Document Title: Information Sharing Policy
Reference Number: CNTW(O)62
Lead Officer: Lisa Quinn, Executive Director of Performance and Assurance; Dr. Rajesh Nadkarni, Executive Medical Director (Caldicott Guardian)
Author(s) (name and designation): Angela Faill, Head of Information Governance and Medico Legal
Ratified by: Business Delivery Group
Date ratified: Dec 2019
Implementation Date: Dec 2019
Date of full implementation: Dec 2019
Review Date: Dec 2022
Version number: V05
Review and Amendment Log: Version, Type of Change, Date, Description of Change
This Policy supersedes the following document which must now be destroyed:
Document Number: NTW(O)62 – V04.4; Title: Information Sharing Policy
Information Sharing Policy
Section Contents
1 Introduction
2 Purpose
3 Duties, Accountability and Responsibilities
4 Definition of Terms
5 Procedure / Process
6 Identification of Stakeholders
7 Training
8 Implementation
9 Fair Blame
10 Fraud, Bribery and Corruption
11 Monitoring
12 Associated Documents
13 References
Standard Appendices – attached to Policy
A Equality and Diversity Impact Assessment
B Training Checklist and Training Needs Analysis
C Audit Monitoring Tool
D Policy Notification Record Sheet
Appendices – listed with the Policy
Appendix No: Description
Appendix 1 DPA Principles
Appendix 2 Caldicott Approval Form
Cumbria, Northumberland, Tyne and Wear NHS Foundation Trust CNTW (O) 62 – Information Sharing Policy – V05-Dec 19
1 Introduction.
1.1 This Information Sharing Policy has been developed for Cumbria, Northumberland, Tyne and Wear NHS Foundation Trust (the Trust / CNTW) but may be used by all public sector organisations within the United Kingdom and any other organisation that would benefit from this guidance in managing information sharing arrangements.
The Information Sharing Policy comprises the common principles and procedures to be adopted;
The Information Sharing Policy sets out the basis for agreement between agencies to govern the sharing of personal information about service users and facilitate the development of information sharing agreements;
The Information Sharing Policy will be supplemented by the Information Sharing Agreement as attached at Appendix 1 and the Practice Guidance Note;
Whilst personal information held by NHS Organisations should be properly protected, there is also a growing expectation that information will be shared between health bodies, public and local authorities and the Police service where it is appropriate to do so. Sharing information is a key element in the delivery of high quality, cost effective and seamless public services;
The Health Act 1999 has expanded the statutory obligations on public service agencies to work together in the planning and delivery of health and social care services. Implicit in performing this duty is the need to share information;
The Data Protection Act 2018 places an emphasis on the protection of patient identifiable information which has, in the past, made agencies very reluctant to share information for fear of breaking the Law. It also meant, however, that information which should have been shared was kept within one agency. There is a need to share information within a framework of clear understanding between agencies;
The Department of Health Guidance 'Information Sharing and Mental Health - Guidance to Support Information Sharing by Mental Health Services' (DOH 2009) emphasises the importance of information sharing in order to deliver effective public services and to enable early intervention and protection where necessary;
The Caldicott Guardian Manual 2006 recommended that Policies should be developed to protect the exchange and disclosure of patient identifiable information;
The Trust therefore recognises the importance of information sharing within a framework of appropriate controls to protect confidential and sensitive information.
2 Purpose.
2.1 The purpose of this Policy is to:
Ensure common understanding exists between the agencies within the United Kingdom as to the importance of information sharing, confidentiality and information security;
Set out the basis for the secure transfer and use of person identifiable information across traditional organisational boundaries;
Provide a robust framework for the legal, secure and confidential sharing or joint processing of personal data;
Define the key principles which will facilitate the sharing of personal data with partner organisations;
Establish a common standard to which all partner organisations will aspire in respect of the treatment of personal data;
Assist professionals to feel confident that personal information is being shared in the right ways for the right reasons.
2.2 This Policy will:
Set out the legal framework and basis for information sharing
Define the responsibilities of the organisation and individuals within the organisation for information security and sharing
Establish the key principles inherent in all aspects of information sharing
Establish the process for data flows and Caldicott Approval
Establish the use and format of the Information Sharing Agreement
3 Duties, Accountability and Responsibilities:
3.1 The Trust
Ensuring that staff, volunteers and contractors are provided with the necessary training to be aware of, and comply with, their responsibilities in regard to the confidentiality of information.
3.2 Chief Executive
Overall responsibility for implementation of and compliance with this Policy.
3.3 Trust Senior Information Risk Owner (SIRO)
Co-ordinating development and maintenance of information risk management policies, procedures and standards for the Trust. The SIRO is the Executive Director of Performance and Assurance.
The ongoing development and day to day management of the Trust's Information Risk Management Programme
3.4 Caldicott Guardian
Overseeing the establishment of procedures governing access to, and the use of personal information and where appropriate, the transfer of that information to other bodies
Upholding the Caldicott principles, taking account of the codes of conduct provided by professional bodies
3.5 Information Governance and Medico Legal Department
Dealing with enquiries, providing advice and guidance to support the appropriate use of sharing personal information;
Supporting the Data Protection Officer, Caldicott Guardian and Senior Information Risk Owner (SIRO)
Supporting staff in obtaining Caldicott approval for information sharing.
Reviewing the data flows within the Organisation on a regular basis
3.6 Caldicott and Information Governance Group
Developing and supporting the implementation of Information policies/procedures and supporting the appropriate sharing of information.
3.7 Group Directors
Ensuring implementation throughout their respective Locality Care Groups.
3.8 Trust Information Asset Owners (IAOs)
Ensuring that information risk assessments are performed routinely on all information assets where they have been assigned 'ownership' following guidance from the SIRO on assessment, method, format, content and frequency
Authorising / controlling system administration.
3.9 Line Managers
Line managers are responsible for ensuring staff in their service area implement the requirements of this Policy, including providing appropriate advice and support. Line Managers should bring to the attention of the Trust-wide Caldicott and Health Informatics Group any issues related to information risk or policy implementation.
3.10 All Employees
All Employees of the Trust, Temporary Staff, Volunteers, Contract and Agency Staff and any other persons working on behalf of the Trust are bound by this Policy and should be aware that any breach of confidentiality could be a matter for disciplinary action.
4 Definition of Terms.
Risk: The chance of something happening, which will have an impact upon objectives. It is measured in terms of consequence and likelihood
Risk Assessment: The overall process of risk analysis and risk evaluation
Risk Management: The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects
Risk Management Process: The systematic application of management Policies, Procedures and Practices to the tasks of establishing the context, identifying, analysing, evaluating, treating, monitoring and communicating risk.
Personal Data
Data which relates to a living individual who can be identified from those data and other information which is, or is likely to come into the possession of the data controller, and includes any expression of opinion and any indication of the intention of the data controller, or any other person, in respect of the individual. Personal information that is held by The Trust and subject to the provisions of the Data Protection Act includes information about employees and organisations, as well as clients of the Trust.
Special Categories of Personal Data
Special category data is personal data which is more sensitive, and so needs more protection. For example, information about an individual’s:
race
ethnic origin
politics
religion
trade union membership
genetics
biometrics (where used for ID purposes)
health
sex life; or
sexual orientation
Information Sharing Agreement: An over-arching framework for sharing information between the Trust and one or more other agencies. It is not contractually binding but is used to set good practice standards that the parties need to meet in order to fulfil any duty of care which exists in relation to the regular / routine sharing of personal information;
Anonymised information: Information that cannot identify an individual;
Pseudonymised information: Information in which any data that makes it personally identifiable has been replaced by other non-identifiable data e.g. the NHS number replaced with a random ID Number;
Access to records requests: The process by which the Trust responds to patient / service users who are entitled to see their records.
5 Procedure/Process:
5.1 Legal Framework
5.1.1 It is important that practitioners are aware of the legal framework which governs the sharing of personal information.
5.2 Administrative Law
A public authority derives its powers from statute and must not act out of or in excess of those powers. Any act that is in excess of its powers is said to be ultra vires and may be subject to Judicial Review
It is necessary to consider legislation that relates to the Policy or service that the sharing of data supports.
5.3 The Data Protection Act 2018 (DPA)
The DPA regulates the processing of person identifiable information. Person identifiable information can be split into personal and special category of information. (Explanation of differences under Section 4 Glossary of terms.)
The DPA should not be used as a barrier to sharing information if lawfully permitted;
The DPA requires that the processing of information must comply with the seven Data Protection Principles (attached at Appendix 2) and be in accordance with the rights of the data subject;
The Data Protection Act 2018 provides that information can be shared even where consent has not been obtained, where conditions for processing under the Act can be relied upon (other than consent as a condition for processing) and the common law duty of confidentiality, where appropriate, has been considered and satisfied. Further information regarding conditions for processing and the common law duty can be found in (link to DPA policy).
5.4 The Human Rights Act 1998 (HRA).
The HRA gives effect to the principles conferred by the European Convention on Human Rights (ECHR). It is unlawful for any public authority to act inconsistently with any of the Convention rights;
Article 8 of the ECHR provides the right to respect for private and family life. This right can only be interfered with when it is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country for the prevention of disorder or crime, for the protection of health or morals or for the protection of the rights and freedoms of others.
5.5 The Common Law Duty of Confidentiality.
Medical records and information constitute confidential information;
Confidential information cannot be disclosed to a third party without lawful authority. A breach of this duty of confidence may result in an entitlement to damages
The duty of confidentiality requires that unless there is a statutory requirement or other legal basis for disclosure, confidential information should only be used for the purpose for which the patient disclosed it
Exceptions to the duty of confidentiality include where information is already in the public domain, where consent is sought and received, where disclosure is required by statute or Court Order, or where the public interest in disclosure outweighs the public interest in maintaining confidentiality.
5.6 The Caldicott Report and Caldicott 3.
Dame Fiona Caldicott first investigated issues surrounding confidentiality when she chaired a review in 1996-97 on the use of patient data in the NHS. The review recommended that the NHS adopt six principles for the protection of confidentiality, which became known as the ‘Caldicott principles’. The review also recommended that NHS organisations appoint someone to take responsibility for ensuring the security of confidential information. These people became known as ‘Caldicott Guardians’;
Following a request from the Secretary of State for Health, Dame Caldicott carried out the latest independent review of information sharing to ensure that there is an appropriate balance between the protection of patient information and the use and sharing of information to improve patient care
In April, 2013, the Caldicott 2 report was published. The reach of Caldicott 2 is far wider than the 1997 report. Its recommendations affect all organisations working in the health and social care sector – including local authorities. The Department of Health has endorsed the 26 recommendations of Caldicott 2 and revised Caldicott principles
In respect of every use of patient identifiable information, the Caldicott Principles require public authorities to:
o Justify the purpose for using confidential information
o Only use confidential information when absolutely necessary
o Use the minimum that is required
o Ensure that access is on a need to know basis
o Ensure that everyone understands their responsibilities
o Understand and comply with the law
o Duty to share information can be as important as the duty to protect patient confidentiality.
5.7 National and Local Guidance.
5.7.1 Compliance with relevant government and professional guidance is also important in ensuring that information is managed appropriately. Important guidance includes:
NHS Confidentiality Code of Practice – Department of Health 2003
NHS Information Governance – September 2007
Information sharing and mental health – guidance to support information sharing by mental health services. Department of Health 2009
NMC Confidentiality Guidance 2009
GMC Confidentiality Guidance 2009
5.8 Summary of the Legal Framework.
5.8.1 In order to ascertain whether there is a legal basis for information sharing the following should be considered:
Whether there is a power to carry out the function to which the information sharing relates
Whether there are express statutory restrictions on the data sharing activity proposed, or any restrictions which may be implied by the existence of other statutory, common law or other provisions
Whether the data sharing would be in accordance with the Data Protection Act 2018, in particular the Data Protection Principles
Whether the sharing of the data would breach any obligation of confidence
Whether the sharing of the data would interfere with rights under Article 8 of the European Convention on Human Rights in a way which would be disproportionate to the achievement of a legitimate aim and unnecessary in a democratic society;
Whether the Caldicott Principles are complied with in any sharing of information.
5.9 Key Principles of Information Sharing:
5.9.1 Commitment to share personal data
To recognise that multi-agency initiatives require a commitment to sharing personal information about service users in compliance with national guidance and legislation.
5.9.2 Compliance with Legislation
To ensure that personal information is only shared in accordance with statutory duties, including the requirements of the Data Protection Act 2018.
5.9.3 Compliance with Caldicott Principles
Caldicott approval is required for all new routine data flows and also all 'one off' or ad hoc requests for release of health, social care or other personal information where consent is not available or is refused. The Caldicott Approval Form can be found at Appendix 2.
5.9.5 Consent
To obtain the consent of the service user to share personal information where there are no alternative conditions for processing under data protection legislation which can be relied upon
To make service users aware of any information which will be shared and the purposes for which it will be used
To not share information where consent is refused and the only available condition for processing is consent
To keep records of the efforts made to obtain consent and details of whether consent was obtained or refused
Consideration must be given to the provisions of the Mental Capacity Act 2005 (MCA).
5.10 Justification/Purpose for Sharing
To clearly define the purpose and justification for information sharing. To ensure that when sharing personal information only the minimum required for the purpose is shared.
5.11 Fairness and Transparency
To ensure that the public are informed of the purposes for processing their personal information and to whom it will be disclosed.
5.12 Information Standards
Personal information will only be disclosed where it is legally justified
Personal information will be anonymised/pseudonymised where appropriate.
5.13 Requesting Data
5.13.1 In accordance with the Caldicott Principles, any request for data should include:
The purpose for which the information is to be used
The data items needed i.e. name, diagnosis etc. (only the minimum data required to undertake the task should be requested);
If relevant, who the data may be shared with
The time period for which the data will be held
An assurance that the data will be kept in a secure environment e.g. that data will be kept in a password protected database
An assurance that access to the information will be restricted and that the staff who have access to the data understand their responsibility to keep the data secure;
An assurance that the organisation is registered with the Information Commissioner to hold and use the data they are requesting.
5.14 Complaints Procedure
Procedures should be in place to address complaints relating to the disclosure of information;
All complaints and issues relating to information sharing must be dealt with in accordance with the Trust’s Policy, CNTW (O) 07 - Comments, Compliments and Complaints.
Next paragraph: Data Subject Rights – acknowledge the obligations on organisation in safeguarding/providing access in respect of data subject rights. Link to individual rights policy.
5.15 Data Flows
A data flow is any transfer of data between the Trust and a third party
All new routine data flows for the purposes of a contract must be agreed by the Caldicott Guardian / SIRO
Consideration will be given as to whether it is appropriate to enter an Information Sharing Agreement for a particular flow
Data flows will be mapped on an annual basis.
5.16 Caldicott Approval
5.16.1 Caldicott approval is required for all new routine data flows and also all ‘one off’ or ad hoc requests for release of health, social care which require appropriate escalation and consideration by the Caldicott Guardian. The IG & Medico Legal Department can support staff in considering routine data flows, and ‘one off’ or ad hoc requests.
5.16.2 When a request to share information is made the IG & Medico Legal Department will:
Consider whether sufficient information has been provided by the requestor
Consider whether anonymous or pseudonymised data could be used
Maintain a log of all requests and decisions
Report requests to the Trust-wide Caldicott Information Governance Group.
5.17 Information Sharing Agreement
5.17.1 Where a request for information is a request for a routine data flow or where large amounts of information are to be regularly shared, Caldicott Approval should be sought for the parties to enter an Information Sharing arrangement.
Legislation does not require an Information Sharing Agreement document to be used. The detail around confidentiality, security and governance of personal data can be included within other relevant documentation i.e. a contractual arrangement, a service level agreement, a Memorandum of Understanding etc.
5.17.2 Where an ISA is required, an ISA template is attached to this policy at Appendix 1.
5.17.3 Each Individual Information Sharing Agreement (ISA) or appropriate provisions will set out the detailed arrangements relevant to that particular application. All individual Information Sharing Agreements / provisions will need to be fully compliant and consistent with this Policy.
5.17.4 The ISA/provisions are not contractually binding and information may be shared without these in place, but should be used where appropriate to set good practice standards.
5.17.5 The ISA or provisions will include details of:
The parties to the Agreement
What Information is to be shared
For what purpose information is to be shared
On what legal basis the information is to be shared
Arrangements in place for applicable data subject rights i.e. Right to Access Information.
How frequently information will be shared
How information security will be maintained
What methods of recording, holding, retaining and disposing of information will be used
For what period the information will be retained. Retention period guidance can be found within (https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/codes-of-practice-for-handling-information-in-health-and-care/records-management-code-of-practice-for-health-and-social-care-2016); however, information should not be held where there is no longer a purpose to holding it. Further information is available within Record Management Policy CNTW(O) 09.
A multi-agency protocol on information sharing is in place across the North East Region. If staff need any information in relation to the protocol please contact the Information Governance (IG) Team.
5.18 Retention and Security of Shared Information
All agencies should put in place policies or procedures governing the secure storage of all personal information retained in their manual or electronic systems
All agencies will ensure that retention and disposal processes for personal information are agreed and adhered to in line with organisational requirements
All agencies will recognise the importance of restricting access to personal information and maintain standards for technical security to protect shared information during transfer and within partner organisations.
6 Identification of Stakeholders.
6.1 This is an existing policy which has only minor changes that do not relate to operational and/or clinical practice and therefore did not require a full consultation process.
North Locality Care Group
North Cumbria Locality Care Group
Central Locality Care Group
South Locality Care Group
Corporate Decision Team
Business Delivery Group
Safer Care Group
Communications, Finance, IM&T
Commissioning and Quality Assurance
Workforce and Organisational Development
NTW Solutions
Local Negotiating Committee
Medical Directorate
Staff Side
Internal Audit
7 Training
7.1 Training for this Policy is incorporated into the annual Information Governance Training mandated to all staff.
7.2 Where additional training is required it is the responsibility of both managers and staff to ensure that this is undertaken and that attendance is verified and recorded.
8 Implementation
8.1 Taking into consideration all the implications associated with this reviewed policy, it is considered that a target date of December 2019 is achievable for the contents to be implemented across the Trust.
9 Fair Blame
9.1 The Trust is committed to developing an open learning culture. It has endorsed the view that, wherever possible, disciplinary action will not be taken against members of staff who report near misses and adverse incidents, although there may be clearly defined occasions where disciplinary action will be taken.
10 Fraud, Bribery and Corruption
10.1 In accordance with the Trust’s Policy CNTW (O) 23 – Fraud, Bribery and Corruption Policy / Response Plan, all suspected cases of fraud and corruption should be reported immediately to the Trust’s Local Counter Fraud Specialist or to the Executive Director of Finance. Effective methods of seeking redress in respect of money defrauded.
11 Monitoring
11.1 Responsibility for monitoring compliance with this Policy locally lies with Directors and Line Managers.
11.2 The Information Governance Team will monitor compliance with this policy through observation, spot checks and through incident management in line with the Trust Incident reporting process.
11.3 All incidents involving the loss of data whether encrypted or unencrypted must be reported immediately to the Information Governance department and dealt with in accordance with the Trust’s Policy and Practice Guidance Notes, CNTW(O)05 – Incident Policy; Incident Reporting Procedure.
12 Associated Documents
CNTW(O)05 - Incident Management Policy and Procedures
CNTW(O)07 - Comments, Compliments and Complaints Policy
CNTW(O)09 - Management of Records Policy
CNTW(O)23 - Fraud, Bribery and Corruption Policy / Response Plan
CNTW(O)26 - Data Quality Policy
CNTW(O)28 - Information Governance Policy
CNTW(O)29 - Confidentiality Policy
CNTW(O)30 - Removable Media Encryption Policy
CNTW(O)33 - Risk Management Policy
CNTW(O)35 - Information Security Policy
CNTW(O)36 - Data Protection Policy
CNTW(O)43 - Freedom of Information Policy
CNTW(O)44 - Acceptable use of Email Policy
CNTW(O)46 - Security on use of Data and Private Practice Policy
CNTW(O)55 - Information Risk Policy
CNTW(O)56 - Forensic Readiness Policy
CNTW(O)57 - Registration Authority Policy
CNTW(O)65 - Acceptable use of Intranet and Internet
Staff IT Handbook.
13 References:
https://digital.nhs.uk/
Appendix A
Equality and Diversity Impact Assessment Screening Tool
Equality Analysis Screening Toolkit
Names of Individuals involved in Review: Angela Faill
Date of Initial Screening: December 2019
Review Date: December 2022
Service Area / Locality: Trust wide
Policy to be analysed: NTW(O)62 Information Sharing Policy V05
Is this policy new or existing? Existing
What are the intended outcomes of this work? Include outline of objectives and function aims
To ensure that Person Identifiable and confidential Data shared with partner organisations is dealt with in accordance with the Data Protection Act 1998 and Caldicott principles, and that all staff are made aware of their personal responsibilities.
Who will be affected? e.g. staff, service users, carers, wider public etc
Staff, service users, carers and the wider public.
Protected Characteristics under the Equality Act 2010. The following characteristics have protection under the Act and therefore require further analysis of the potential impact that the policy may have upon them
Disability Not applicable
Sex Not applicable
Race Not applicable
Age Not applicable
Gender reassignment (including transgender) Not applicable
Sexual orientation Not applicable
Religion or belief Not applicable
Marriage and Civil Partnership Not applicable
Pregnancy and maternity Not applicable
Carers Not applicable
Other identified groups Not applicable
How have you engaged stakeholders in gathering evidence or testing the evidence available?
Through standard policy consultation mechanisms.
How have you engaged stakeholders in testing the policy or programme proposals?
Through standard policy consultation mechanisms.
For each engagement activity, please state who was involved, how and when they were engaged, and the key outputs:
Through standard policy consultation mechanisms.
Summary of Analysis Considering the evidence and engagement activity you listed above please summarise the impact of your work. Consider whether the evidence shows potential for differential impact, if so state whether adverse or positive and for which groups. How you will mitigate any negative impacts. How you will include certain protected groups in services or expand their participation in public life.
Not applicable
Now consider and detail below how the proposals impact on elimination of discrimination, harassment and victimisation, advance the equality of opportunity and promote good relations between groups. Where there is evidence, address each protected characteristic
Eliminate discrimination, harassment and victimisation Not applicable
Advance equality of opportunity Not applicable
Promote good relations between groups Not applicable
What is the overall impact? Not applicable
Addressing the impact on equalities Not applicable
From the outcome of this Screening, have negative impacts been identified for any protected characteristics as defined by the Equality Act 2010? No
If yes, has a Full Impact Assessment been recommended? If not, why not?
Manager’s signature: Angela Faill Date: December 19
Appendix B
Communication and Training Check List for Policies
Key Questions for the accountable Committees designing, reviewing or agreeing a new Trust Policy
Is this a new policy with new training requirements or a change to an existing policy?
No, this is an existing Policy
If it is a change to an existing policy are there changes to the existing model of training delivery? If yes specify below.
Not applicable
Are the awareness/training needs required to deliver the changes by law, national or local standards or best practice?
Please give specific evidence that identifies the training need, e.g. National Guidance, CQC, NHS Resolutions etc.
Please identify the risks if training does not occur
Awareness and Guidance concerning safe sharing of data with partner organisations
Ensure that appropriate training and support are provided to assist staff in safe sharing of information
Please specify which staff groups need to undertake this awareness/training. Please be specific. It may well be the case that certain groups will require different levels e.g. staff group A requires awareness and staff group B requires training.
Trust-wide
Is there a staff group that should be prioritised for this training / awareness?
It is essential that all staff groups working with confidential / personal data are made aware of the policy and the personal responsibilities associated with it
Please outline how the training will be delivered. Include who will deliver it and by what method. The following may be useful to consider: Team brief/e bulletin of summary; Management cascade; Newsletter/leaflets/payslip attachment; Focus groups for those concerned; Local Induction Training; Awareness sessions for those affected by the new policy; Local demonstrations of techniques/equipment with reference documentation; Staff Handbook Summary for easy reference; Taught Session; E Learning
Team brief, CEO Bulletin, Intranet, face to face training, E learning, Staff IT Handbook
Please identify a link person who will liaise with the training department to arrange details for the Trust Training Prospectus, Administration needs
Head of Information Governance and Medico Legal.
Appendix B – continued
Training Needs Analysis
Staff/Professional Group | Type of training | Duration of Training | Frequency of Training
All staff sharing service user, staff or confidential information with partner agencies or other third parties | Part of Information Governance training | 1 hour | Annual
All | General awareness of safe Information Sharing is part of Information Governance Training | 1 hour | Annual
Copy of completed form to be sent to:
Training and Development Department, St. Nicholas Hospital
Should any advice be required, please contact: - 0191 245 6777 (internal 56777)
Appendix C
Monitoring Tool
Statement
The Trust is working towards effective clinical governance and governance systems. To demonstrate effective care delivery and compliance, Policy Authors are required to include how monitoring of this policy, linked to Auditable Standards / Key Performance Indicators, will be undertaken using this framework.
CNTW(O)62 – Information Sharing Policy - Monitoring Framework
Auditable Standard / Key Performance Indicators | Frequency / Method / Person Responsible | Where results and any associated action plan will be reported to, implemented and monitored (this will usually be via the relevant governance group)
1. The Trust must ensure that detailed procedures notes are in place in respect of the sharing and disclosure of data | All DPA Procedures / Policies will be reviewed and agreed on a yearly basis through the Caldicott and Information Governance Group (CIGG). Policies will be ratified by BDG | Caldicott and Information Governance Group (CIGG) / BDG
2. The Trust must ensure that all staff are aware of their responsibilities under the Data Protection Act 2018 | The Information Governance Team will provide a bi-monthly highlight report covering DPA incidents to the CIGG. | Caldicott and Information Governance Group (CIGG).
3. Information Sharing Agreements to be set up for all routine data flows or where large amounts of information are to be regularly shared, to be fully compliant and consistent with this Policy | All Information Sharing agreements will be taken to the CIGG for discussion. All Policies / Procedures to be reviewed annually through CIGG. | Caldicott and Information Governance Group (CIGG).
The Author(s) of each Policy is required to complete this monitoring template and ensure that these results are taken to the appropriate Quality and Performance Governance Group in line with the frequency set out.
Appendix 1
THE DATA PROTECTION ACT 2018 PRINCIPLES (SUMMARY)
The following principles must be applied to all processing of personal data:
1. The first data protection principle is that the processing of personal data for any of the law enforcement purposes must be lawful and fair.
2. The second data protection principle is that—
(a) the law enforcement purpose for which personal data is collected on any occasion must be specified, explicit and legitimate, and
(b) personal data so collected must not be processed in a manner that is incompatible with the purpose for which it was collected.
3. The third data protection principle is that personal data processed for any of the law enforcement purposes must be adequate, relevant and not excessive in relation to the purpose for which it is processed.
4. The fourth data protection principle is that—
(a) personal data processed for any of the law enforcement purposes must be accurate and, where necessary, kept up to date, and
(b) every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the law enforcement purpose for which it is processed, is erased or rectified without delay.
5. The fifth data protection principle is that personal data processed for any of the law enforcement purposes must be kept for no longer than is necessary for the purpose for which it is processed.
6. The sixth data protection principle is that personal data processed for any of the law enforcement purposes must be so processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures (and, in this principle, “appropriate security” includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage).
Appendix 2
Caldicott Approval Form for Use or Release of Patient Identifiable Data.
What is the title of the project?
What is the name and designation of person responsible for the project?
Name
Designation
What are their contact details?
Contact Tel
Has this received ethical approval? This may not be applicable
Yes Ref No:
No
Has this received Health Research Authority Approval? This may not be applicable
Yes Ref No:
No
What is the purpose of the project?
(principle 1 and 2)
Please provide a full and detailed description of the data that you need to access as part of this project (principle 3 and 4)
What information do you need to access on RiO/within paper files? Is it possible for the data to be anonymised/pseudonymised? Is the information personal or personal sensitive?
Please indicate, where known, requested data items:
Name Gender Address
Age Date of Birth
Postcode
Please provide details of access required to this data (principle 3)
Who will have access to the data? How is access kept on a strict need-to-know basis?
How will the confidentiality of the data be maintained? (principle 4, 5 and 6)
How will the data be stored? Is this data stored securely in line with Trust Policy/PGN? When and how will the data be destroyed? How is information kept up-to date and accurate?
Principle 7- Principle of Accountability- Description of other supporting documentation attached/other relevant information
Is there evidence that consideration has been given to the 6 principles under DPA 2018?
I confirm that the data will be held as outlined above, and I have fully considered obligations under the Data Protection Act 2018, General Data Protection Regulations, Human Rights Act 1990 and guidelines of the 7 Caldicott principles (principle 1).
Principle 7 generally is not applicable in the context of audit, research or service evaluation.
Name
Title
Signature
Date
If you have any queries or questions relating to your project and the Caldicott Approval Process please contact the Information Governance and Medico Legal Department via e-mail, [email protected]
FOR CALDICOTT GUARDIAN/ DEPUTY COMPLETION
Having read the information provided, the release of data described above has been:
Approved Not Approved
Signed by Caldicott Guardian / Deputy
Name (print)
Date