Document Title Information Sharing Policy…Document Title Information Sharing Policy Reference...

Document Title Information Sharing Policy

Reference Number CNTW(O)62

Lead Officer

Lisa Quinn, Executive Director of Performance and Assurance

Dr. Rajesh Nadkarni, Executive Medical Director (Caldicott Guardian)

Author(s) (name and designation)

Angela Faill, Head of Information Governance and Medico Legal.

Ratified by Business Delivery Group

Date ratified Dec 2019

Implementation Date Dec 2019

Date of full implementation

Dec 2019

Review Date Dec 2022

Version number V05

Review and Amendment

Log Version

Type of Change

Date Description of Change

This Policy supersedes the following document which must now be destroyed:

Document Number Title

NTW(O)62 – V04.4 Information Sharing Policy

Information Sharing Policy

Section Contents Page No.

1 Introduction 1

2 Purpose 2

3 Duties, Accountability and Responsibilities 3

4 Definition of Terms 4

5 Procedure / Process 6

6 Identification of Stakeholders 13

7 Training 14

8 Implementation 14

9 Fair Blame 14

10 Fraud, Bribery and Corruption 14

11 Monitoring 14

12 Associate Documents 15

13 References 15

Standard Appendices – attached to Policy

A Equality and Diversity Impact Assessment 16

B Training Checklist and Training Needs Analysis 18

C Audit Monitoring Tool 20

D Policy Notification Record Sheet - click here

Appendices – listed with the Policy

Appendix No:

Description

Appendix 1 DPA Principles

Appendix 2 Caldicott Approval Form

https://www.cntw.nhs.uk/about/policies/appendix-d-policy-notification-record-sheet/

CNTW (O) 62

Cumbria, Cumbria, Northumberland,, Tyne and Wear NHS Foundation Trust CNTW (O) 62 – Information Sharing Policy – V05-Dec 19

1

1 Introduction. 1.1 This Information Sharing Policy has been developed for Cumbria,

Northumberland, Tyne and Wear NHS Foundation Trust (the Trust / CNTW) but may be used by all public sector organisations within the United Kingdom and any other organisation that would benefit from this guidance in managing information sharing arrangements.

The Information Sharing Policy comprises the common principles and procedures to be adopted;

The Information Sharing Policy sets out the basis for agreement between agencies to govern the sharing of personal information about service users and facilitate the development of information sharing agreements;

The Information Sharing Policy will be supplemented by the Information Sharing Agreement as attached at Appendix 1 and the Practice Guidance Note;

Whilst personal information held by NHS Organisations should be properly protected, there is also a growing expectation that information will be shared between health bodies, public and local authorities and the Police service where it is appropriate to do so. Sharing information is a key element in the delivery of high quality, cost effective and seamless public services;

The Health Act 1999 has expanded the statutory obligations on public service agencies to work together in the planning and delivery of health and social care services. Implicit in performing this duty is the need to share information;

The Data Protection Act 2018 places an emphasis on the protection of patient identifiable information which has, in the past, made agencies very reluctant to share information for fear of breaking the Law. It also meant, however, that information which should have been shared was kept within one agency. There is a need to share information within a framework of clear understanding between agencies

The Department of Health Guidance 'Information Sharing and Mental Health - Guidance to Support Information Sharing by Mental Health Service (DOH 2009) emphasises the importance of information sharing in order to deliver effective public services and to enable early intervention and protection where necessary;

The Caldicott Guardian Manual 2006 recommended that Policies should be developed to protect the exchange and disclosure of patient identifiable information;

CNTW (O) 62


2

The Trust therefore recognises the importance of information sharing within a framework of appropriate controls to protect confidential and sensitive information.

2 Purpose. 2.1 The purpose of this Policy is to:

Ensure common understanding exists between the agencies within the United Kingdom as to the importance of information sharing, confidentiality and information security;

Set out the basis for the secure transfer and use of person identifiable information across traditional organisational boundaries;

Provide a robust framework for the legal, secure and confidential sharing or joint processing of personal data;

Define the key principles which will facilitate the sharing of personal data with partner organisations;

Establish a common standard to which all partner organisations will aspire in respect of the treatment of personal data;

Assist professionals to feel confident that personal information is being shared in the right ways for the right reasons.

2.2 This Policy will:

Set out the legal framework and basis for information sharing

Define the responsibilities of the organisation and individuals within the organisation for information security and sharing

Establish the key principles inherent in all aspects of information sharing

Establish the process for data flows and Caldicott Approval

Establish the use and format of the Information Sharing Agreement

CNTW (O) 62


3

3 Duties, Accountability and Responsibilities:

3.1 The Trust

Ensuring that staff, volunteers and contractors are provided with the necessary training to be aware of, and comply with, their responsibilities in regard to the confidentiality of information.

3.2 Chief Executive

Overall responsibility for implementation of and compliance with this Policy.

3.3 Trust Senior Information Risk Owner (SIRO)

Co-ordinating development and maintenance of information risk management policies, procedures and standards for the Trust. The SIRO is the Executive Director of Performance and Assurance

The ongoing development and day to day management of the Trust's Information Risk Management Programme

3.4 Caldicott Guardian

Overseeing the establishment of procedures governing access to, and the use of personal information and where appropriate, the transfer of that information to other bodies

Upholding the Caldicott principles, taking account of the codes of conduct provided by professional bodies

3.5 Information Governance and Medico Legal Department

Dealing with enquiries, providing advice and guidance to support the appropriate use of sharing personal information;

Supporting the Data Protection Officer, Caldicott Guardian and Senior Information Risk Owner (SIRO)

Supporting staff in obtaining Caldicott approval for information sharing.

Reviewing the data flows within the Organisation on a regular basis

CNTW (O) 62


4

3.6 Caldicott and Information Governance Group

Developing and supporting the implementation of Information policies/procedures and supporting the appropriate sharing of information.

3.7 Group Directors

Ensuring implementation throughout their respective Locality Care Groups.

3.8 Trust Information Asset Owners (IAO’s)

Ensuring that information risk assessments are performed routinely on all information assets where they have been assigned 'ownership' following guidance from the SIRO on assessment, method, format, content and frequency

Authorising / controlling system administration.

3.9 Line Managers

Line managers are responsible for ensuring staff in their service area implement the requirements of this Policy, including providing appropriate advice and support. Line Managers should bring to the attention of the Trust-wide Caldicott and Health Informatics Group any issues related to information risk or policy implementation.

3.10 All Employees

All Employees of the Trust, Temporary Staff, Volunteers, Contract and Agency Staff and any other persons working on behalf of the Trust are bound by this Policy and should be aware that any breach of confidentiality could be a matter for disciplinary action.

4 Definition of Terms.

Risk: The chance of something happening, which will have an impact upon objectives. It is measured in terms of consequence and likelihood

Risk Assessment: The overall process of risk analysis and risk evaluation

Risk Management: The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effect

CNTW (O) 62


5

Risk Management Process: The systematic application of management Policies, Procedures and Practices to the tasks of establishing the context, identifying, analysing, evaluating, treating, monitoring and communicating risk.

Personal Data

Data which relates to a living individual who can be identified from those data and other information which is, or is likely to come into the possession of the data controller, and includes any expression of opinion and any indication of the intention of the data controller, or any other person, in respect of the individual. Personal information that is held by The Trust and subject to the provisions of the Data Protection Act includes information about employees and organisations, as well as clients of the Trust.

Special Categories of Personal Data

Special category data is personal data which is more sensitive, and so needs more protection. For example, information about an individual’s:

race

ethnic origin

politics

religion

trade union membership

genetics

biometrics (where used for ID purposes)

health

sex life; or

sexual orientation

Information Sharing Agreement: An over-arching framework for sharing information between the Trust and one or more other agencies. It is not contractually binding but is used to set good practice standards that the parties need to meet in order to fulfil any duty of care which exists in relation to the regular / routine sharing of personal information;

Anonymised information: Information that cannot identify an individual;

CNTW (O) 62


6

Pseudonymised information: Information that has had any data making the data personally identifiable replaced by another non-identifiable data e.g. the NHS number replaced with a random ID Number;

Access to records requests: The process by which the Trust responds to patient / service users who are entitled to see their records.

5 Procedure/Process: 5.1 Legal Framework 5.1.1 It is important that practitioners are aware of the legal framework which

governs the sharing of personal information. 5.2 Administrative Law

A public authority derives its powers from statute and must not act out of or in excess of those powers. Any act that is in excess of its powers is said to be ultra vires and may be subject to Judicial Review

It is necessary to consider legislation that relates to the Policy or service that the sharing of data supports.

5.3 The Data Protection Act 2018 (DPA)

The DPA regulates the processing of person identifiable information. Person identifiable information can be split into personal and special category of information. (Explanation of differences under Section 4 Glossary of terms.)

The DPA should not be used as a barrier to sharing information if lawfully permitted;

The DPA requires that the processing of information must comply with the seven Data Protection Principles (attached at Appendix 2) and be in accordance with the rights of the data subject;

The Data protection Act 2018 provides that information can be shared even where consent has not been obtained, where conditions for processing under the Act can be relied upon (other than consent as a condition for processing) and common law duty of confidentiality, where appropriate, has been considered and satisfied. Further information regarding condition for processing and common law duty can be found in (link to DPA policy).

CNTW (O) 62


7

5.4 The Human Rights Act 1998 (HRA).

The HRA gives effect to the principles conferred by the European Convention on Human Rights (ECHR). It is unlawful for any public authority to act inconsistently with any of the Convention rights;

Article 8 of the ECHR provides the right to respect for private and family life. This right can only be interfered with when it is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country for the prevention of disorder or crime, for the protection of health or morals or for the protection of the rights and freedoms of others.

5.5 The Common Law Duty of Confidentiality.

Medical records and information constitute confidential information;

Confidential information cannot be disclosed to a third party without lawful authority. A breach of this duty of confidence may result in an entitlement to damages

The duty of confidentiality requires that unless there is a statutory requirement or other legal basis for disclosure, confidential information should only be used for the purpose for which the patient disclosed it

Exceptions to the duty of confidentiality include where information is already in the public domain, where consent is sought and received, where disclosure is required by statute or Court Order, or where the public interest in disclosure outweighs the public interest in maintaining confidentiality.

5.6 The Caldicott Report and Caldicott 3.

Dame Fiona Caldicott first investigated issues surrounding confidentiality when she chaired a review in 1996-97 on the use of patient data in the NHS. The review recommended that the NHS adopt six principles for the protection of confidentiality, which became the known as the ‘Caldicott principles’. The review also recommended that NHS organisations appoint someone to take responsibility for ensuring the security of confidential information. These people become known as ‘Caldicott Guardians’;

CNTW (O) 62


8

Following a request from the Secretary of State for Health, Dame Caldicott carried out the latest independent review of information sharing to ensure that there is an appropriate balance between the protection of patient information and the use and sharing of information to improve patient care

In April, 2013, the Caldicott 2 report was published. The reach of Caldicott 2 is far wider than the 1997 report. Its recommendations affect all organisations working in the health and social care sector – including local authorities. The Department of Health has endorsed the 26 recommendations of Caldicott 2 and revised Caldicott principles

In respect of every use of patient identifiable information, the Caldicott Principles require public authorities to:

o Justify the purpose for using confidential

information

o Only use confidential information when absolutely necessary

o Use the minimum that is required

o Ensure that access is on a need to know basis

o Ensure that everyone understands their responsibilities

o Understand and comply with the law

o Duty to share information can be as important as the duty to protect patient confidentiality.

5.7 National and Local Guidance. 5.7.1 Compliance with relevant government and professional guidance is also

important in ensuring that information is managed appropriately. Importance guidance includes:

NHS Confidentiality Code of Practice – Department of Health 2003

NHS Information Governance – September 2007

Information sharing and mental health – guidance to support information sharing by mental health services. Department of Health 2009

NMC Confidentiality Guidance 2009

CNTW (O) 62


9

GMC Confidentiality Guidance 2009 5.8 Summary of the Legal Framework. 5.8.1 In order to ascertain whether there is a legal basis for information sharing

the following should be considered:

Whether there is a power to carry out the function to which the information Sharing relates

Whether there are express statutory restrictions on the data sharing activity proposed, or any restrictions which may be implied by the existence of other statutory, common law or other provisions

Whether the data sharing would be in accordance with the Data Protection Act 2018, in particular the Data Protection Principles

Whether the sharing of the data would breach any obligation of confidence

Whether the sharing of the data would interfere with rights under Article 8 of the European Convention on Human Rights in a way which would be disproportionate to the achievement of a legitimate aim and unnecessary in a democratic society;

Whether the Caldicott Principles are complied with in any sharing of information.

5.9 Key Principles of Information Sharing: 5.9.1 Commitment to share personal data

To recognise that multi-agency initiatives require a commitment to sharing personal information about service users in compliance with national guidance and legislation.

5.9.2 Compliance with Legislation

To ensure that personal information is only shared in accordance with statutory duties, including the requirements of the Data Protection Act 2018.

5.9.3 Compliance with Caldicott Principles

Caldicott approval is required for all new routine data flows and also all 'one off' or ad hoc requests for release of health, social care or other personal information where consent is not available or is refused. The Caldicott Approval Form can be found at Appendix 2.

CNTW (O) 62


10

5.9.5 Consent

To obtain the consent of the service user to share personal information where there are no alternative conditions for processing under data protection legislation which can be relied upon

To make service users aware of any information which will be shared and the purposes for which it will be used

To not share information where consent is refused and the only available condition for processing is consent

To keep records of the efforts made to obtain consent and details of whether consent was obtained or refused

Consideration must be given to the provisions of the Mental Capacity Act 2005 (MCA).

5.10 Justification/Purpose for Sharing

To clearly define the purpose and justification for information sharing. To ensure that when sharing personal information only the minimum required for the purpose is shared.

5.11 Fairness and Transparency

To ensure that the public are informed of the purposes for processing their personal information and to whom it will be disclosed.

5.12 Information Standards

Personal information will only be disclosed where it is legally justified

Personal information will be anonymised/pseudonymised where appropriate.

5.13 Requesting Data 5.13.1 In accordance with the Caldicott Principles, any request for data should

include:

The purpose for which the information is to be used

The data items needed i.e. name, diagnosis etc. (only the

CNTW (O) 62


11

requested);minimum data required to undertake the task should be

If relevant, who the data may be shared with

The time period for which the data will be held

An assurance that the data will be kept in a secure environment e.g. that data will be kept in a password protected database

An assurance that access to the information will be restricted and that the staff who have access to the data understand their responsibility to keep the data secure;

An assurance that the organisation is registered with the Information Commissioner to hold and use the data they are requesting.

5.14 Complaints Procedure

Procedures should be in place to address complaints relating to the disclosure of information;

All complaints and issues relating to information sharing must be dealt with in accordance with the Trust’s Policy, CNTW (O) 07 - Comments, Compliments and Complaints.

Next paragraph: Data Subject Rights – acknowledge the obligations on organisation in safeguarding/providing access in respect of data subject rights. Link to individual rights policy.

5.15 Data Flows

A data flow is any transfer of data between the Trust and a third party

All new routine data flows for the purposes of a contract must be agreed by the Caldicott Guardian / SIRO

Consideration will be given as to whether it is appropriate to enter an Information Sharing Agreement for a particular flow

Data flows will be mapped on an annual basis.

5.16 Caldicott Approval 5.16.1 Caldicott approval is required for all new routine data flows and also all ‘one

off’ or ad hoc requests for release of health, social care which require appropriate escalation and consideration by the Caldicott Guardian. The IG

CNTW (O) 62


12

& Medico Legal Department can support staff in considering routine data flows, and ‘one off’ or ad hoc requests.

5.16.2 When a request to share information is made the IG & Medico Legal Department will:

Consider whether sufficient information has been provided by the requestor

Consider whether the anonymous or pseudonymised data could be used

Maintain a log of all requests and decisions

Report requests to the Trust-wide Caldicott Information Governance Group.

5.17 Information Sharing Agreement

5.17.1 Where a request for information is a request for a routine data flow or where large amounts of information are to be regularly shared, Caldicott Approval should be sought for the parties to enter an Information Sharing arrangement.

Legislation does not require an Information Sharing Agreement document to be used. The detail around confidentiality, security and governance of personal data can be included within other relevant documentation i.e. a contractual arrangement, a service level agreement, a Memorandum of Understanding etc.

5.17.2 Where an ISA required, an ISA template is attached to this policy at

Appendix 1. 5.17.3 Each Individual Information Sharing Agreement (ISA) or appropriate

provisions will set out the detailed arrangements relevant to that particular application. All individual Information Sharing Agreements /provisions will need to be fully compliant and consistent with this Policy.

5.17.4 The ISA/provisions are not contractually binding and information may be

shared without these in place, but should be used where appropriate to set good practice standards.

5.17.5 The ISA or provisions will include details of, the parties to the Agreement:

What Information is to be shared

For what purpose information is to be shared

On what legal basis the information is to be shared

CNTW (O) 62


13

Arrangements in place for applicable data subject rights i.e. Right to Access Information.

How frequently information will be shared

How information security will be maintained

What methods of recording, holding, retaining and disposing of information will be used

For what period the information will be retained for. Retention period guidance can be found within (https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/codes-of-practice-for-handling-information-in-health-and-care/records-management-code-of-practice-for-health-and-social-care-2016) however information should not be held where there is no longer a purpose to holding it. Further information available within Record Management Policy CNTW(O) 09

A Multi-agency protocol re information sharing in place across the North East Region. If staff need any information in relation to the protocol please contact the Information Governance (IG) Team.

5.18 Retention and Security of Shared Information

All agencies should put in place policies or procedures governing the secure storage of all personal information retained in their manual or electronic systems

All agencies will ensure that retention and disposal processes for personal information are agreed and adhered to in line with organisational requirements

All agencies will recognise the importance of restricting access to personal information and maintain standards for technical security to protect shared information during transfer and within partner organisations.

6 Identification of Stakeholders. 6.1 This is an existing policy which has only minor changes that do not relate to

operational and/or clinical practice therefore did not require a full consultation process

North Locality Care Group

North Cumbria Locality Care Group

Central Locality Care Group

https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/codes-of-practice-for-handling-information-in-health-and-care/records-management-code-of-practice-for-health-and-social-care-2016





CNTW (O) 62


14

South Locality Care Group

Corporate Decision Team

Business Delivery Group

Safer Care Group

Communications, Finance, IM&T

Commissioning and Quality Assurance

Workforce and Organisational Development

NTW Solutions

Local Negotiating Committee

Medical Directorate

Staff Side

Internal Audit

7 Training 7.1 Training for this Policy is incorporated into the annual Information

Governance Training mandated to all staff. 7.2 Where additional training is required it is the responsibility of both managers

and staff to ensure that this is undertaken and that attendance is verified and recorded.

8 Implementation 8.1 Taking into consideration all the implications associated with this reviewed

policy, it is considered that a target date of December 2019 is achievable for the contents to be implemented across the Trust.

9 Fair Blame 9.1 The Trust is committed to developing an open learning culture. It has

endorsed the view that, wherever possible, disciplinary action will not be taken against members of staff who report near misses and adverse incidents, although there may be clearly defined occasions where disciplinary action will be taken.

10 Fraud, Bribery and Corruption 10.1 In accordance with the Trust’s Policy CNTW (O) 23 – Fraud, Bribery and

Corruption Policy / Response Plan, all suspected cases of fraud and corruption should be reported immediately to the Trust’s Local Counter Fraud Specialist or to the Executive Director of Finance Effective methods of seeking redress in respect of money defrauded.

11 Monitoring 11.1 Responsibility for monitoring compliance with this Policy locally lies with

Directors and Line Managers.

CNTW (O) 62


15

11.2 The Information Governance Team will monitor compliance with this policy through observation, spot checks and through incident management in line with the Trust Incident reporting process.

11.3 All incidents involving the loss of data whether encrypted or unencrypted

must be reported immediately to the Information Governance department and dealt with in accordance with the Trust’s Policy and Practice Guidance Notes, CNTW(O)05 – Incident Policy; Incident Reporting Procedure.

12 Associated Documents

CNTW(O)05 - Incident Management Policy and Procedures

CNTW(O)07 - Comments, Compliments and Complaints Policy

CNTW(O)09 - Management of Records Policy

CNTW(O)23 - Fraud, Bribery and Corruption Policy / Response Plan

CNTW(O)26 - Data Quality Policy

CNTW(O)28 - Information Governance Policy

CNTW(O)29 - Confidentiality Policy

CNTW(O)30 - Removable Media Encryption Policy

CNTW(O)33 - Risk Management Policy

CNTW(O)35 - Information Security Policy

CNTW(O)36 - Data Protection Policy

CNTW(O)43 - Freedom of Information Policy

CNTW(O)44 - Acceptable use of Email Policy

CNTW(O)46 - Security on use of Data and Private Practice Policy

CNTW(O)55 - Information Risk Policy

CNTW(O)56 - Forensic Readiness Policy

CNTW(O)57 - Registration Authority Policy

CNTW(O)65 - Acceptable use of Intranet and Internet

Staff IT Handbook. 13 References:

https://digital.nhs.uk/

https://digital.nhs.uk/

CNTW (O) 62


16

Appendix A

Equality and Diversity Impact Assessment Screening Tool

Equality Analysis Screening Toolkit

Names of Individuals involved in Review

Date of Initial Screening

Review Date Service Area / Locality

Angela Faill December 2019 December 2022

Trust wide

Policy to be analysed Is this policy new or existing?

NTW(O)62 Information Sharing Policy V05 Existing

What are the intended outcomes of this work? Include outline of objectives and function aims

To ensure that Person Identifiable and confidential Data shared with partner organisations is dealt with in accordance with the Data Protection Act 1998 and Caldicott principles, and that all staff are made aware of their personal responsibilities.

Who will be affected? e.g. staff, service users, carers, wider public etc

Staff, service users, carers and the wider public.

Protected Characteristics under the Equality Act 2010. The following characteristics have protection under the Act and therefore require further analysis of the potential impact that the policy may have upon them

Disability Not applicable

Sex Not applicable

Race Not applicable

Age Not applicable

Gender reassignment

(including transgender)

Not applicable

Sexual orientation. Not applicable

Religion or belief Not applicable

Marriage and Civil Partnership

Not applicable

Pregnancy and maternity

Not applicable

Carers Not applicable

Other identified groups Not applicable

How have you engaged stakeholders in gathering evidence or testing the evidence available?

Through standard policy consultation mechanisms.

How have you engaged stakeholders in testing the policy or programme proposals?

CNTW (O) 62


17


For each engagement activity, please state who was involved, how and when they were engaged, and the key outputs:


Summary of Analysis Considering the evidence and engagement activity you listed above please summarise the impact of your work. Consider whether the evidence shows potential for differential impact, if so state whether adverse or positive and for which groups. How you will mitigate any negative impacts. How you will include certain protected groups in services or expand their participation in public life.

Not applicable

Now consider and detail below how the proposals impact on elimination of discrimination, harassment and victimisation, advance the equality of opportunity and promote good relations between groups. Where there is evidence, address each protected characteristic

Eliminate discrimination, harassment and victimisation

Not applicable

Advance equality of opportunity Not applicable

Promote good relations between groups Not applicable

What is the overall impact? Not applicable

Addressing the impact on equalities Not applicable

From the outcome of this Screening, have negative impacts been identified for any protected characteristics as defined by the Equality Act 2010? No

If yes, has a Full Impact Assessment been recommended? If not, why not?

Manager’s signature: Angela Faill Date: December 19

CNTW (O) 62


18

Appendix B

Communication and Training Check List for Policies

Key Questions for the accountable Committees designing, reviewing or agreeing a new Trust Policy

Is this a new policy with new training requirements or a change to an existing policy?

No this is an existing Policy

If it is a change to an existing policy are there changes to the existing model of training delivery? If yes specify below.

Not applicable

Are the awareness/training needs required to deliver the changes by law, national or local standards or best practice?

Please give specific evidence that identifies the training need, e.g. National Guidance, CQC, NHS Resolutions etc.

Please identify the risks if training does not occur

Awareness and Guidance concerning safe sharing of data with partner organisations

Ensure that appropriate training and support are provided to assist staff in safe sharing of information

Please specify which staff groups need to undertake this awareness/training. Please be specific. It may well be the case that certain groups will require different levels e.g. staff group A requires awareness and staff group B requires training.

Trust-wide

Is there a staff group that should be prioritised for this training / awareness?

It is essential that all staff groups working with confidential / personal data are made aware of the policy and the personal responsibilities associated with it

Please outline how the training will be delivered. Include who will deliver it and by what method. The following may be useful to consider: Team brief/e bulletin of summary Management cascade Newsletter/leaflets/payslip attachment Focus groups for those concerned Local Induction Training Awareness sessions for those affected by the new policy Local demonstrations of techniques/equipment with reference documentation Staff Handbook Summary for easy reference Taught Session E Learning

Team brief, CEO Bulletin, Intranet, face to face training, E learning, Staff IT Handbook

Please identify a link person who will liaise with the training department to arrange details for the Trust Training Prospectus, Administration needs

Head of Information Governance and Medico Legal.

CNTW (O) 62


19

Appendix B – continued

Training Needs Analysis

Staff/Professional Group

Type of training Duration of Training

Frequency of Training

All staff sharing service user, staff or confidential information with partner agencies or other third parties

Part of Information Governance training

1 hour Annual

All General awareness of safe Information Sharing is part of Information Governance Training

1 hour

Annual

Copy of completed form to be sent to:

Training and Development Department, St. Nicholas Hospital

Should any advice be required, please contact: - 0191 245 6777 (internal 56777)

CNTW (O) 62


20

Appendix C

Monitoring Tool Statement The Trust is working towards effective clinical governance and governance systems. To demonstrate effective care delivery and compliance, Policy Authors are required to include how monitoring of this policy is linked to Auditable Standards / Key Performance Indicators will be undertaken using this framework.

CNTW(O)62 – Information Sharing Policy - Monitoring Framework

Auditable Standard / Key Performance Indicators

Frequency / Method / Person Responsible

Where results and any associated action plan will be reported to, implemented and monitored; (this will usually be via the relevant governance group)

1. The Trust must ensure that detailed procedures notes are in place in respect of the sharing and disclosure of data

All DPA Procedures / Policies will be reviewed and agreed on a yearly basis through the Caldicott and Information Governance Group ( CIGG).Policies will be ratified by BDG

Caldicott and Information Governance Group (CIGG) / BDG

2. The Trust must ensure that all staff are aware of their responsibilities under the Data Protection Act 2018

The Information Governance Team will provide a bi-monthly highlight report covering DPA incidents to the CIGG.

Caldicott and Information Governance Group (CIGG).

3. Information Sharing Agreements to be set up for all routine data flows or where large amounts of information are to be regularly shared, to be fully compliant and consistent with this Policy

All Information Sharing agreements will be taken to the CIGG for discussion. All Policies / Procedures to be reviewed annually through CIGG.

Caldicott and Information Governance Group (CIGG).

The Author(s) of each Policy is required to complete this monitoring template and ensure that these results are taken to the appropriate Quality and Performance Governance Group in line with the frequency set out.

CNTW (O) 62


21

HOME

Appendix 1

THE DATA PROTECTION ACT 2018 PRINCIPLES

(SUMMARY) The following principles must be applied to all processing of personal data: 1. The first data protection principle is that the processing of personal data for any of the law enforcement purposes must be lawful and fair. 2. The second data protection principle is that—

(a) the law enforcement purpose for which personal data is collected on any occasion must be specified, explicit and legitimate, and;

(b) personal data so collected must not be processed in a manner that is

incompatible with the purpose for which it was collected. 3. The third data protection principle is that personal data processed for any of the law enforcement purposes must be adequate, relevant and not excessive in relation to the purpose for which it is processed. 4. The fourth data protection principle is that—

(a) personal data processed for any of the law enforcement purposes must be accurate and, where necessary, kept up to date, and;

(b) every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the law enforcement purpose for which it is processed, is erased or rectified without delay.

5. The fifth data protection principle is that personal data processed for any of the law enforcement purposes must be kept for no longer than is necessary for the purpose for which it is processed. 6. The sixth data protection principle is that personal data processed for any of the law enforcement purposes must be so processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures (and, in this principle, “appropriate security” includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage).

CNTW (O) 62


22

Appendix 2

Caldicott Approval Form for Use or Release of Patient Identifiable Data.

What is the title of the project?

What is the name and designation of person responsible for the project?

Name

Designation

What are their contact details?

E-mail

Contact Tel

Has this received ethical approval? This may not be applicable

Yes Ref No:

No

Has this received Health Research Authority Approval? This may not be applicable

Yes Ref No:

No

What is the purpose of the project?

(principle 1 and 2

Please provide a full and detailed description of the data that you need to access as part of this project (principle 3 and 4)

What information do you need to access on RiO/within paper files? Is it possible for the data to be anonymised/pseudonymised? Is the information personal or personal sensitive?

Please indicate, where know, requested data items:

Name Gender Address

CNTW (O) 62


23

Age Date of Birth

Postcode

Please provide details of access required to this data (principle 3)

Who will have access to the data? How is access kept on a strict need-to-know basis?

How will the confidentiality of the data be maintained? (principle 4, 5 and 6)

How will the data be stored? Is this data stored securely in line with Trust Policy/PGN? When and how will the data be destroyed? How is information kept up-to date and accurate?

Principle 7- Principle of Accountability- Description of other supporting documentation attached/other relevant information

Is there evidence that consideration has been given to the 6 principles under DPA 2018?

CNTW (O) 62


24

I confirm that the data will be held as outlined above, and I have fully considered obligations under the Data Protection Act 2018, General Data Protection Regulations, Human Rights Act 1990 and guidelines of the 7 Caldicott principles (principle 1).

Principle 7 generally is not applicable in the context of audit, research or service evaluation.

Name

Title

Signature

Date

If you have any queries or questions relating to your project and the Caldicott Approval Process please contact the Information Governance and Medico Legal Department via e-mail, [email protected]

FOR CALDICOTT GUARDIAN/ DEPUTY COMPLETION

Having read the information provided, the release of data described above has been:

Approved Not Approved

Signed by Caldicott Guardian / Deputy

Name (print)

Date

Date post:	23-Sep-2020
Category:	Documents
Upload:	others
View:	0 times
Download:	0 times