to be from either internal departments or external companies, trying to obtain information from the Practice about members of staff.

Often calls will sound like they are being made from call centres but the caller usually claims to be working on behalf of the IT Support Service.

When asked for their contact number or email address, the callers often try to provide a reason why they cannot supply these details, e.g. they are new and do not have email/telephone extension yet. They then often try to pressurise the member of staff into giving out the information saying they need it urgently.

You may also receive potentially hoax / suspicious emails from various sources, into your NHS email accounts that instruct you to either click on a link or open up an attachment.

If you were to either click on the link or open up the attachment, it is more than likely that a virus/malware will be downloaded onto the computer.

These emails often appear to come from genuine email addresses, whose owners may themselves have been the victim of a virus, and there is not much that IT can do to prevent them arriving in staff inboxes.

If this does happen, attach the suspicious email to a new email and send it to [email protected]. It is very important that you do not forward the email: forwarding copies only the visible message text and strips the original message headers, whereas attaching the email as a file keeps those headers intact so the IT team can trace where it actually came from. It must be attached to a new email.
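The following Python script is an added illustration for this guide, not code from the original document or from the IT Support Service. It shows why the reporting instruction above says attach rather than forward: attached as a message/rfc822 part, the original email keeps its Return-Path, Received, Authentication-Results and Message-ID headers, which are what an analyst uses to establish where it really came from; an inline forward carries only the body and a couple of display headers. The reporting address report@example.invalid and the sample hoax email are constructed for the example.

```python
"""Report a suspicious email by attaching it, not forwarding it.

Added example for this guide, not code from the original document.
The reporting address (report@example.invalid) and the sample message
are constructed for illustration only.
"""
from email import message_from_string, policy
from email.message import EmailMessage
from typing import Dict, Optional

# Constructed sample of a hoax "IT Support" email, including the tracing
# headers that the receiving mail server added on the way in.
SUSPICIOUS_RAW = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (192.0.2.10) by mx.example.org; Mon, 4 Nov 2019 09:12:33 +0000
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "IT Support Service" <it.support@example.org>
To: receptionist@example.org
Subject: Urgent: password expiry
Message-ID: <abc123@mail-relay.example.net>
Content-Type: text/plain; charset="utf-8"

Your mailbox password expires today. Click http://example.net/reset to keep access.
"""

# Headers an analyst relies on to establish where a message really came from.
FORENSIC_HEADERS = ("Return-Path", "Received", "Authentication-Results", "Message-ID")


def build_report(raw_email: str, reporter: str, report_to: str) -> EmailMessage:
    """Wrap the original message, unmodified, as a message/rfc822 attachment."""
    original = message_from_string(raw_email, policy=policy.default)
    report = EmailMessage()
    report["From"] = reporter
    report["To"] = report_to
    report["Subject"] = "Suspicious email for review"
    report.set_content("Suspicious email attached unmodified. Link not clicked.")
    # Passing a message object to add_attachment stores it as message/rfc822,
    # so every original header survives for the IT team to analyse.
    report.add_attachment(original)
    return report


def build_forward(raw_email: str, reporter: str, report_to: str) -> EmailMessage:
    """What an inline 'Forward' does: copies the body and a few display headers only."""
    original = message_from_string(raw_email, policy=policy.default)
    forward = EmailMessage()
    forward["From"] = reporter
    forward["To"] = report_to
    forward["Subject"] = "FW: " + str(original["Subject"])
    forward.set_content(
        "---------- Forwarded message ----------\n"
        f"From: {original['From']}\nSubject: {original['Subject']}\n\n"
        f"{original.get_content()}"
    )
    return forward


def attached_original(report: EmailMessage) -> Optional[EmailMessage]:
    """Return the attached original message, or None if the report carries none."""
    for part in report.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()
    return None


def forensic_headers_present(report: EmailMessage) -> Dict[str, bool]:
    """Which tracing headers can the IT team still recover from this report?"""
    inner = attached_original(report)
    text = (inner if inner is not None else report).as_string()
    return {name: f"{name}:" in text for name in FORENSIC_HEADERS}


if __name__ == "__main__":
    me, desk = "receptionist@example.org", "report@example.invalid"
    for label, msg in (("attached", build_report(SUSPICIOUS_RAW, me, desk)),
                       ("forwarded", build_forward(SUSPICIOUS_RAW, me, desk))):
        print(label, forensic_headers_present(msg))
```

Run stand-alone, the attached report recovers all four tracing headers and the forwarded copy recovers none of them. In a mail client the equivalent of build_report is "attach as file" (saving the message as .eml or .msg and attaching it), which is why the guide asks for an attachment rather than a forward.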

Social Media

Social media has become a worldwide phenomenon. According to the statistics website Statista, the UK’s most popular social networks in 2018 were Facebook, Twitter, Pinterest, YouTube, Instagram, Tumblr, reddit and LinkedIn. On a general level, some simple advice to keep yourself safe is to never:

- Make friends with people of whom you are unsure
- Reveal personal confidential data (PCD), including photos, about patients or colleagues
- Moan about your employer, patients or colleagues
- Discuss sensitive information
- Upload compromising photos of yourself

Plus, be extra careful if mixing work and private life on social media.

Even putting opinions, observations or general feelings about your employer, day at work or work experiences can land you in trouble. So best not to comment!


It is important to note that if someone exercises their data protection rights via Facebook (for example by making a subject access request in a message or comment), this is a valid request, so someone needs to be monitoring such channels so that these requests can be processed in line with the usual procedure.

Instant Messaging Apps

Instant messaging apps are useful and efficient if used correctly and end-to-end encryption is in place. However, apps such as WhatsApp raise concerns: the encryption protects messages in transit, but on Android devices chat history is backed up to the user’s cloud storage (Google Drive), where, at the time of writing, it is not covered by the app’s end-to-end encryption.

Additionally, if a member of staff leaves the organisation they can take PCD with them, meaning there is no organisational ownership of data that has been sent, which raises significant Data Protection concerns.

There is also the issue that many apps are owned by technology organisations that, based on recent news stories, are not renowned for making privacy and cyber security a high priority.

However, this is the twenty-first century and messaging apps, such as WhatsApp, are here to stay and their benefits are great if used appropriately when needing to communicate speedily, such as during major incidents. But what is appropriate? It is more than acceptable to use messaging apps, such as WhatsApp, for business purposes such as those just mentioned, along with group planning and education. However:

They must not be used as a work around for healthcare referrals / advice within or between organisations.

The inclusion of PCD of any sort is unacceptable.

Advice and guidance is available from the IG Team as to what is considered appropriate.

Parental Responsibility

It is essential to be able to demonstrate who has Parental Responsibility whenever a child is being treated or information is being shared about them. It is important that this can be demonstrated should the decisions or sharing be challenged at a later date.

Parental Responsibility is defined in law by the Children Act 1989 as ‘all the rights, duties, powers, responsibilities and authority which by law a parent of a child has in relation to the child and his property’.

People with parental responsibility are entitled to have a say in major decisions about the child such as:

- Where the child should live
- Where they should go to school
- What religion they should practise
- What name they should have
- Giving or withholding of medical treatment
- Dealing with their money or property

Parental responsibility lasts until the child reaches 18, or marries between the ages of 16 and 18.

Who has Parental Responsibility?

Individuals have parental responsibility automatically if they are:

- The biological mother of the child
- The biological father of the child (see below for conditions)
- The adoptive parents, once an adoption order has been made
- Named as a parent in a Parental Order

Where the parents are married, both father and mother continue to have parental responsibility even if the marriage breaks down.

Unmarried fathers did not have the same rights and responsibilities as married fathers until the Adoption and Children Act 2002 came into force on 1 December 2003. This is not retrospective and therefore:

For children born before 1 December 2003, unmarried fathers can only get parental responsibility by:

  o Obtaining a parental responsibility order via the courts, or
  o Completing a Parental Responsibility agreement form with the mother of the child and taking it to a solicitor

For children born on or after 1 December 2003, unmarried fathers can get parental responsibility by:

  o Obtaining a parental responsibility order via the courts,
  o Completing a Parental Responsibility agreement form with the mother and taking it to a solicitor, or
  o Being named on the child’s birth certificate (i.e. registering the birth jointly with the mother)

Civil partners of mothers and married lesbian couples; if the child was conceived by artificial insemination on or after 6 April 2009 and the mother was in a civil partnership, the civil partner will automatically have Parental Responsibility for the child. Similarly, if the mother is married to their same-sex spouse and the child was conceived by artificial insemination the spouse will automatically have Parental Responsibility for the child. Both names should be added to the birth certificate and the child would have no legal father.

What about Non-Parents?

Other people can also acquire Parental Responsibility for a child. These might include step-parents, grandparents or same-sex partners. Non-biological parents can acquire Parental Responsibility if:

They adopt the child – when an adoption order is made the adoptive parent or parents gain Parental Responsibility for the child and the biological parents lose it. If the adoption is a joint adoption between a biological parent and her or his partner, the person they are adopting with gains Parental Responsibility and any other person who had it loses it.

They are appointed as a guardian of the child – a person or persons with Parental Responsibility can appoint another person or persons to be the child’s guardian after his or her death. The appointment can be made in writing (and must be signed and dated) or in a will. The appointment of a guardian will only take effect if:

  o There is no other person with Parental Responsibility for the child, or
  o The parent who made the appointment was named as the person with whom the child lives in a child arrangements order at the time of their death, and the surviving parent was not also named as a parent with whom the child shall live, or
  o The parent who made the appointment was the child’s only special guardian.

The court makes a child arrangements order stating that the child is to reside with him or her – in this situation the named person will acquire Parental Responsibility (if they don’t already have it). They will have Parental Responsibility for the duration of the child arrangements order but would lose it if the order is brought to an end by the court.

The court makes a special guardianship order – when the court makes a special guardianship order in favour of a non-parent, this person or persons will acquire Parental Responsibility for the child. The order provides the child with a legally secure family home but unlike adoption the parents do not lose Parental Responsibility. A special guardian, however, can overrule the Parental Responsibility of the parents when making decisions about the child.

Married step-parents and civil partners acquire Parental Responsibility for a step-child or child of the family either by entering into a Parental Responsibility agreement or by asking the court to make a Parental Responsibility order. Parental Responsibility agreements require signed consent from all parents with Parental Responsibility.

Local Authorities can acquire Parental Responsibility for a child if the court makes a care order, emergency protection order or interim care order in respect of that child. The Local Authority will then share Parental Responsibility with anyone else who has Parental Responsibility for the child but the Local Authority can overrule any decisions that they do not feel are in the child’s best interests.

Proof of Parental Responsibility

To prove that they have parental responsibility, a person needs to provide proof of their identity (e.g. passport, their birth certificate and photo ID) together with a copy of one of the following documents:

- The child’s birth certificate – for an unmarried father this only confers parental responsibility if the father and mother registered the child’s birth together on or after 1 December 2003, or
- Marriage certificate, or
- Parental Responsibility Agreement entered into by the birth parents, or
- Copy of a Court Order giving Parental Responsibility

Consent from People with Parental Responsibility

In cases where a child is unable to give informed consent themselves, people with parental responsibility are entitled to give consent for medical treatment on their behalf. There are limits on what parents are entitled to decide, and they are not entitled to refuse treatment which is in the child’s best interests. Staff should take further advice, as appropriate in their area of work.

Other considerations for Children’s rights

If a child wishes to exercise their own rights, they are able to do so as long as they are competent to do so. The ICO states that ‘In Scotland, a person aged 12 or over is presumed to be of sufficient age and maturity to be able to exercise their data protection rights, unless the contrary is shown. This presumption does not apply in England and Wales or in Northern Ireland, where competence is assessed depending upon the level of understanding of the child, but it does indicate an approach that will be reasonable in many cases. A child should not be considered to be competent if it is evident that he or she is acting against their own best interests’.

Another consideration is that once the child reaches a certain age their parents contact details must be removed from their record. There isn’t a set age and when you do this will depend on the child’s capacity. If the parents are calling up for information you need to be weighing up the parental responsibility with the confidentiality of the child e.g. if a 16-year-old is visiting the doctor for contraceptives.

You will also have patients who are now adults but do not have capacity. In this situation you need some sort of flag on the record to show who can act on behalf of the adult patient. Note that this is not automatic: a parent of an adult who lacks capacity needs the appropriate legal authority to act for them, such as a lasting power of attorney or a court-appointed deputyship, and you should check this before acting on their instructions.

Legal basis

Under the General Data Protection Regulation you need a legal basis to process personal data. More specifically, you need a legal basis under Article 6 to process any personal data and, in addition, a condition under Article 9 to process Special Category data. Special Category data is the more sensitive subset of personal data: personal data identifies an individual (for example their name and address), whereas Special Category data tells you something sensitive about that person (for example their medical records). Processing medical records therefore needs both an Article 6 basis and an Article 9 condition.

Article 6

Below are the legal bases for processing personal data:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

Article 9

Below are the conditions for processing Special Category Data (known under the Data Protection Act 1998 as sensitive personal data):

(a) Explicit consent
(b) Employment, social security and social protection (if authorised by law)
(c) Vital interests
(d) Not-for-profit bodies
(e) Made public by the data subject
(f) Legal claims or judicial acts
(g) Reasons of substantial public interest (with a basis in law)
(h) Health or social care (with a basis in law)
(i) Public health (with a basis in law)
(j) Archiving, research and statistics (with a basis in law)

What Legal Basis you need to use

Within health care we will be using Article 9(h) (health or social care) for the majority of our processing, alongside Article 6(e) (public task) for the personal data involved. This means that for the purposes of direct care we do not need consent as our legal basis.

There has historically been some confusion between consent to treatment and consent for information sharing. Consent to treatment is a separate clinical and common law matter; when it comes to information sharing and data processing for care we have a basis in law, so we do not require patient consent as our data protection legal basis. What we do need to do legally is inform the patient of everything we do with their data: one of the individual rights is the right to be informed, and this forms part of that.

Other Legal Bases

S.251

Section 251 of the NHS Act 2006 and the associated Regulations (the Health Service (Control of Patient Information) Regulations 2002) enable the common law duty of confidentiality to be temporarily set aside so that confidential patient information can be transferred to an applicant without the discloser being in breach of the common law duty of confidentiality.

In practice, this means that the person responsible for the information (the data controller) can, if they wish, disclose the information to the applicant without being in breach of the common law duty of confidentiality. They must still comply with all other relevant legal obligations e.g. the Data Protection Act 2018.

Approval also provides reassurance that the person(s) receiving the information has undergone an independent review of their purposes and governance arrangements.

This is the legal basis for various NHS organisations undertaking risk stratification. S.251 applications are considered by the Confidentiality Advisory Group (CAG) of the Health Research Authority, which advises on whether approval should be given.

The National Data Opt-Out

The national data opt-out is a service launched on 25 May 2018 by NHS Digital that allows patients to opt out of their confidential patient information being used for research and planning.

Patient information about the programme, including how to set their opt-out choice, is available on the NHS Digital website.

Staff can download leaflets, posters and other resources to use when informing patients from the same site.

The national data opt-out was introduced to allow patients to opt-out from the use of their data for research or planning purposes. This is provided in line with the recommendations of the National Data Guardian, Dame Fiona Caldicott, in her Review of health and social care Data Security, Consent and Opt-Outs. The service is currently in a process of continual development.

By 2020 all health and care organisations will be required to apply national data opt-outs where confidential patient information is used for research and planning purposes.


NHS Digital have been applying national data opt-outs since 25 May 2018.

The national data opt-out replaces what was previously known as the ‘Type 2’ opt-out, which required NHS Digital not to share a patient’s confidential patient information for purposes beyond their individual care. Any patient who had a Type 2 opt-out had it automatically converted to a national data opt-out from the launch date and received a letter with further information.

When does the national data opt-out apply?

When does the national data opt-out not apply?

- When the processing is for the purposes of direct care
- When the data has been anonymised in line with the ICO code of practice on anonymisation
- When undertaking risk stratification for case finding, where carried out by a provider involved in an individual’s care (or their data processor)

Information Sharing

Who can you share information with, and what information can you share? These are not simple questions to answer, but the GDPR and IG are not barriers to appropriate sharing. For example, in 2013 a new Caldicott principle was added that promoted the principle that ‘The duty to share information can be as important as the duty to protect patient confidentiality’. This is the guiding principle when considering the sharing of patient information.

It is important to ensure that there is a balance between sharing information with partners for the purposes of quality of care and keeping information secure and confidential. The CCG must ensure that mechanisms are in place to enable reliable and secure exchange of data within the legal limits.

The Department for Education’s guidance on information sharing for safeguarding practitioners (updated July 2018) sets out Seven Golden Rules of Information Sharing, which are broadly applicable to all instances of sharing personal and sensitive data:

1. Remember that the GDPR, DPA18 and human rights law are not barriers to justified information sharing, but provide a framework to ensure that personal information about living individuals is shared appropriately.

2. Be open and honest with the individual (and/or their family where appropriate) from the outset about why, what, how and with whom information will, or could be shared, and seek their agreement, unless it is unsafe or inappropriate to do so.


3. Seek advice from other practitioners, or your IG lead, if you are in any doubt about sharing the information concerned, without disclosing the identity of the individual where possible.

4. Where possible, share information with consent, and where possible, respect the wishes of those who do not consent to having their information shared. Under the GDPR and DPA18 you may share information without consent if, in your judgement, there is a lawful basis to do so, such as where safety may be at risk. You will need to base your judgement on the facts of the case. When you are sharing or requesting personal information from someone, be clear of the basis upon which you are doing so. Where you do not have consent, be mindful that an individual might not expect information to be shared.

5. Consider safety and well-being: base your information sharing decisions on considerations of the safety and well-being of the individual and others who may be affected by their actions.

6. Necessary, proportionate, relevant, adequate, accurate, timely and secure: ensure that the information you share is necessary for the purpose for which you are sharing it, is shared only with those individuals who need to have it, is accurate and up-to-date, is shared in a timely fashion, and is shared securely (see principles).

7. Keep a record of your decision and the reasons for it – whether it is to share information or not. If you decide to share, then record what you have shared, with whom and for what purpose.

The ICO’s Data Sharing Code also highlights the factors that should be considered before any information sharing proceeds:

- What is the sharing meant to achieve?
- What information do we need to share?
- Could we achieve the objective without sharing the data, or by anonymising it?
- What risks does the information share pose to the individuals?
- Is it right to share the data in this way?
- What would happen if we did not share the data?
- Are we allowed to share the information?
- Who requires access to the shared personal data?
- When should we share it?
- How should we share it?
- How can we check the sharing is achieving the objectives?
- Do we need to review the DPIA?

If you have been approached with a request to share information and if you are unsure as to whether you can share or not, speak to the IG Team. They will also be able to advise as to whether you need an Information Sharing Agreement or any other documentation.

Safeguarding

There are various different legal bases for sharing when it comes to safeguarding; however, there are still considerations that need to be made. A few things to think about are:

- You can share with the teams that need the information even if you are concerned that the information is very sensitive; however
- You don’t need to share a whole record when all the requestor needs is information relating to the safeguarding concern
- If someone phones for some information, get them to send you the request in an email so that there is an audit trail
- You also need to be mindful of supplying the information within the given timeframe

Individual rights

Below are each of the rights available to individuals under the GDPR. Some rights are absolute, whilst others depend on other factors such as your legal basis for processing. The table below shows which of the right to erasure, the right to portability and the right to object are available under each legal basis (X = not available under that basis). There are other reasons for some rights not being available in particular cases; all the rights and when they are available are detailed below.

Legal basis            Right to erasure   Right to portability   Right to object
Consent                Yes                Yes                    X (but right to withdraw consent)
Contract               Yes                Yes                    X
Legal obligation       X                  X                      X
Vital interests        Yes                X                      X
Public task            X                  X                      Yes
Legitimate interests   Yes                X                      Yes

If you are unsure what legal basis you are using and want advice around what rights are available to the data subject, contact the IG Team.

Please note that each of the below rights, if exercised by the patient, needs to be acknowledged and responded to within one calendar month, even if the response is that their request cannot be granted. This can be extended by a further two months for complex or numerous requests, but you must tell the individual within the first month. If you need more guidance, speak to the IG Team at the CCG.

The right to be informed

The public have a right to know what data is being collected, what it is being used for, how long it is being kept for and who it might be shared with. This forms a key part of the organisation’s requirement to be transparent. The main way this is done is via a Privacy Notice, which should be made available to the public. It also needs to be made available at the point you collect personal data, or, if data is collected from other sources, the subject needs to be made aware within a reasonable period but no later than a month.

You can also provide resources about specific processing if more detail is required. Regardless of how this information is delivered, it must be concise, transparent, intelligible, easily accessible and it must use clear, plain language.

There are multiple ways you can communicate your Privacy Notice with patients. Firstly, on your website; here you can have the whole notice in full. You can also display shorter, more succinct notices on the wall in the practice.

If you have something specific you want to notify your patients of then you can create specific notifications.

The right to access (Subject Access Requests)

Under the GDPR, all living individuals have the rights outlined above (within Data Protection Principles), which includes access to their information, generally known as a Subject Access Request (SAR).

SARs need to be dealt with in line with the statutory requirement of one calendar month.

It is also important to note that Subject Access Requests can come in from sources that you might not always expect. They can be verbal (although it is helpful to have them followed up in writing) and they can quite often be buried in a complaint or through social media.

Staff also have a right to access their employment records and any information held within the CCG that identifies them.

Certain exemptions apply to releasing information such as if it identifies a third party, could potentially cause harm or distress to an individual or contains sensitive information about others or that is commercially sensitive.

Staff must be aware that absolutely anything they write about a patient, colleague etc. wherever it is stored, could be released when a request is received, as all information technically forms part of their wider Record. This includes information about them written in, for example, a diary, on a Post-It note, in emails or on a scrap of paper stored in a drawer.

Some limited people are also able to access records of the deceased under the Access to Health Records Act 1990. Please contact the IG Team at the CCG for advice on this.


Processing a request

Each Subject Access Request will be very different, so it is difficult to go into great detail here; however, there are a few top-level fundamental rules that need to be followed. Please use the table below to help you.

Requestor: Individual on behalf of themselves
  Pre-checks: ID; how they want to receive the records
  Redaction: 3rd party data and any harmful information

Requestor: Individual on behalf of another adult
  Pre-checks: ID of both; consent for the requestor to act on behalf of the subject, or confirmation that the subject does not have capacity and the requestor is acting in their best interests; how they want to receive the records
  Redaction: 3rd party data and any harmful information

Requestor: Individual on behalf of a child
  Pre-checks: ID of requestor and birth certificate / proof of parental responsibility; depending on the age of the child you may seek their opinion on the release, and if not you must be satisfied that the requestor is acting in the child’s best interests; how they want to receive the records
  Redaction: 3rd party data and any harmful information

Requestor: Solicitor
  Pre-checks: a request detailing what they need and the patient’s consent; check with the patient what the solicitor needs and only provide specifically what they are after; how they want to receive the records
  Redaction: 3rd party data and any harmful information

Requestor: Insurance company
  Pre-checks: if they ask for medical records, return the request and remind them that they can only have a report; request that they send you their set of questions to inform the report; ensure they include the patient’s consent to release
  Redaction: N/A

Requestor: Police
  Pre-checks: please see Sharing Personal Information with the Police
  Redaction: 3rd party data

The right to rectification

Individuals have the right to have inaccurate personal information rectified. They also have the right to get incomplete personal data completed, which may include providing a supplementary statement to the incomplete data.

This right is closely linked to the accuracy principle, and whilst you will already be taking steps to ensure accuracy, this enables inaccuracies to be corrected upon request.

The right to erasure

The right to erasure is also known as the right to be forgotten; however, as you can see from the table above, this right is not available to everyone.

If the right is available this means that the requestor can ask for all of their personal data held by the data controller to be permanently erased. Requests can be made verbally or in writing and you have one month to respond.

The right to restrict processing

This is another right that is not automatically available; however, this time it is not to do with the legal basis of processing. Individuals have the right to request the restriction of processing if:

- The individual contests the accuracy of the data and you are in the process of verifying the data
- The data has been unlawfully obtained and the individual opposes erasure and requests restriction instead
- You no longer need the data but the individual needs you to keep it in order to establish, exercise or defend a legal claim
- The individual has objected to the processing and you are considering whether your legitimate grounds override those of the individual

As you can see this right is linked with others (rectification and objection).

The right to portability

This right enables individuals to obtain their personal data and reuse it for their own purposes across services. It enables them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way without affecting its usability.

This right only applies if your legal basis is consent or for the performance of a contract and you are carrying out the processing by automated means (i.e. not using paper files). It also only applies to information provided to you by the subject themselves and not to information provided by other parties.

The right to object

Under certain circumstances individuals have a right to object to the processing of their personal data. They have an absolute right to stop their data being used for direct marketing; in other cases, where the right applies, you may be able to continue processing if you can show that you have a compelling reason for doing so.

Requests can be made verbally or in writing.

Rights related to automated decision making including profiling

GDPR has introduced these rights to restrict the use of decisions being made without human intervention, and there are only certain situations in which automated decision making and profiling can happen. They are where the processing is:

- necessary for entering into or performance of a contract between an organisation and the individual;
- authorised by law (for example, for the purposes of fraud or tax evasion); or
- based on the individual’s explicit consent

If you are using special category data, you can only carry out the processing in this way if:

- you have the individual’s explicit consent; or
- the processing is necessary for reasons of substantial public interest

If you think you are processing any personal data in this way contact the IG Team for advice.

Secondary uses of information: Research & Planning and other Non-Care Purposes

Information that is to be used or shared for non-care purposes, for the benefit of the community, should generally be anonymised. This is defined by the ICO as the process of turning the data into a form which does not identify individuals and where identification is not likely to take place. This may include research, commissioning and assessing the quality and efficiency of services. If the purposes can be achieved with anonymised information, then they must be. This means that the information will have all identifiable information that may identify an individual permanently removed from it.

If the need to use the information cannot be achieved by either anonymisation or pseudonymisation, then patient consent is generally required. The only exemption to this is if there is an overriding and statutory basis for breaching confidentiality. These include, but are not limited to:

- Compliance with a Court Order
- Notifiable Diseases to Public Health England
- To support the prevention or detection of serious crime
- Under s251 of the National Health Service Act 2006 when ordered by the Secretary of State for Health and Social Care
- NHS Digital has powers to request information which are binding on health bodies, although such powers may not be enforced where a patient has objected


Sharing Personal Information with the Police

Under the law, no matter what is shown on television dramas, the Police and other law enforcement agencies do not have an automatic right to see PCD about patients or staff, although you should do your best to cooperate with them when it is legal to do so.

When requests are received, even with a Police Officer in attendance, each one must be dealt with based on its own merit; PCD must not be released without careful consideration.

On receipt of a request from the Police, the Officer must be requested to complete a Police Personal Data Request Form (could be known as a Schedule 2(1)2 form, or A101 form).

Most requests are likely to be urgent.

If the police do not have a court order or warrant they may ask for a patient’s health records to be disclosed voluntarily under section 35 of the DPA 2018. However, while health professionals have the power to disclose the records to the police, there is no obligation to do so. In such cases health professionals may only disclose information where the patient has given consent, or there is an overriding public interest.

In this context a disclosure in the public interest is a disclosure that is essential to prevent a serious threat to public health, national security, the life of the individual or a third party, or to prevent or detect serious crime. This includes crimes such as murder, manslaughter, rape, treason, kidnapping and abuse of children or other vulnerable people. Serious harm to the security of the state or to public order and serious fraud will also fall into this category. In contrast, theft, minor fraud or damage to property, where loss or damage is less substantial, would generally not justify the breach of confidence necessary to make the disclosure.

Information Governance and Cyber Security Breaches

Each member of staff has the responsibility to ensure that information is handled, stored and transferred in a safe, secure and appropriate way. The implementation of the GDPR has brought with it a new regime around incident reporting. This creates two new obligations, the mandatory reporting of serious personal data breaches and the need for a Duty of Candour where individuals’ rights and freedoms have been harmed.

Mandatory Reporting of Serious Personal Data Breaches

This must occur when the breach is likely to have a significant impact on the rights and freedoms of the individuals concerned. These include:

- Loss of control over their personal data
- Limitation of Data Protection rights (see Chapter 3)
- Discrimination
- Identity theft or fraud
- Financial loss
- Unauthorised reversal of pseudonymisation
- Damage to reputation
- Loss of confidentiality of personal data protected by professional secrecy
- Any other significant economic or social disadvantage

If such an impact is believed to have taken place you must report the incident to the ICO within 72 hours of becoming aware of it. This awareness is the point that:

- Any member of GP staff has become aware of it, rather than when it was reported internally or to the IG Team, as there is often a delay between an individual being aware and it being reported, and
- There is real reason to believe there would likely be one of the listed impacts

Please report any incident to your Data Protection Officer as soon as possible so they can assist you in the decision to report to the ICO and any further investigation needed.

Fines for personal data breaches can, in principle, be as high as 4% of the organisation’s turnover, or €20m, whichever is higher. This is a massive increase from the £½m cap under the previous, and now-replaced, Data Protection Act 1998.


In addition, organisations that fail to report an incident when they should have done can be further fined 2% of turnover or the equivalent of €10m, whichever is higher. An organisation is permitted to notify the initial findings to the ICO and then provide additional information as the investigation progresses.

If ever information is sent to the wrong destination physically it is essential that a member of staff from the sending department attends the recipient location to retrieve it, rather than asking them to dispose of it.

Mandatory Duty of Candour

The GDPR also mandates that if the personal data breach has indeed harmed the rights and freedoms of an individual, the Controller must undertake a Duty of Candour using clear and plain language, including:

- An explanation of what occurred
- Contact details for the DPO and right to complain to the ICO
- Possible consequences of the breach
- How the Controller has mitigated the breach

Generally, the Duty of Candour must be undertaken by the department with responsibility for the process / activity where the breach occurred, potentially with the guidance of the IG Team.

Staff must always:

- Report any IG incident of concern to the IG Team immediately
- Think carefully before sharing PCD

It is better that a potential incident is reported and discounted later, rather than not being reported and becoming more serious by not being known about.

It is essential that incidents are robustly investigated so that lessons can be learned from them, both within the team that it occurred and to benefit the whole GP Practice.

It is important not to tell the recipients of incorrect information to destroy it. This is because the GP needs:

- It back to help with the investigation
- To know for certain that it has been destroyed, and by doing this we only have the recipient’s word for it

Sometimes the recipient of the information may not be willing or able to return it by post or by dropping it back to the GP. In these situations, it is appropriate that someone from the GP goes to collect it.

If in any doubt regarding the reporting or management of IG and cyber security incidents, ask your line manager, or the IG Team.

Monitoring Access to Personal Confidential Data

Staff access to electronic systems which access, process or transfer PCD is monitored and audited. Where care records are held electronically, audit trail details about such access to a record can be made available to patients concerned upon request.

Any breach of security or infringement of confidentiality may be regarded as serious misconduct, which would lead to disciplinary action or dismissal in accordance with disciplinary procedures. In addition, unauthorised disclosure of PCD is an offence and could lead to criminal prosecution.

There are a number of assertions within the Data Security and Protection Toolkit to do with different spot-checks, one of which is to evidence that you have undertaken user account audits. The IG Team have a template for this if you need one.

Information and Cyber Security

Information and Cyber Security is not solely related to IT and computers; in many ways it reflects the whole of IG covered in this Resource Guide. It concerns every member of staff doing their utmost to maintain the Confidentiality, Integrity and Availability of patient and staff information, to ensure it is available to the right people at the right time.

With such reliance on electronic data systems, and with the portability of data that comes with it, come new vulnerabilities to cyber security risks. There have been several high profile cyber-attacks and incidents against various organisations including the “WannaCry” ransomware attack against one-fifth of NHS Organisations in May 2017.

Another example is a computer virus that affected the Northern Lincolnshire and Goole NHS Foundation Trust in autumn 2016 for five days, meaning that thousands of routine operations and outpatient appointments had to be cancelled. This was because the virus caused the computer network to crash. In addition to this sort of disruption, it has been suggested that a person’s Medical Record is much more valuable than credit card numbers on the black market.

Some very basic principles to support this in healthcare include:

- Ensuring patients’ Medical Records are not left unattended
- Maintaining a clear desk policy when away from your workstation
- Locking cabinets and drawers containing confidential information
- Securely storing NHS Smartcards
- Securing key-padded rooms
- Wearing ID badges
- Not leaving confidential papers or waste lying around
- Locking PCs when not using them
- Not writing passwords down
- Not installing or downloading software onto CCG computers

The IG Team can advise on further steps you can take on such topics as:

- Protecting your IT Networks
- Remote working and portable devices best practice
- USB good practice
- Destruction and wiping of USBs

Use of Email

Email is used by virtually everyone within a practice to communicate with colleagues, as well as communicating externally with other colleagues in the extended NHS, social care and other sectors. There are some basic guidelines to ensure that it is used effectively, safely, and does not breach IG rules.

Sending Confidential Information Securely

When it is appropriate to transfer PCD, the use of an NHSmail account is necessary. For the sake of clarity, NHSmail is the @nhs.net domain; NHSmail is sometimes called NHS.net. Ideally, the sender should use NHSmail.

If the recipient does not have access to an NHSmail account or one of the below, you will need to use the [secure] function to encrypt the email.

Emails that end in the below domains are secure:

- NHS: nhs.net
- Criminal Justice: cjsm.net
- Ministry of Defence: mod.uk
- Police: pnn.police.uk
- Local and Central Government: gov.uk

Organisations also have the option of demonstrating to NHS Digital that their email services are compliant with the secure email standard – these are then known as ‘accredited’ for one year. After the 12 months expire they need to be re-accredited.

For the current list of accredited organisations please go to: https://digital.nhs.uk/services/nhsmail/the-secure-email-standard

To use the [secure] function all you need to do is put the word secure in square brackets in the subject line of the email and the email will be encrypted like any other secure email. Please note that you need to be sending from an NHS.net account. The benefit of this is that any email trail after this will continue to be encrypted. The recipient will need to create an account and password but they will only have to do this once. Further guidance can be found here.
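The secure-domain list and the [secure] subject-line rule above, written out as a pre-send check. This is an added example in Python and is not part of this guide or of NHSmail: it assumes the five domains the guide lists, treats any address whose domain ends in one of them (at a label boundary) as secure, and uses a hypothetical placeholder entry for accredited organisations; every address in it is constructed.

```python
"""Pre-send check: does this email need the [secure] tag, or may it go at all?

Added example, not from the GP Resource Guide. It encodes the guide's rule:
recipients on a listed secure domain need nothing extra; anyone else needs
the [secure] tag, which only works when sending from an nhs.net account.
"""
from email.utils import parseaddr

# Secure domains exactly as the guide lists them (constructed mapping).
SECURE_DOMAINS = {
    "nhs.net": "NHS",
    "cjsm.net": "Criminal Justice",
    "mod.uk": "Ministry of Defence",
    "pnn.police.uk": "Police",
    "gov.uk": "Local and Central Government",
}

# Hypothetical placeholder: organisations accredited against the secure email
# standard. The real list is published by NHS Digital and accreditation lapses
# after 12 months, so this set must be refreshed, never hard-coded for real.
ACCREDITED_DOMAINS = {"accredited.example"}

# The guide requires the [secure] function to be used from an NHS.net account.
REQUIRED_SENDER_DOMAIN = "nhs.net"


def address_domain(address):
    """Lower-cased domain of an address; tolerates 'Dr X <dr.x@nhs.net>' form."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        raise ValueError("not an email address: %r" % (address,))
    return addr.rsplit("@", 1)[1].strip().lower()


def is_secure_domain(domain):
    """True if the domain is, or is a subdomain of, a listed secure domain.

    Matching is done at a label boundary: 'trust.nhs.net' matches, but a
    look-alike such as 'nhs.net.example.com' does not.
    """
    domain = domain.lower().rstrip(".")
    for trusted in SECURE_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return True
    return domain in ACCREDITED_DOMAINS


def plan_send(sender, recipients, subject):
    """Decide how PCD may go out.

    Returns a dict with:
      mode     - 'plain' (all recipients secure), 'encrypt' ([secure] tag
                 added), or 'blocked' (insecure recipient but sender is not
                 an nhs.net account, so the tag would not work)
      subject  - subject line to use
      insecure - recipients that are not on a secure or accredited domain
    """
    insecure = [r for r in recipients if not is_secure_domain(address_domain(r))]
    if not insecure:
        return {"mode": "plain", "subject": subject, "insecure": []}
    if address_domain(sender) != REQUIRED_SENDER_DOMAIN:
        return {"mode": "blocked", "subject": subject, "insecure": insecure}
    # Do not double-tag a subject that already carries [secure] in any case.
    if subject.lower().startswith("[secure]"):
        tagged = subject
    else:
        tagged = "[secure] " + subject
    return {"mode": "encrypt", "subject": tagged, "insecure": insecure}


if __name__ == "__main__":
    # Constructed addresses only.
    print(plan_send("gp@nhs.net", ["clinic@nhs.net", "probation@cjsm.net"], "Referral"))
    print(plan_send("gp@nhs.net", ["clinic@nhs.net", "family@example.com"], "Referral"))
    print(plan_send("gp@example.org", ["family@example.com"], "Referral"))
```

The check answers only the transport question. The guide's other conditions still apply before anything is sent: the Caldicott test of whether the information needs to go at all, the minimum-necessary rule, and sending to a named individual or team mailbox rather than a generic admin address.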

As with all communication of PCD, the Caldicott Principles must be adhered to at all times when sending PCD. It is important that you consider carefully whether it is necessary to transmit the information at all. Information should only be communicated to people who have a justified reason for receiving it, and no more than the absolute minimum of information necessary should be communicated, e.g. NHS number rather than name and address.

The recipient’s email address should be an appropriate one; preferably, it should be sent either to an individual or to a team email address to which only appropriate individuals have access. Sending PCD to a generic admin email address is not generally acceptable, even by secure NHSmail.

Auto-Forwarding of Email

Staff are not permitted to set auto forward rules on their mailboxes to any other destination, as this can result in data being sent insecurely and potential breaches of Data Protection legislation.

Managing Emails as Records

Emails can be, and often are, formal business records which provide evidence of important transactions. This highlights the need to manage emails as records. An email record must be managed according to content and not based on the fact that it happens to be an email. It is every staff member’s responsibility to do this regularly and effectively.

Given the volume of emails sent and received each day, it is neither practical nor desirable to manage each and every one as a formal business record. The skill is to be able to identify and capture that small percentage of emails that need managing as records. This can include those which deal with or contain:

- Information which needs to be retained for compliance reasons, e.g. as part of a medical record or business audit trail
- Formal agreements, e.g. approval of contracts, project plans, policies
- Decisions / confirmation of actions, e.g. approval to spend money or carry out an activity
- Confirmation of completion, e.g. project sign off, receipts of goods etc.

For those emails which are identified as being records it is important that they are managed in context with the other records to which they relate, i.e. transferred from the user's inbox to the appropriate storage location, which could include either printing it and storing it in hard copy, such as in a Medical Record, or saving it to an appropriate network folder.

To ensure authenticity and completeness it is important that all sender and recipient information is carried over with the email record, including all parties receiving the email as a carbon copy (CC) or blind carbon copy (BCC).

To ensure integrity it is important to ensure and be able to demonstrate that no element of the email has been or can be altered in any way after being saved as a record. This includes changes to the content, but also to the transmission data and the content of any attachments transferred with the original message. This may be variously achieved by altering the properties of the file to a 'read only' status, or modifying the permissions within the specific area of the record keeping system to prevent further amendment.
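One way to put the authenticity and integrity points above into practice when an email is filed electronically: keep the complete message, transmission headers included (To, Cc and Bcc), mark the saved file read-only, and keep a fixity digest so that any later change can be detected rather than merely forbidden. This is an added Python example, not the guide's or any record-keeping system's own code; the message, its addresses and its Message-ID are constructed placeholders.

```python
"""File an email as a record with all headers, read-only, plus a fixity digest.

Added example, not from the GP Resource Guide. The digest is stored beside
the record (here just returned); re-hashing the file later shows whether the
content, transmission data or attachments have been altered since filing.
"""
import hashlib
import hmac
import os
import stat
import tempfile
from email import policy
from email.message import EmailMessage


def build_sample_record():
    """Constructed example of an email that qualifies as a business record."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "practice.manager@nhs.net"   # placeholder address
    msg["To"] = "finance@nhs.net"              # placeholder address
    msg["Cc"] = "partner.gp@nhs.net"           # placeholder address
    msg["Bcc"] = "audit.mailbox@nhs.net"       # kept on purpose: the record must show every party
    msg["Date"] = "Mon, 04 Nov 2019 09:30:00 +0000"
    msg["Message-ID"] = "<record-0001@example.invalid>"  # placeholder identifier
    msg["Subject"] = "Approval to purchase replacement printer"
    msg.set_content("Approved, charge to budget code ADM-01.\n")
    return msg


def record_bytes(msg):
    """Serialise the whole message verbatim, headers and body together."""
    return msg.as_bytes()


def fixity_digest(data):
    """SHA-256 over the exact bytes that were filed."""
    return hashlib.sha256(data).hexdigest()


def save_record(msg, path):
    """Write the message, make the file read-only, return its fixity digest."""
    data = record_bytes(msg)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)  # r--r--r--
    return fixity_digest(data)


def verify_record(path, expected_digest):
    """True only while the file on disk still hashes to the filed digest."""
    with open(path, "rb") as fh:
        return hmac.compare_digest(fixity_digest(fh.read()), expected_digest)


def demo_round_trip():
    """File a record, verify it, alter it, and show the alteration is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "approval.eml")
        digest = save_record(build_sample_record(), path)
        intact = verify_record(path, digest)
        # Read-only permissions alone can be undone by anyone with enough
        # rights; the digest still reveals the change.
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
        with open(path, "ab") as fh:
            fh.write(b"Amended after filing\n")
        tampered = verify_record(path, digest)
        return intact, tampered


if __name__ == "__main__":
    print(demo_round_trip())  # expected: (True, False)
```

The read-only flag implements the guide's "prevent further amendment" step; the digest covers the "be able to demonstrate" step, since a permission bit can be flipped back without trace, whereas a mismatching hash cannot be explained away. Where records are held in a shared system, the digest would be recorded in the system's register rather than returned to the caller as here.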

Photography and Recordings

In this highly technological world it is so easy to capture a special moment using a camera, mobile phone or tablet that taking photographs and recordings (both video and audio) has become almost second nature, done without thought to the wishes of those whose images are being captured.


Generally, it is unacceptable to take photographs or record any images or audio of anyone without their explicit consent.

In a setting such as a hospital ward or department, care must be taken to ensure that the privacy of patients and staff is not compromised. Similarly, those in an office or attending an event may not expect (nor wish) for recordings and photographs to be taken.

Whilst many people will feel entirely comfortable with being photographed or recorded it should be recognised that this will not apply to all.

Data Protection law does not specifically prohibit the taking of photographs and videos for personal use and for the vast majority of people their images will fall into this category.

Giving due regard to the privacy of the patients and / or staff can be a difficult call to make, but a polite request to the individual to delete the photograph or video, or possibly to reframe it so that no-one else is captured, will usually be sufficient.

Posting of photographs at work and of patients or their information on social media is clearly unacceptable, especially if the patient or member of staff had previously refused consent to be photographed. There is in reality little that can be done ‘after the event’ to get photographs or video removed once they appear on social media sites, unless they can be considered libellous.

If a patient or member of staff feels sufficiently strongly about the use of their image on a social media site, they may need to get legal advice on the options open to them.

Photographs or videos taken with the intention of publication, for which payment may or may not be received, must have the explicit consent of the subject.

CCTV

If you use CCTV you must have sufficient notices up in your practice so that your patients know that you are using CCTV. You must also include this in your Privacy Notice.

Patients recording consultations

Patients may wish to make a recording of their appointment for their own records. They are allowed to do so; however, considerations need to be made to ensure that patients only record their own information. If you have any concerns speak to your Data Protection Officer.

Information Governance Mandatory Training

Every member of staff is required to complete mandatory annual IG training. This includes all new starters, existing staff, temporary workers, volunteers and contractors. The GP has a responsibility to ensure that those working with your patients’ and staff information are aware of the IG principles and the risks to the reputation of the GP, which may occur if processes are not followed.

E-learning for Health hosts the Data Security Awareness level 1 training which is recommended by the Data Security and Protection Toolkit. However, if you use Bluestream, please ensure your staff complete both the GDPR (full) module and the Information Governance module.

Staff within key IG roles are also required to complete specialist training relevant to their role, e.g. Caldicott Guardian must complete accredited Caldicott Guardian training every 2 years.

Records Management

Records Management is the process by which an organisation manages all the aspects of records whether internally or externally generated and in any format or media type, from their creation, all the way through their lifecycle to their eventual disposal. It is the aim of the organisation to ensure that records are accurate and reliable, can be retrieved swiftly and kept for no longer than necessary.


The NHS has at least two categories of records, medical and corporate:

Medical Records contain all of the patient’s health information for all specialties and include, but are not limited to, private patients, x-ray and imaging reports, registers, etc.

Corporate Records are administrative records including, but not limited to, those for personnel, estates, financial and accounting records, and notes associated with complaints.

Records within the NHS can be held in paper (manual) or electronic form and all NHS organisations will have a duty to ensure that their patient record systems, policies and procedures comply with the requirements of the Care Record Guarantee.

Management of the GP’s records is guided by the Records Management Code of Practice for Health and Social Care.

Information Asset Register

All information assets must be logged on an Information Asset Register. This helps an organisation identify and manage the information assets they have, where they are stored, how they are secured, assess potential risks associated with them and establish what assets are business critical. Information Asset Registers (IARs) should be reviewed annually. An organisation should fully understand what information it holds in order to protect it.

Data Flow Mapping

Data Flow Mapping should be carried out and reviewed annually. A Data Flow Map is a log or map showing how information flows into and out of the organisation, how it is stored and secured, and the method used for transfer, and it assesses the associated risks.

Freedom of Information Requests

The Freedom of Information Act 2000 (FOIA) gives members of the public access to any recorded information held by public authorities including the NHS. It promotes transparency and allows the public to hold public bodies to account, both on how their money is being spent and how decisions are made which may affect their lives. Access is given in two ways:

- Anyone worldwide is entitled to request any information held
- The publication of certain information about public sector organisations’ activities on their website, known as a Publication Scheme

Whilst you may not receive many Freedom of Information requests you still have to respond appropriately. Use the below guidance and if you still require help the IG Team can advise you.

Establishing the correct response mechanism

You may get various requests for information and the onus is on the Practice to establish which response mechanism is required. In the first instance use the below table to establish which should be used.

Is the request for information part of your daily provision of information?
Not all requests for information need to go through official channels. If you would usually provide the information as part of your regular disclosure then go ahead and provide it as you would normally.

Is the request asking for information about a person?
If they have quoted the FOIA, you need to respond to say that any release of personal information is exempt under the FOIA; however, the request can be processed under the DPA.

Is the request asking for information about the environment?
Regardless of what piece of legislation they have quoted, if any, this request needs to be dealt with under the Environmental Information Regulations 2004. Requests like these will be rare, but if you suspect you have one please speak to the IG Team.

Is the request for official information which doesn’t form part of your normal business?
Anything that falls outside your routine disclosure, and that isn’t relating to personal information, must be processed under the FOIA.

Obligations under the FOIA

You have various obligations under the Act and they are:

- Respond to requests promptly; you have 20 working days counting from the first working day after the request has been received. This time is counted from when the request is received into the organisation, not from when it reaches the FOI lead or team
- Confirm whether you have any of the information; and then provide the information. You may need to ask for clarification first before you can fully answer the question
- Redirect; if you do not hold the information they are asking for but you know who does, you have a duty to aid and assist the requestor in finding that information

Receiving a request

A valid request under the Freedom of Information Act must:

- Be in writing, but it does not have to mention the Act for it to be processed under it. If you have a designated individual / team that deals with Freedom of Information requests then it is good practice to either provide their details or pass the request on to them. You cannot ignore or refuse a request because it has been addressed to the wrong person
- Include the requestor’s real name; if it is not clear who is requesting you can refuse the request until they can supply you with a name
- Include an address for correspondence; this can be a postal address or email address
- Describe the information requested; a genuine attempt to describe what is being asked for is enough to trigger the Act, even if the request is vague or too broad

Clarifying a request

Before you begin to respond read the request carefully and ensure you know what it is they are asking. Don’t answer with what you think they know, but answer exactly what it is they are asking.

If it is not clear what they are asking then you can ask for clarification. This must be done as soon as possible. You must think about how you ask for clarification very carefully. You must ensure that the clarification question you ask is specific enough that once you receive the response you will be able to answer the request. There is no point asking the question if you are fairly certain that you will not be able to answer. You can provide some clarification yourself as to what you can answer when asking for clarification as this may help the requestor narrow down what it is they want.

If you have gone back for clarification on the whole request the clock stops for the whole request until the clarification is received at which point it reverts back to the 20 days.

If however, you are only asking clarification about one part of the request then the hold is only put on the one part you are asking clarification on. The rest must be responded to in the original timeframe.

The requestor has 20 days to respond to the clarification. If no clarification is forthcoming then the part/s of the request awaiting clarification can be closed and response is not required.

Responding to a request

Once you have a request and are clear what the requestor is asking for you can gather the requested information. This may mean gathering it yourself or delegating someone else to do this. Either way the information must be presented in a clear and concise way. Regardless of who this request is going to, you must write the response in a way that will make sense to anyone. All FOIA responses should be published, so you must bear that in mind when writing a response.

Once the response is collated it must be sent back to the requestor before the 20 working day deadline.

Applying an exemption

There are several exemptions that can be used under FOIA. Below are some of the more common ones you might use:

Section 12: if the time to respond would exceed 18 hours
Section 21: the information is already available in the public domain
Section 22: the information is intended for future publication
Section 36: release would prejudice the conduct of public affairs
Section 38: release would impact on health and safety
Section 40: the information requested is personal information of either the requestor or someone else
Section 43: the information is commercially sensitive

If you think that any of the information you have been requested to release shouldn’t be released then speak to the IG Team and they will help you establish if you can apply an exemption and, if so, which one.

Appeals

The requestor might not agree with your response, or might think that you have not answered the request correctly. If they come back with a challenge, you must conduct an internal review to establish whether or not the request was answered correctly. You must then respond to the requestor with either the correct answer or an explanation as to why you cannot answer it in the way they were expecting.

After this, the requestor is entitled to complain to the ICO, who may conduct their own investigation. It is therefore very important that you respond correctly in the first instance. If you think you need help responding appropriately, contact the IG Team.

Data Protection Impact Assessments / Privacy Impact Assessments

It is the responsibility of all staff to incorporate IG into their working practices and to require partner organisations to provide assurance that information will be handled in a secure and appropriate manner. As part of the IG framework, responsible managers and staff must consider IG implications when starting new projects or updating existing ones. It is essential to involve the IG Team at the earliest possible opportunity so that they can advise on the IG elements that will need to be considered.

A Data Protection Impact Assessment (DPIA), sometimes referred to as a Privacy Impact Assessment (PIA), is a risk assessment tool mandated by the GDPR to help establish IG implications at the start of a proposal, programme or project. The ICO recommends that you carry out a DPIA even when you are not legally obliged to do so.

Identifying IG elements at an early stage will help ensure:

- The aims of the project are met wherever possible
- Compliant operations
- Necessary information sharing protocols are in place
- IG and Data Protection risks are minimised

It will also help to avoid failing to comply with the GDPR and the subsequent fines from the ICO.

Business Continuity

Business Continuity Management is a process used to identify key services which, if interrupted for any reason, would have the greatest impact upon the community, the health economy and the organisation. Its purpose is to identify and reduce the risks and threats to the continuation of these key services, and to develop plans which enable the organisation to recover and / or maintain core services in the shortest possible time.

The fundamental aim of business continuity is to ensure that, whatever impacts the CCG, the organisation continues to operate. Business Continuity Plans (BCPs) help shape organisational resilience to threats, plan counteractions and minimise interruptions to CCG activities caused by major failures of, or disruption to, its Information Assets (e.g. data, data processing facilities and communications).

A BCP is the documented collection of procedures and information that is developed and maintained in readiness for use in an incident to enable the organisation or department to continue to deliver its critical activities at an acceptable predefined level.

Smartcards

Smartcards are required to use and access IT systems essential to healthcare provision. Primary Care Clinicians need to use Smartcards in order to gain access to patient information, including through the NHS e-Referral Service and the Electronic Prescription Service.

Individuals are issued a Smartcard by the organisation's Registration Authority (RA) lead. It is up to the RA Team to verify the identity of all healthcare staff who need to have access to PCD. Access is granted based on the individual's role and their level of involvement in patient care.

All staff issued with a Smartcard and passcode must be aware that they must comply with the terms and conditions of issue. Failure to do so will be dealt with as a serious disciplinary matter.

Staff must not share or allow usage of their Smartcards by colleagues, including managers, peers or IT personnel, for any reason.

The use of Smartcards leaves an audit trail detailing access and usage, including where a record has only been viewed. This audit information may be used in disciplinary procedures regarding inappropriate or unauthorised access to systems.

Line Manager Responsibilities

- To identify all roles within their area of responsibility which require access to the system and ensure that staff, including employees, bank, locum, agency workers, contractors, volunteers and office holders, are provided with appropriate access.
- To ensure, for all roles that involve access to the system, that job descriptions and any recruitment materials make reference to the need to be registered and the role's responsibilities in relation to using the system.
- To ensure that all new starters within their area of responsibility, including agency / temporary employees, receive training in order to be able to access the system.
- To ensure that all staff are aware of IG policies, associated documentation and their responsibilities in relation to use of and access to the system.
- To ensure the leavers' policy is followed when a member of staff leaves the organisation.

Staff Smartcard Code of Practice

- Use your Smartcard responsibly and in line with your access rights.
- Report the loss, theft or misuse of your Smartcard. Replacement cards can be obtained.
- Ensure that you keep your Smartcard and log-in details confidential. In particular, you must not leave your PC logged in and you must not share or provide access to your Smartcard or passwords.
- All members of staff using Smartcards must follow the IG policies and procedures, and adhere to the Data Protection and Caldicott Principles.

Data Quality

Data quality is vital to the decision-making processes of any organisation. This is particularly important for a public service such as the NHS, where financial integrity and public responsibilities of care need to be ingrained in the services provided.

Data Quality can be defined as captured information that is consistently fit for its intended use in representing real-world figures and situations, helping to inform operational decision making and planning, risk assessment and financial transactions.