Page 1: INFORMATION GOVERNANCE POLICY · information governance, and monitoring developments in information governance. Ensuring maintenance of the information asset registers including portable

Page 1 of 187

INFORMATION GOVERNANCE POLICY

Including the

Information Governance Strategy Framework and associated

Information Governance Procedures

Last Review Date

August 2020

Approving Body

Executive Committee

Date of Approval

16 September 2020

Date of Implementation

September 2020

Next Review Date

November 2021

Review Responsibility

Head of Corporate Governance

Version

7.2


Page 2 of 187

REVISIONS/AMENDMENTS SINCE LAST VERSION

Date of Review Amendment Details

August 2013 New policy developed from a range of previous Primary Care Trust (PCT) Information Governance (IG) policies, frameworks and related procedures.

December 2014 Policy updated on Privacy Impact Assessment (PIA) Procedure, Caldicott Principle 7, Roles and Accountabilities, additional definitions, application forms for access to records, further clarity on information sharing principles.

November 2015 Two new duties came into force from 1 October 2015 as part of the Health and Social Care (Safety and Quality) Act; the policy was updated to reflect this. Reference made to the consultation on the roles and functions of the statutory National Data Guardian for Health and Social Care. Accountabilities updated. Addition of a reference to the Health and Social Care Information Centre Information Governance Serious Incidents Requiring Investigation checklist.

December 2017 Legislation updated with reference to the European Union (EU) General Data Protection Regulation 2016 and the refreshed Records Management Code of Practice for Health and Social Care 2016.

June 2017 Changes: Remove reference to Corporate Governance Management Group; refresh of Records Management Procedure in accordance with updated national guidance; refresh of Subject Access Request Procedure in accordance with updated national guidance; refresh of Privacy Impact Assessment Procedure in accordance with updated national guidance, minor updates throughout to add clarification / amend references.

February 2018 Amendments; removal of remaining references to the Corporate Governance Management Group, replacing Chief of Corporate Services references with Head of Corporate Governance and amendment of Senior Management Team job titles.

April 2018 General Data Protection Regulation (GDPR) requirements included as a precursor to the pending Data Protection Act 2018.

January 2019 Removal of any reference to data quality and the data quality procedure throughout the document.

Data Security and Protection Toolkit (formerly known as the Information Governance Toolkit).

Data Protection Act 1998 and GDPR regulations wording changed to: EU General Data Protection Regulations 2016 and the Data Protection Act 2018.

Refer to Data Protection Officer responsibilities throughout.

Publishing a Privacy Notice on the CCG website.

Acknowledging Subject Access Requests: Requests made under the current Data Protection Legislation or the Access to Health Records Act (1990) will not be subject to fees, unless the request is for a further copy, or if the request is deemed to be manifestly unreasonable or excessive, in which case any fee must be agreed with the recipient, and this should be notified to the requester as soon as possible. It is also legitimate to request an extension of up to two months to the ‘1 month’ rule if the request is excessive.

Page 3 of 187

Collating Responses to SARs: reference to the child’s age.

Access to Deceased Patient Records includes: and the information requested and released is relevant to their claim.

Lawful Basis for Processing Personal Data, refers to: the organisation complies with Article 9 and, as a Public Authority, Article 6 in ensuring that, in the processing of personal data, at least one of the following lawful bases applies.

Sensitive Personal Data is now referred to as Special Category Data under GDPR Article 9.1.

The section on ‘Use of Email Securely’ has been reviewed considerably with references to NHS digital and NHS.net emails.

Data Protection Officer approval for the Data Protection Impact Assessment.

November 2019 Associate Director of HR and Corporate Services named as the SIRO throughout.

Privacy Impact Assessment amended to Data Protection Impact Assessment throughout.

Data Security Protection Toolkit – reference to the aim of the CCG is to be Fully Met with the standards (page 23).

An annual Caldicott Plan is developed and it is approved by the Information Governance Group and exceptions reported to the Quality and Patient Safety Committee (page 31).

New Information Sharing Agreement (pages 45-53). The new ISA is the Tier 2 ISA that forms part of the Tier 1 Sharing Agreement Protocol with the Doncaster Council.

Update section 4.9 – CCTV and to the Records Retention Schedule (page 54-90).

CCTV: Lead - Head of Corporate Governance. Was previously NHS Property Services (page 96).

Full review of Laptops, Other Portable Devices And Offsite Users Procedure updated (page 114-120).

Mobile Phone Procedure – amended responsibilities from Head of Corporate Governance to Head of IT (page 121-127)

Full review and update to Internet, Email and Social Networking Policy (page 137-153).

Minor amendments to the DPIA procedure (page 155-152).

Amended DPIA Form, includes three screening questions and reference to the new toolkit (pages 155-175).

January 2020 New Information Security Procedure (Section K – page 173)

Legislative and Guidance amendments (Section 2 – page 14)

Password Management amendments (page 135, section 5.1)

May 2020 New – MS Teams Procedure. (page 143-146, 155)

August 2020 Taking CCG Equipment out of the UK (page 116)

Page 4 of 187

CONTENTS

Definitions (pages 6-11)

Section A – Policy (page 12)
1. Policy Statement, Aims and Objectives (pages 12-13)
2. Legislation and Guidance (pages 13-14)
3. Scope (pages 14-15)
4. Accountabilities and Responsibilities (pages 15-19)
5. Dissemination, Training and Review (pages 19-20)

Section B – Information Governance Strategy and Management Framework (page 21)
1. Introduction (page 21)
2. Strategic Aims (pages 21-26)
3. Openness and Information Sharing (pages 26-27)
4. Information Security (pages 27-28)
5. Information Quality Assurance (page 28)
6. General Data Protection Regulation and the Data Protection Act 2018 (pages 28-30)
7. Records Management / Information Lifecycle Management (page 30)
8. Freedom of Information and Environmental Information Regulations (pages 30-31)
9. Confidentiality Code of Conduct / Caldicott (pages 31-32)
10. Information Risk Management and Lessons Learned (pages 32-34)
11. Information Asset Lists and Database List (page 34)
12. Improvement Plan and Assessment (page 35)

Page 5 of 187

Section C – Information Governance Procedures (page 36)
A. Information Sharing Procedure (pages 37-53)
B. Records Management Procedure (pages 54-89)
C. Subject Access Requests - Access to Personal Data Under the EU General Data Protection Regulation 2016, the Data Protection Act 2018 and the Access To Health Records Act 1990 (pages 91-106)
D. Confidentiality Code Of Conduct and Data Protection Procedure (pages 107-113)
E. Laptops, Other Portable Devices and Offsite Users Procedure (pages 114-120)
F. Mobile Telephone Procedure (pages 121-127)
G. Procedure For Registering and Authorising Computerised Databases For The Storing and Processing Of Personal Data (pages 128-132)
H. Password Management Procedure (pages 133-135)
I. Internet, Email, MS Teams and Social Networking Procedure (pages 136-152)
J. Data Protection Impact Assessment Procedure (pages 153-172)
K. Information Security Procedure (pages 173-180)

Appendices
1. Equality Impact Assessment (pages 185-187)

Page 6 of 187

DEFINITIONS

Term / Definition

Access Control
The prevention of unauthorised use of a resource, including the prevention of use of a resource in an unauthorised manner.

Accountability
The property that will enable the originator of any action to be identified (whether the originator is a human being or a system).

Anonymised information
Information from which no individual can be identified.

Caldicott
Maintaining the legal right to patient confidentiality.

Caldicott Guardian
Is the Chief Nurse and the senior person responsible for protecting the confidentiality of personal identifiable data (PID). The Chief Nurse plays a key role in ensuring that the CCG and partner organisations abide by the highest standards for handling personal identifiable data.

Confidentiality
Data access is confined to those with specified authority to view the data.

Consent
Explicit Consent: means articulated agreement and relates to a clear and voluntary indication of preference or choice, usually given orally or in writing and freely given in circumstances where the available options and the consequences have been made clear.
Implied Consent: means agreement that has been signalled by the behaviour of an individual with whom a discussion has been held about the issues and who therefore understands the implications of the disclosure of information.
Informed Consent: an informed consent can be said to have been given based upon a clear appreciation and understanding of the facts, implications, and future consequences of an action. In order to give informed consent, the individual concerned must have adequate reasoning faculties and be in possession of all relevant facts at the time consent is given.

Current Data Protection Legislation
Includes the UK’s Data Protection Act 2018 and the EU’s General Data Protection Regulation 2016.

Page 7 of 187

Data Controller
A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

Data Processor
Any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

Data Protection Officer (DPO)
Is a legal role required by the current Data Protection Legislation. This person is responsible for overseeing the IG strategy and the implementation of data protection and security measures to ensure compliance with the current Data Protection Legislation; these measures should ultimately minimise the risk of breaches and uphold the protection of personal identifiable and special category data.

Data Security and Protection Toolkit (DSPT)
Formerly known as the Information Governance (IG) Toolkit, the tool is an online system which allows the CCG to measure compliance against the relevant legislation and regulations listed within this policy.

General Data Protection Regulation (GDPR)
The EU General Data Protection Regulation 2016 forms part of the data protection regime in the UK, together with the new Data Protection Act 2018 (together known as the Current Data Protection Legislation). Where relevant, the current Data Protection Legislation includes links to relevant sections of the GDPR itself, to other ICO guidance and to guidance produced by the EU’s Article 29 Working Party, now the European Data Protection Board (EDPB).

Information Asset
A body of information defined and managed as a single unit so it can be understood, shared, protected and exploited effectively. Information assets have recognisable and manageable value, risk, content and lifecycles.

Information Asset Administrator (IAA)
The IAO can assign day to day responsibility for each Information Asset to an IAA or other manager. This should be formalised in job descriptions.

Page 8 of 187

Information Asset Owner (IAO)
The Data Security and Protection Toolkit (DSPT) (formerly known as the Information Governance Toolkit) defines an owner as a member of staff senior enough to make decisions concerning the asset at the highest level. IAOs are departmental heads and senior managers involved in running the relevant business; their role is to understand what information is held, who has access and why. As a result they can understand and address risks to the Information Assets they ‘own’, providing assurance to the Senior Information Risk Owner (SIRO). The IAO should understand what information is held, what is added and removed, how information is moved, who has access and why. As a result they should be able to understand and address risks to the information and to ensure that information is fully used within the law for the public good. The IAO will also be responsible for providing regular reports to the SIRO, a minimum of annually, on the assurance and usage of their assets.

Information Governance (IG)
Term used to describe how we manage information legally, securely, and effectively. The good practice guidelines necessary to ensure that organisations and individuals deal with information legally, securely, efficiently and effectively in order to deliver the best possible care.

Information Lifecycle Management (ILM)
The main principles of ILM are that it applies to information in paper and other physical forms, e.g. electronic, microfilm, negatives, photographs, audio or video recordings and other assets, and that it relates to the 5 distinct phases in the life of information: creation, retention, maintenance, use and disposal.

Information Risk
Information Risk is inherent in all activities and an information risk assurance process is set out as a requirement of the DSPT. Information risk management seeks to identify and control information risks in relation to business processes and functions and is led by the SIRO.

Modalities
A term used to describe machines or devices which capture, collect, store, retrieve or transmit clinical images, data or information which then enables health care professionals to visualise, monitor or study the clinical outputs to improve healthcare.

Page 9 of 187

Must
The responsibilities and/or actions that NHS England, the Department of Health (DoH), NHS Digital and the Information Commissioner’s Office (ICO) require to be carried out as the minimum mandatory and statutory measure.

NHS Doncaster CCG
NHS Doncaster Clinical Commissioning Group.

Password
Confidential authentication information composed of a string of characters.

Personal Confidential Data
Data consisting of information which relates to a living individual who can be identified from that information (or from that and other information in the possession of the Data User), including any expression of opinion about the individual but not any indication of the intentions of the Data User in respect of that individual.

Project
Shall mean any plan, process or proposal which involves the use of information, data or technology. This shall also include any change that will amend the way in which the information, data or technology is handled.

Processing of Data
Obtaining, recording or holding information or data, or carrying out any operation or set of operations on the information or data, including:
a) organisation, adaptation or alteration of the information or data;
b) retrieval, consultation or use of the information or data;
c) disclosure of the information or data by transmission, dissemination or otherwise making available; or
d) alignment, combination, blocking, erasure or destruction of the information or data.

Pseudonymised Data
Pseudonymisation takes the most identifying fields within a database and replaces them with artificial identifiers, or pseudonyms. For example, a name is replaced with a unique number. The purpose is to render the data record less identifying and therefore reduce concerns with data sharing and data retention.

Responsible Project Lead (RPL)
Is any member of staff, including flexible, permanent, new starter, locum, temporary, student and contract staff members, who is tasked with and responsible for accomplishing “project” objectives and outcomes.

Page 10 of 187

Risk
The chance that something will happen that will have an impact on achievement of the organisation’s aims and objectives. It is measured in terms of likelihood (probability of the risk occurring) and consequence (impact or magnitude of the effect of the risk occurring).

Risk Assessment
A process of identifying the hazards in a workplace so as to effectively eliminate or adequately control the risks.

Risk Management
A process that enables organisations to identify, analyse, control and monitor risks. By doing this we can protect our patients, visitors, contractors and employees.

Safe Haven
The term Safe Haven refers to a location (or in some cases a piece of equipment) situated on the CCG premises where arrangements and procedures are in place to ensure person-identifiable information can be held, received and communicated securely.

Security breach
Any event that has, or could have, resulted in loss or damage to NHS assets, or an action that is in breach of NHS security procedures.

Senior Information Risk Owner (SIRO)
The SIRO understands how the strategic business goals of the organisation may be impacted by information risks. The SIRO acts as an advocate for information risk on the CCG Board and in internal discussions and will provide written advice to the Chief Officer on the content of their Annual Governance Statement in regard to information risk. The Associate Director of HR and Corporate Services is the SIRO on behalf of the Governing Body. The SIRO owns the information risk and incident management framework, the overall information risk policy and the risk assessment processes, ensuring they are implemented consistently throughout the business by the IAOs.

Special Category Data – GDPR Article 9.1 (Sensitive Personal Data)
Data relating to individuals which is classified as sensitive as defined by the Information Commissioner and for which a greater degree of confidentiality is owed. This includes records relating to health and social care, personal financial circumstances, sexuality, ethnicity etc.

Should
The responsibilities and/or actions recommended to follow as good practice.

Page 11 of 187

Technology
A term used to describe systems, tools, techniques and processes embedded in machines or devices which then store, study, retrieve, transmit, and manipulate data or information.

Page 12 of 187

SECTION A

1. Policy Statement, Aims and Objectives

1.1. NHS Doncaster Clinical Commissioning Group (CCG) fully supports the principles of information governance, recognising its public accountability but placing equal importance on the confidentiality of, and the security arrangements to safeguard, personal information about patients and employees and commercially sensitive information, and on implementing risk management and embedding it into the culture of the organisation.

1.2. This document sets out the CCG’s policy for IG within the organisation. This policy includes the Information Governance Framework (IGF) and all associated procedures.

1.3. The organisation recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. Equal importance is placed on the confidentiality of, and the security arrangements to safeguard, personal information about patients and employees, and commercially sensitive information. The organisation also recognises the need to safely share patient information with other health organisations and other partner care organisations, with the explicit consent of the patient or where there is a legal gateway to share. In certain circumstances information may be shared with other agencies in the public interest in line with agreed protocols.

1.4. IG plays a key part in supporting clinical and corporate governance. The organisation recognises the importance of reliable information, both in terms of the clinical management of individual patients and the efficient management of services and resources. It also gives assurance to the organisation and to individuals that personal information is dealt with legally, securely, efficiently and effectively.

1.5. There are four principal areas which form the scope of IG:
- Information Governance Management (IGM)
- Confidentiality and Data Assurance
- Information Security Assurance (ISA)
- Clinical Information Assurance (CIA)

1.6. The aims of this policy are to:
- Provide employees with a framework through which all the elements of IG and current Data Protection Legislation will be met.

Page 13 of 187

- Ensure a proactive use of information within the organisation both for patient care and service management as determined by law, statute and best practice.
- Ensure NHS Doncaster CCG complies with the requirements contained in the DSP Toolkit.
- Ensure IG and current Data Protection Legislation training is completed by all employees and agency workers on an annual basis.
- Describe the management and accountability arrangements for IG within the CCG.
- Ensure a proactive use of information between the organisation and other NHS and partner organisations to support patient care as determined by law, statute and best practice.
- Ensure non-confidential information is made widely available in line with responsibilities under the Freedom of Information Act (FOIA) (2000) and Environmental Information Regulations (EIR) (2004).
- Ensure there are effective arrangements to support confidentiality, security and the integrity of personal and other sensitive information.
- Ensure the organisation’s information is of the highest quality in terms of accuracy, timeliness and relevance.

1.7. To ensure continuous improvement in information governance the organisation has a range of key performance indicators (KPIs) which it uses for monitoring purposes:

KPI 1: Minimum of "Standards Met" compliance with the DSPT.
Method of assessment: Self-assessment completed as required by NHS Digital, and annual audit.

KPI 2: Mandatory Information Governance training completed by all staff.
Method of assessment: Reports through the Corporate Assurance quarterly report and the Data Security and Awareness Training Tool.

KPI 3: Production of quarterly Corporate Assurance reports.
Method of assessment: Audit Committee and Governing Body minutes.

2. Legislation and Guidance

2.1. The following legislation and guidance has been taken into consideration in the development of this policy and associated procedures:
- The EU General Data Protection Regulation (2016) and the Data Protection Act (2018), known as current Data Protection Legislation throughout the document
- The Freedom of Information Act (FOIA) (2000)
- Environmental Information Regulations (EIR) (2004)
- Access to Health Records Act (1990)

Page 14 of 187

- Human Rights Act (1998)
- Crime and Disorder Act (1998)
- Criminal Procedures and Investigations Act (1996)
- Regulatory and Investigatory Powers Act (2000)
- Information Commissioner’s Office (ICO) Framework Code of Practice for Data Sharing (2011)
- NHS Act (2006) and as updated 2012
- NHS Information Governance - Guidance (2007)
- Information Sharing: advice for practitioners providing safeguarding services (July 2018)
- Confidentiality NHS Code of Practice (2003)
- NHS Digital - Code of practice on confidential information (2014)
- NHS Digital - A guide to confidentiality in health and social care (2013)
- Health and Social Care Act (2012)
- Caldicott Guidance (2017)
- Information: To Share or Not to Share: Government Response to Caldicott Review (2013)
- Computer Misuse Act 1990
- Fraud Act 2006
- Data Security and Protection Toolkit (DSPT)
- Copyrights, Designs and Patents Act 1990
- Records Management Code of Practice for Health and Social Care 2016
- Public Records Acts 1958 and 1967
- Common Law Duty of Confidentiality
- Public Interest Disclosure Act 1998
- Health and Social Care (Safety and Quality) Act 2015
- Roles and Functions of the National Data Guardian for Health and Care (July 2016)
- The Mental Capacity Act 2005
- Information Security Management: NHS Code of Practice
- NHS Constitution
- Caldicott 2 Review: to Share or Not to Share
- Information Standard DCB1596 Secure Email Requirements Specification
- Information Security Management Systems - ISO/IEC 27001:2013
- Information Commissioner’s Office – A data protection code of practice for surveillance cameras and personal information.

3. Scope

3.1. This policy applies to those members of staff that are directly employed by the CCG and for whom the CCG has legal responsibility. For those staff covered by a letter of authority / honorary contract or work experience this policy is also applicable whilst undertaking duties on behalf of the CCG or working on CCG premises and forms part of their arrangements with the CCG. As part of good employment practice, agency workers are also required to abide by the CCG policies and procedures, as appropriate, to ensure their health, safety and welfare whilst undertaking work for the CCG.


Page 15 of 187

4. Accountability and Responsibilities

4.1. Overall accountability for ensuring that there are systems and processes to effectively manage information governance lies with the Chief Officer. Responsibility is also delegated to the following individuals.

Associate Director of HR and Corporate Services
Acting as the organisational SIRO, ensuring the identification and mitigation of corporate and operational risks relating to all aspects of Information Security Management (ISM).

Head of Corporate Governance (or equivalent)
Has delegated responsibility for:
- Providing the necessary leadership, management, specialist, technical and legal advice to IG across the organisation, ensuring IG requirements, compliance and standards are met.
- Overseeing the development and maintenance of relevant IG policies and procedures.
- Assisting and supporting the organisational SIRO, ensuring the identification and mitigation of corporate and operational risks relating to all aspects of Information Security Management (ISM).
- Ensuring that the organisation meets the requirements of the IG Standards under the DSPT and associated assurance frameworks to ensure that a high level of compliance is reached and maintained by the organisation.
- Initiating and managing confidentiality and governance-related audits and working with Internal Audit to assess progress, developing action plans as required.
- Oversight of the impact of organisational changes on information assets. Ensuring a data protection impact assessment procedure is in place.
- Monitoring and taking action on all IG related incidents, ensuring the development of action plans and external reporting where appropriate.
- Working with the DPO on relevant matters related to IG.
- Strategically leading the organisation’s approach to the creation, storage, sharing, management and disposal of both corporate and clinical records, ensuring compliance with relevant legislation and guidance.

Chief Nurse (or equivalent)
Has delegated responsibility for:
- Acting as the Caldicott Guardian for the organisation with responsibility for CIA and Clinical Governance.


Page 16 of 187

Governance Manager

(or equivalent)

Has delegated responsibility for:

Overseeing, coordinating and issuing information governance information, maintaining appropriate records regarding information governance, and monitoring developments in information governance.

Ensuring maintenance of the information asset registers including portable IT equipment, information flows, Database of Databases and liaising with all teams to ensure this is regularly updated.

Supporting the Head of Corporate Governance in ISM.

Providing information for patients and staff in relation to how their information is held, used and shared and answering queries in relation to this, including establishing process for managing objections.

Operationally managing the organisation’s approach to the creation, storage, sharing, management and disposal of both corporate and clinical records, ensuring compliance with relevant legislation and guidance.

Dealing with subject access requests.

Overseeing IG training compliance.

Operationally managing the organisation’s response to the requirements of the IG Standards under the DSPT.

Contributing to governance-related audits and working with Internal Audit to assess progress, developing action plans as required.

Administering IG related incidents, ensuring the development of action plans and external reporting where appropriate.

Liaising with other Committees and groups within the organisation to promote and integrate information governance.

Information Asset Owners

IAOs are responsible for providing regular reports to the SIRO, at least annually, on the assurance and usage of their assets. The IAOs have delegated responsibility for:

Maintaining professional standards according to best practice in liaison with staff working in the area.

Ensuring local application of guidelines including retention and disposal schedules and advising on disposal.

Determining the most effective ways of promoting the guidelines in their area, e.g. training, induction, team meetings etc.

Providing support and advice to staff in the area of Records Management with the assistance of the CG and Corporate Services.

Monitoring performance through quality control / periodic audits.

Ensuring compliance with the standards, legislation, policies and procedures relating to the management of records.

Identifying areas where improvements could be made.

Ensuring that staff complete relevant training on records management, confidentiality and data protection.

Reviewing / adopting tracking and registration systems for appropriate records in all areas.

Ensuring appropriate records are archived.

Ensuring that there is a mechanism for identifying records which must be kept for permanent preservation.

Ensuring the confidentiality, integrity and availability of all information that their system processes, and protecting against any anticipated threats or hazards to the security or integrity of such information.

Undertaking information risk assessments on all information assets where they have been assigned ‘ownership’, following guidance from the SIRO on assessment method, format, content, and frequency – which is provided through the annual Data Assets and Flows update exercise.

Reporting security incidents and ensuring that the reports are fully documented, including the type of incident, and that countermeasures are put in place.

Reporting to the SIRO and ensuring that countermeasures are discussed and implemented in conjunction with security incidents.

Initiating the necessary disciplinary action through the HR Team if a member of staff is found to be disregarding procedures which could result in a security incident.

Information Asset Administrator

The IAO can assign day-to-day responsibility for each Information Asset to an IAA or other manager.

Data Protection Officer

The DPO has responsibilities under current Data Protection Legislation:

To provide advice to the organisation and its employees on compliance obligations

To advise on when data protection impact assessments are required and to monitor their performance

To monitor compliance with the current Data Protection Legislation and organisational policies, including staff awareness and provisions for training

To co-operate with, and be the first point of contact for the ICO

To be the first point of contact within the organisation(s) for all data protection matters

To be available to be contacted directly by data subjects; the contact details of the data protection officer will be published in the organisation’s privacy notice

To take into account information risk when performing the above.

All Staff

Responsibilities of Staff (including all employees, whether full / part time, agency, bank or volunteers) are:

Complying with this policy and procedures.

Identifying any gaps in the policy to the responsible officers.

4.2. The Executive Committee of the Governing Body has delegated responsibility for overseeing information governance management to the Information Governance Group (IGG). The Audit Committee will monitor compliance with IG requirements through the quarterly Corporate Assurance Report containing assurance to enable the Committee to:

Review the systems in place to develop and implement the IG Policy and all other related procedures.

Review information incident reporting procedures, monitoring and assuring systems to investigate all reported instances of actual or potential breaches of confidentiality and security.

Review IG requirements in line with changes, at least annually, in order to update contracts, policy and training accordingly.

Review systems in line with national directives.

Work with Internal Audit to facilitate effective audits against nationally and locally agreed criteria.

Support the provision of high quality care by promoting the effective and appropriate use of information.

Receive assurance of assessments undertaken using the DSPT, overseeing work plans to address gaps identified and ensuring they are monitored and performance managed.

Assure the Governing Body that IG policies and procedures remain up-to-date, reflect national guidance and are in operational use throughout the organisation.

Monitor the CCG’s information handling activities to ensure compliance with the law and guidance, e.g. reviewing results of audits.

Provide a focal point for the resolution and/or discussion of IG issues.

Receive assurance that mandatory IG training is completed annually by all staff and additional IG training is completed which is necessary to support their role.

Receive assurance that relevant IG experience, evidence, research, information and data is readily available to all staff.

The CCG’s IGF is used in conjunction with the policy and will act as an overarching framework for the local delivery of IG.


4.3 The IGG’s purpose is to:

Guide the CCG, as a data controller, in ensuring that all information is used in line with legislation/standards, using members’ roles and expertise to direct work plans;

Directly support the SIRO, CG and DPO roles;

Maintain the CCG’s notification with the ICO (if applicable);

Ensure objections to the disclosure of confidential personal information are appropriately respected (where applicable);

Ensure completion of the IGT and current Data Protection Legislation and equivalent each year;

Approve any action plans stemming from the IG work plan and monitor their implementation;

Review and maintain the IG Strategy, and all related Policies / procedures, for recommendation to the Governing Body;

Review any risks or incidents in relation to IG and ensure that appropriate actions have been taken and that the escalation process is implemented and monitored for IG incidents;

Ensure that the CCG’s approach to information handling is communicated to all staff and made available to the public (where applicable) by reviewing training programmes, fair processing notices and communication plans;

Review the results of any IG audits and oversee the implementation of any remedial actions;

Review minutes and actions of meetings with the SIRO and CG;

Provide a focal point for advising the Executive Committee on IG;

Review the presentation of the DSPT progress reports, incidents, risks and commissioning programmes regarding IG requirements and ensure that assurance is received for actions being implemented;

Conduct key reviews of the Information Asset Register with IAOs, linking Data Protection Impact Assessments (DPIA).

The IGG shall take place on a bi-monthly basis with a key membership including the SIRO, CG, DPO, Data Security Specialist and the IG Lead. It is a key reviewing function of IG and Data Security, ensuring that IG and current Data Protection Legislation requirements are being demonstrated and embedded across the CCG. Terms of reference for the group and a work plan have been developed to provide a framework for delivery of the above duties.

5. Dissemination, Training and Review

5.1. Dissemination

5.1.1. The effective implementation of this policy will support openness and transparency. The CCG will:

Ensure all staff and stakeholders have access to a copy of this policy via the organisation’s website and shared drive.

Communicate to staff any relevant action to be taken


Ensure that relevant information governance training raises and sustains awareness of the importance of effective information governance management.

5.1.2. This policy is located on the Shared Drive. All procedural documents are available via the organisation’s website. Staff are notified by email of new or updated procedural documents.

5.2. Training

5.2.1. All staff are required to complete basic information governance and data protection training annually and will also be asked to complete other training commensurate with their duties and responsibilities. Staff requiring support should speak to their line manager in the first instance. Managers should contact the Corporate Services Team if there are specific training needs.

5.3. Review

5.3.1. As part of its development, this policy and its impact on staff, patients and the public has been reviewed in line with NHS Doncaster CCG’s Equality Duties. The purpose of the assessment (refer to Appendix 1 for the Equality Impact Assessment) is to identify and, if possible, remove any disproportionate adverse impact on employees, patients and the public on the grounds of the protected characteristics under the Equality Act.

5.3.2. The policy will be reviewed every three years, and as and when required in response to the following:

Legislative changes

Good practice guidelines

Case Law

Significant incidents reported

New vulnerabilities identified

Changes to organisational infrastructure

Changes in practice

5.3.3. This policy will be performance monitored to ensure that it is in-date and relevant to the core business of the CCG. The results will be published in the regular Corporate Assurance Reports.


SECTION B – INFORMATION GOVERNANCE STRATEGY AND MANAGEMENT FRAMEWORK

1. Introduction

1.1. This document sets out the approach to be taken within the organisation to provide a robust IGF for the management of information. It supports the IG policy and procedures by addressing key areas for IG development across the organisation and with our partners, and cannot be seen in isolation, as information plays a key part in governance, strategic risk, knowledge management, service planning, procurement and performance management. The IG Policy, Framework and procedures will be made available to staff via the website and shared drive to improve staff awareness of the organisation’s approach to future IG developments.

1.2. Key Related Procedures

A. Information Sharing Procedure

B. Records Management Procedure

C. Subject Access Requests - Access to Personal Data Under Current Data Protection Legislation and Access To Health Records Act 1990

D. Confidentiality Code Of Conduct And Data Protection Procedure

E. Laptops, Other Portable Devices Offsite Users Procedure

F. Mobile Telephone Procedure

G. Procedure For Registering and Authorising Computerised Databases For The Storing and Processing Of Personal Data

H. Password Management Procedure

I. Internet, Email and Social Networking Policy

J. Data Protection Impact Assessment Procedure

K. Information Security Procedure

1.3. The IGG oversees the IG agenda.

1.4. The following organisational resources are available to the agenda:

Head of Corporate Governance

Corporate Governance Manager

Information Asset Owners (IAO)

Information Asset Administrators (IAA)

Data Protection Officer (DPO)

2. Strategic Aims

The table below sets out each strategic aim, its detail and the intended outcome.

Aim 1 - Training and Staff Awareness

Detail: Fundamental to the success of delivering the IGF is developing an IG culture within the organisation. Awareness and IG training is mandatory for all CCG staff through an e-learning programme. A training needs analysis will identify staff roles where additional IG training is indicated and this will be made available through a variety of sources including e-learning and specialist sessions as required. All staff should have access to up-to-date legislation and guidance relating to their roles. This is facilitated by providing access to the internet, as well as suitable training. All staff are required to read and sign the Confidentiality Code of Conduct on appointment, which describes the organisation’s expectations regarding staff compliance with statutory requirements such as the current Data Protection Legislation and the Human Rights Act 1998. This requirement extends to all agency and temporary staff and, where appropriate, to contractors working on site. Adequate training must be available to all staff to support the development and implementation of new technologies and working practices. An IG staff survey will be sent out annually to all staff to check their awareness of a range of IG areas. A summary will then be submitted as part of the Corporate Assurance Report. Where it is deemed appropriate to raise staff awareness further or to advise of recent changes, additional information is included in Team Meetings or via group e-mails to all staff.

Outcome: All staff are aware of IG legal and national requirements, thus reducing the risk of a breach which could result in distress to patients or colleagues, or an incident, complaint, claim or adverse publicity for the CCG.

Aim 2 – Staff and Patients are informed of how their information is used

Detail: The Organisation must ensure that staff and patients are made aware of how their information is used and of the importance of checking the accuracy of data. In order to make sure that all are aware of their rights regarding data, there is a leaflet and Privacy Notice published on the CCG website. All staff should be aware of these documents and offer them if queried about these issues. Staff should be encouraged to check data accuracy to reduce the likelihood of mistakes being made, e.g. incorrect identification of similarly named people.

Outcome: Staff and patients will be informed about the uses of information held about them. Effective and timely communication should enable the organisation to move forward with technological advances.

Aim 3 – Data Security and Protection Toolkit: Continual progress against the DSPT with a Fully Met Rating

Detail: Continual progress and improvement against the DSPT is a key target for the organisation. In this way, IG processes will be built into the culture and based on best practice. A Fully Met rating for the CCG’s DSPT submission is also required for performance management purposes. The organisation will reassess compliance on an ongoing basis to reflect changes in the toolkit requirements, to re-evaluate the robustness of evidence and to comply with NHS requirements for continuous rather than annual assessments.

Outcome: The organisation will ensure a proactive IG culture and meet required performance targets.

Aim 4 - Risk Management

Detail: Incidents and potential incidents involving information, data and personal or sensitive records are reported, analysed and lessons learned (see Risk Management Policy and Procedures). Any unforeseen occurrences involving staff or patient personal information or breaches of confidential business information (in whatever format) should be reported via the incident reporting system. IG incidents may include Information Management Technology and Security, unauthorised access, Caldicott / current Data Protection Legislation / FOI or all aspects of records management from creation to disposal. Staff should be encouraged to report these types of incidents promptly and should receive feedback to enable them to improve practice. IG Incidents are reviewed as part of the overall risk management process and included where appropriate in the risk register. The SIRO is responsible for ensuring the safe management of all information-related risks. The organisation has developed arrangements to report and manage serious incidents in line with the IG Assurance Programme Guidance, including reporting to NHS England and the Information Commissioner as required. This also includes a requirement to incorporate such issues in the Annual Governance Statement.

Outcome: Improved incident reporting and hence better understanding of real and potential risks requiring action.

Aim 5 – NHS Number (Records Management / Information Lifecycle Strategic Aims)

Detail: The organisation will work towards the use of the NHS number in all patient records and documentation related to the direct care of the patient, or where there is consent or a legal gateway.

Outcome: NHS Number compliance.

Aim 6 - Rationalising Records (Records Management / Information Lifecycle Strategic Aims)

Detail: All staff will work towards rationalising record collections through sharing records and the information they contain (subject to the requirements of the Caldicott Principles, the current Data Protection Legislation, EIR 2004 and FOIA 2000) by merging or ensuring effective cross-referencing.

The organisation will carry out regular Data Audits which look at the records ‘owned’ by the organisation and how they are stored and transferred. Following each audit, it is possible to identify records (manual and electronic) held by members of staff within the CCG. At this point, the lead in Records Management will be able to determine if any of these records could be subject to record sharing. If it is decided that different systems with common sets of data need to continue, documented procedures should be developed to ensure that any differences between the records are reconciled. Consideration will also be given to whether records could be merged or cross-referenced. The IAOs will ensure that all records held by their teams are included and assessed as part of the ongoing audits. All teams across the organisation are responsible for ensuring that they have a manageable and accessible filing system which reduces duplication and avoids retention of files beyond the recommended limits or operational need.

Outcome: Record collections assessed for rationalisation potential, which will in turn reduce duplication and possible errors, and effective progress towards integrated records.

Aim 7 - Records Storage and Maintenance (Records Management / Information Lifecycle Strategic Aims)

Detail: All manual and electronic records in the CCG will be appropriately stored and maintained in accordance with guidance and legislation (see Records Management Procedure). Manual Records: Storage facilities for current paper records are very restricted, requiring ongoing review processes to support disposal or long term retention off site. Records should only be kept long term where there is a specific requirement to do so. Any records containing personal data may only be retained in line with the current Data Protection Legislation and cannot be legally kept for any longer periods without the express consent of the identifiable individuals. Non-Paper Records: There should be ongoing review of electronically held data to include retention periods and general housekeeping. General housekeeping issues include deleting duplicates and unnecessary information (whilst following the correct retention periods) from the server or any stand-alone systems. It should also be ensured that all confidential information is stored in the correct sections of the server. The review of records forms part of the DSPT Assessment Process and there will be checks across the organisation.

Outcome: Streamlined approach to paper record retention according to guidelines. Streamlined recording of electronic data according to guidelines, a reduced risk of information data breaches, and compliance with retention guidelines.

Aim 8 - Records Disposal (Records Management / Information Lifecycle Strategic Aims)

Detail: Records will be reviewed under the retention periods stated and those no longer required by the services of the organisation will be considered for disposal, e.g. permanent preservation, long term archiving, transfer, destruction or any other use as agreed by the relevant Line Manager / CG.

There are occasions when records may need to be passed on to other NHS organisations, thus disposing of the record. Detailed audits of such movement of records must be maintained. The principles of Caldicott, current Data Protection Legislation and the IG Assurance programme must be adhered to. A record or brief description must be kept about any record that has been destroyed if it is deemed to be a document that was relevant to the business of the organisation. Further guidance should be sought from Corporate Services if required. Methods of disposal of records must meet confidentiality and security guidelines. For records disposed of by a contractor, the contractor will be required to sign confidentiality agreements and produce written certification as proof of destruction. Action that will be taken in the event of confidence being breached (e.g. termination of contract) will be specified. This will be managed as part of the organisation’s waste management policies and procedures, giving due account to Waste Electric and Electronic Equipment (WEEE) regulations for electronic equipment and best practice guidance on disposing of computer hardware.

Outcome: Streamlined, standardised record storage system according to guidelines and tighter confidentiality controls with contractors.

Aim 9 – Documentation (Records Management / Information Lifecycle Strategic Aims)

Detail: Standards will be applied to the production of documentation (manual and electronic) to ensure good record keeping principles are adhered to.

The organisation has professional record keeping standards, staff training and a plan of audits to ensure high standards are maintained. Corporate standards have been reviewed across the organisation to ensure consistency, and a policy and procedure has been developed to inform staff of the model formats for policies, strategies and procedures (Policy on Procedural Documents). Other guidance will be available from the Corporate Services Team. Templates will be available on the shared drive.

Outcome: Improved quality control and consistency of records. Improved corporate image and clarity for staff concerning publications/documentation. Increased understanding of documentation by the general public.

3. Openness and Information Sharing

3.1. The CCG will ensure that the principles of Caldicott and the regulations outlined in the current Data Protection Legislation and the organisation’s current Data Protection Legislation Procedure underpin the management of confidential information at all times.

3.2. The organisation recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. The CCG needs to share patient information with other health organisations and other agencies in a controlled manner consistent with the interests of the patient and, in some circumstances, the public interest. Detailed guidance can be found in the organisation’s Information Sharing Procedure.

3.3. Non-confidential information about the CCG and its services will be made available to the public through a variety of means, in compliance with the FOIA 2000 and EIR 2004. The organisation’s Publication Scheme will continue to meet the requirements of the ICO’s Model Scheme for health bodies.

3.4. Patients will have access to information relating to their own health care, options for treatment and their rights as patients. There are clear procedures and arrangements for handling requests for personal information or medical records from patients and the public, detailed in the organisation’s Access to Records Procedure and Records Management Procedure.

3.5. The CCG has an obligation as a Data Controller to notify the Information Commissioner of the purposes for which it processes personal data. Notification monitoring within the organisation is carried out by the Head of Corporate Governance. Before the annual review of the CCG’s Notification, the Head of Corporate Governance will review the types of processing being carried out within the organisation (e.g. from the Data Flow Audit and Database of Databases) to ensure that the processing complies with the seventh principle of the current Data Protection Legislation. Individual data subjects can obtain full details of the organisation’s data protection registration / notification with the Information Commissioner from the Information Commissioner's website (www.ico.gov.uk).


3.6. We will publish an appropriate Privacy Notice on our website.

4. Information Security

4.1. Information security risk is inherent in all administrative and business activities, and everyone working for or on behalf of the CCG continuously manages information security risk. The aim of information security risk management is not to eliminate risk, but rather to provide the structural means to identify, prioritise and manage the risks involved in all our organisational activities. It requires a balance between the cost of managing and treating information security risks and the anticipated benefits that will be derived.

4.2. The principles of information security require that all reasonable care is taken to prevent inappropriate access, modification or manipulation of data from taking place. In the case of the NHS, the most sensitive of our data is patient record information. In practice, this is applied through three cornerstones - confidentiality, integrity and availability:

Information must be secured against unauthorised access – confidentiality;

Information must be safeguarded against unauthorised modification – integrity;

Information must be accessible to authorised users at times when they require it – availability.

4.3. Further information can be found in the organisation’s ISM Statement and Assurance Plan.

4.4. The organisation will undertake audits or commission assessments of its information and IT security arrangements. Risk assessments will be undertaken to ensure that appropriate, effective and affordable information security controls are in place in the CCG locations.

4.5. The CCG will promote effective confidentiality and security practices to its employees through policies, procedures and training.

4.6. The organisation will establish and maintain incident reporting procedures and will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security.

4.7. Breaches of Information Security will be investigated in line with guidance and reported as appropriate via the Head of Corporate Governance.

4.8. IAOs will liaise with the SIRO on all issues relating to information security risks within their area of responsibility.

4.9. An agreement describes the responsibilities of contractors and their sub-contractors under the NHS Confidentiality Code of Practice 2003 and the current Data Protection Legislation when undertaking work for or with NHS Doncaster CCG. It should be signed by all contractors prior to entering the CCG’s site. This is the responsibility of leads managing those contractors, whether they are management associates or facilities contractors.

4.10. A procedure is in place for secure IT asset disposal.

4.11. An information security procedure is in place for:

management of access control,

virus control,

physical control,

disposal of equipment and media,

monitoring system access and use,

information, transition and networks,

information asset management and risk assessment,

accreditation of information systems.

4.12. Staff are reminded that the intentional disclosure of information to a third party where a gain is made for themselves or another, or which results in the risk of, or actual, loss to the CCG is a potential criminal offence under Section 4 of the Fraud Act 2006. Suspicion of any such breaches should be reported without delay in accordance with the CCG’s Counter Fraud, Bribery and Corruption Policy, or a confidential report can be made to the NHS Fraud and Corruption Reporting Line, by calling 0800 028 40 60.

5. Information Quality Assurance

5.1. The CCG will establish and maintain procedures for information quality assurance and the effective management of records. Refer to the Records Management Procedure for more details.

5.2. Audits will be undertaken or commissioned of the records management arrangements.

5.3. Wherever possible, information quality will be assured at the point of collection. Integrity of information will be developed, monitored and maintained to ensure that it is appropriate for the purposes intended. Managers are expected to take ownership of, and seek to improve, the quality of information within their services.

6. Data Protection

6.1. The CCG holds and processes information about its employees, patients and other individuals for various purposes (for example, the effective provision of healthcare services, or to operate the payroll and to enable correspondence and communications). To comply with the current Data Protection Legislation, information must be collected and used fairly, stored safely and not disclosed to any unauthorised person. The current Data Protection Legislation applies to both manual and electronically held data for living persons.

The lawful and correct treatment of personal information is vital to successful operations, and to maintaining confidence within the organisation and the individuals with whom it deals. The CCG will comply with the following data protection principles setting out the main responsibilities for organisations.

6.2. The current Data Protection Legislation and the common law duty of confidentiality should underpin the development of any information sharing decision. As data controllers, the CCG and its partners have a duty to comply with the eight Data Protection Principles (as set out in the Data Protection Act 1998; the corresponding Article 5 principles of the current legislation are set out in 6.3 below):

1. Personal data shall be processed fairly and lawfully.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under the current Data Protection Legislation.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

6.3. Article 5 of the current Data Protection Legislation requires that personal data shall be:

a) processed lawfully, fairly and in a transparent manner in relation to individuals;

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the current Data Protection Legislation in order to safeguard the rights and freedoms of individuals; and

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

6.4. Further details can be found in the Confidentiality Code of Conduct and Data Protection Procedure.

7. Records Management / Information Lifecycle Management

7.1. The CCG recognises the need to ensure a structured and integrated approach to Records Management throughout the organisation which supports the overall IG arrangements within the organisation.

7.2. The CCG is committed to a systematic and planned approach to the management of records, from their creation to their ultimate disposal in accordance with relevant legislation. This will ensure that the CCG can control both the quality and quantity of the information that it generates, can maintain that information in an effective manner, and can dispose of the information efficiently when it is no longer required. Detailed Records Management guidance can be found in the Records Management Procedure.

8. Freedom of Information and Environmental Information Regulations

8.1. The FOIA 2000 is part of the Government’s commitment to greater openness in the public sector.

8.2. The main features of the FOIA are:

- A general right of access from 1st January 2005 to recorded information held by public authorities, subject to certain conditions and exemptions;
- In cases where information is exempt from disclosure, except where an absolute exemption applies, a duty on public authorities to: (i) inform the applicant whether they hold the information requested, and (ii) communicate the information to him or her, unless the public interest in maintaining the exemption in question outweighs the public interest in disclosure;
- A duty on every public authority to adopt and maintain a Publication Scheme, specifically applicable to the NHS from 31st October 2003;
- The office of the Information Commissioner, with wide powers to enforce the rights created by the FOIA and to promote good practice;
- A duty on the Lord Chancellor to disseminate Codes of Practice for guidance on specific issues.

8.3. The EIR 2004 give rights of public access to environmental information held by public authorities. These regulations have been introduced in line with European Directive 2003/4/EC and the Aarhus Convention on Access to Information, Public Participation in Decision Making and Access to Justice in Environmental Matters 1998.

8.4. The EIR 2004 permit exceptions rather than exemptions, and the emphasis is in favour of disclosure. It is important for the organisation to make the distinction between FOI and EIR and to respond accordingly.

8.5. The CCG believes that public authorities should be allowed to discharge their functions effectively. This means that the organisation will use the exemptions contained in the FOIA 2000 where an absolute exemption applies, or where a qualified exemption or exception can reasonably be applied having weighed the public interest in disclosure. Detailed information can be found in the FOI and EIR Policy.

9. Confidentiality Code of Conduct / Caldicott

9.1. The principle behind the organisation’s Confidentiality Code of Conduct is that no employee shall breach their legal duty of confidentiality, allow others to do so, or attempt to breach any of the CCG’s security systems or controls in order to do so. The organisation’s Confidentiality Code of Conduct is appended to this policy. Each new employee is required, as part of their contract of employment, to sign the Confidentiality Code of Conduct / their contract, which is then retained in their personal file.

9.2. The Caldicott Guardian (CG) oversees the Caldicott function and is primarily concerned with upholding and supporting patient confidentiality. This function sits within the broader remit of the IG Assurance Framework as outlined by the Department of Health’s guidelines. Under the current Data Protection Legislation and other relevant legislation, the role of the CG is vital to the assurance and safety of patient identifiable information. A national Register of CGs is held, and the CCG’s CG is registered on it.

9.3. The CCG has appointed a CG who has responsibility to ensure the protection of patient confidentiality throughout the organisation in accordance with legal rights. The CCG’s CG is the Chief Nurse. The CG is supported by the Associate Director of HR and Corporate Services as SIRO. An annual Caldicott Plan is developed; it is approved by the Information Governance Group and exceptions are reported to the Quality and Patient Safety Committee.

9.4. In any case where confidential information has been requested for non-medical purposes, the CG will assess whether the information request is supported by the following seven Caldicott principles:

Principle 1 – Justify the purpose(s) for using confidential information. Every proposed use or transfer of patient identifiable information within or from an organisation should be clearly defined and scrutinised, with continuing uses regularly reviewed, by an appropriate guardian.

Principle 2 – Only use it when absolutely necessary. Personal confidential data should not be included unless it is essential for the specified purpose(s) of that flow.

Principle 3 – Use the minimum that is required. Where use of personal confidential data is considered to be essential, the inclusion of each individual item of information should be considered and justified so that the minimum amount of identifiable information is transferred or accessible as is necessary for a given function to be carried out.

Principle 4 – Access should be on a strict need-to-know basis. Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the information items that they need to see. This may mean introducing access controls or splitting information flows where one information flow is used for several purposes.

Principle 5 – Everyone must understand his or her responsibilities. Action should be taken to ensure that those handling personal confidential data are made fully aware of their responsibilities and obligations to respect patient confidentiality.

Principle 6 – Understand and comply with the law. Every use of personal confidential data must be lawful.

Principle 7 – The duty to share information can be as important as the duty to protect patient confidentiality. Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

10. Information Risk Management and Lessons Learned

10.1. Information risk is inherent in the CCG’s activities, and an information risk assurance process is set out as a requirement of the DSPT. Information risk management is the ongoing process of identifying information risks and implementing plans to address them. The responsibilities, definitions, processes and templates contained in the Risk Management Policy and Procedure also apply to information risk management.


10.2. The CCG maintains an Assurance Framework which covers strategic risks, and a Risk Register which covers operational risks. All risks are reviewed regularly by the risk lead in line with the organisation’s Risk Management strategy, policy and procedure. As part of this risk management programme of activity, the CCG’s IG risks are routinely reviewed.

10.3. The SIRO acts as an advocate for information risk on the Governing Body. The SIRO is the Associate Director of HR and Corporate Services. IAOs liaise with the SIRO in relation to any risks associated with the assets for which they are accountable. In addition, the DPO is to be consulted for advice on data protection matters.

10.4. The following objective within our Risk Management Strategy underpins our strategic aim for risk management; the methods for delivery against the stated objective are listed beneath it.

Objective: To ensure information risk management is integrated into the organisation’s IGF to assist in safeguarding the organisation’s information assets, people, finance, property and reputation.

Delivery: We will deliver this through:

- Collation and review of risk assessments
- Information security threats to be followed up and managed by appropriate action plans
- Regular reporting and review of information risks by the SIRO

10.5. Information Risk Management aims to:

- Protect the CCG from those information risks of significant negative likelihood and consequence in the pursuit of the CCG’s stated strategic goals and objectives.
- Meet legal, statutory, and NHS Policy requirements.
- Assist in safeguarding the CCG’s information assets - people, finance, property and reputation.

10.6. Information risk assessments will be performed on a regular basis for all information systems and critical information assets. Information risk assessments will also occur at the following times:

- At the inception of new systems, applications and facilities that may impact the assurance of the CCG’s information or information systems.
- Before enhancements, upgrades, and conversions associated with critical systems or applications.
- When NHS policy or legislation requires risk determination.
- When the CCG Management Team requires it.

10.7. An IG incident is an event which may result in:

- Degraded system integrity, e.g. causing a virus to enter the system.
- Loss of system availability, e.g. email not working.
- Disclosure of confidential information, e.g. password sharing (accidentally or on purpose).
- Disruption of activity, e.g. inappropriately deleting files from the S-drive.
- Loss, e.g. theft of a laptop.
- Legal action, e.g. inappropriate disclosure of patient information.
- Unauthorised access to applications, e.g. unauthorised access to the payroll system.

10.8. All IG incidents will be formally logged, categorised by severity and analysed in accordance with the organisation’s Incident Management Policy and the NHS Digital IG Serious Incidents Requiring Investigation (SIRI) checklist.

10.9. One or more of the following individuals should also be advised, according to the severity and type of incident:

- Caldicott Guardian, if the incident involves patient identifiable information.
- Head of Corporate Governance, for IG incidents.
- Human Resources Manager, for incidents relating to Smart Cards.

10.10. Major breaches of confidentiality, including theft or loss of medical records and electronic equipment containing patient/personal data, should be reported to the Head of Corporate Governance or their Deputy as soon as possible and within a maximum of 24 hours, in line with Serious Incident (SI) reporting requirements. Under the current Data Protection Legislation there is a legal requirement to notify the ICO of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. The 24-hour internal deadline exists so that this risk assessment can be made and the external deadline met; as above, the Head of Corporate Governance or their Deputy and the CCG’s DPO should be informed within a maximum of 24 hours.

10.11. All serious IG incidents, and the results of incident investigations / root cause analyses, will be discussed by the IGG at the earliest subsequent meeting, with the Audit Committee having oversight; the SIRO will keep the Governing Body informed as appropriate. Relevant reporting will be made externally in line with IG requirements.

10.12. Learning from risks, incidents and other such events is key to developing a culture in the organisation that welcomes knowledge of such events as an opportunity to improve patient care, the services offered within the CCG, and the working environment and safety of employees.

11. Information Asset Lists and Database List

11.1. IT assets worth over £5,000 are included within the Asset List which is maintained by the Finance Team.

11.2. Information Asset Lists have been compiled for all teams and the maintenance of these is the responsibility of the Head of Corporate Governance.

11.3. The Head of Corporate Governance maintains a list of databases held by the organisation which contain patient or employee information and have been approved by the CG. It is the responsibility of all staff to ensure that authorisation is obtained to create and hold databases and spreadsheets which contain person identifiable information. Such information can only be stored where there is consent or a legal gateway, or if it is held for the purposes of direct patient care.

12. Improvement Plan and Assessment

12.1. Assessments of compliance with each requirement within the DSPT will be undertaken throughout each year. Annual reports and proposed action / development plans will be presented to the IGG for approval prior to submission annually in March. The requirements are grouped into the following initiatives:

- Information Governance Management
- Confidentiality and Data Assurance
- Information Security Assurance
- Clinical Information Assurance

SECTION - C INFORMATION GOVERNANCE PROCEDURES

A. Information Sharing Procedure

B. Records Management Procedure

C. Subject Access Requests - Access to Personal Data Under the Current Data Protection Legislation and Access To Health Records Act 1990

D. Confidentiality Code Of Conduct and Data Protection Procedure

E. Laptops, Other Portable Devices Offsite Users Procedure

F. Mobile Telephone Procedure

G. Procedure For Registering and Authorising Computerised Databases For The Storing and Processing Of Personal Data

H. Password Management Procedure

I. Internet, Email and Social Networking Procedure

J. Data Protection Impact Assessment Procedure

K. Information Security Procedure


INFORMATION SHARING PROCEDURE


A - INFORMATION SHARING PROCEDURE

1. Introduction

1.1. An information sharing procedure is crucial to the provision of comprehensive and continually improving health and social care through partnership working and embracing new technologies. It is also a major factor in joint working to protect the most vulnerable and in providing accessible services across the whole population.

1.2. It is equally important that our patients, clients and their families are confident that the CCG and its partners will still keep their personal information safe and secure and that it will only be shared in agreed and appropriate circumstances.

1.3. The purpose of this document is to provide guidance to staff on the development of Information Sharing Agreements (ISA) to reflect the needs of their service, a proposed development, a partnership group or a statutory requirement.

1.4. In certain circumstances there may be a legal or statutory requirement to share data or information, but this should still be considered in line with the current Data Protection Legislation and Caldicott principles, and it should be proportionate and appropriate.

Relevant legislation and guidance:

- No Secrets: Guidance on developing and implementing multi-agency policies and procedures to protect vulnerable adults from abuse.
- Data Protection and Sharing – Guidance for Emergency Planners and Responders (HMG 2007).
- Data Sharing Review Report (Thomas and Walport 2008).
- Health and Social Care Act (2012).
- Caldicott Report (1997).
- Caldicott Review (2013).
- Common Law Duty of Confidentiality.
- Health and Social Care (Safety and Quality) Act 2015 (new duties to share and to use the NHS number).
- General Data Protection Regulation.

2. Current Data Protection Legislation

Refer to Section B, Information Governance Strategy and Management Framework, Item 6 – current Data Protection Legislation principles.

2.1. In addition, health and social care data is subject to the Caldicott principles and the professional codes of practice. The current Data Protection Legislation should not be seen as a barrier to information sharing but as a framework to support good information sharing in practice.


3. Key Prior Considerations for Information Sharing

3.1. There must always be a clear and justifiable purpose for sharing the information:

- Supporting the delivery of care
- Improving quality standards
- Effective partnership working
- Monitoring public health
- Audit and research
- Managing incidents, risks and complaints
- Contracting and service planning
- Education and training
- Protecting the vulnerable
- Investigating serious crime and fraud

3.2. Information is provided in confidence when it appears reasonable to assume that the provider of the information believed that this would be the case, or where a person receiving the information knows, or ought to know, that the information is being given in confidence. It is generally accepted that most (if not all) information provided by service users is confidential in nature.

3.3. Consent should be obtained wherever it is possible or appropriate:

- Always ask for informed consent where possible and appropriate.
- Be open about what information will be used for and who our partners are.
- In situations where there may be a legal duty to share without consent, information sharing should still be proportionate and relevant.
- Seek advice in circumstances where children are involved or adults who lack capacity.
- Consider any barriers to understanding and facilitate good communication with all parties involved.
- When first setting up a service, consider an information sharing agreement from the outset.

3.4. Individuals’ rights to confidentiality are not absolute and may be overridden where there is evidence that disclosure for specific purposes is necessary, in exceptional circumstances such as:

- Where it is required by statute.
- Where not sharing the information poses a public health risk.
- In the vital (life or death) interests of the data subject or another person, where consent cannot be obtained.
- Where sharing is required to prevent, detect or prosecute a serious crime such as treason, murder, manslaughter, rape, kidnapping, hostage-taking, causing an explosion likely to endanger life or property, and hijacking (this list is not exhaustive).
- Safeguarding of children or vulnerable adults, where a lack of information sharing may lead to unjustified delay in making enquiries about allegations of serious harm.


3.5. Consideration should be given as to whether individuals can be identified from the data:

- Consider whether some or all of the information can be shared anonymously, in a redacted format, or pseudonymised.
- Information in healthcare is often sensitive personal data. Consent or a legal gateway is required when sharing personal confidential data.
- Be sure that you protect the rights of third parties mentioned in the data.

3.6. The parties to the agreement must be stated:

- Consider who the partners are to be and whether they are bound by the same rules of confidentiality as NHS staff.
- If external contractors are involved, check that the contracts are specific on the confidentiality of information and any permitted secondary use.
- Ensure all parties sign up to the agreement at the appropriate level (e.g. the CG in health and social care).

3.7. The actual information to be shared must be defined along with storage and retention criteria:

- Define the terms and conditions relating to how the information can be used.
- Define at the outset the information to be shared and any information that is excluded.
- Ensure there is agreement on the responsibilities for managing the shared information and investigating any breaches or inappropriate use.
- Identify a data controller for the amalgamated information.
- Identify a retention period for the shared data and monitor compliance.

3.8. The security arrangements for the data in storage and in transit must be considered:

- Make sure there are clearly defined rules for the way in which information is passed between individuals and teams.
- Keep records of information shared and where it is stored.
- Identify responsibilities for safe disposal of data.
- Ensure access controls have been agreed between all parties.

3.9. Mandatory information governance training, support and guidance must be available to all staff:

- Ensure all parties to a data sharing agreement have undertaken information governance training.
- Agree how support and advice will be provided to partners to the agreement.

3.10. All ISAs must reflect the CCG’s IG Policy and Procedures.

3.11. The appended information sharing flowchart may support consideration of information sharing issues.


4. Style and Format of ISAs

4.1. All agreements should be written in a style which is concise and clear, using unambiguous terms and language.

4.2. A sample template is appended. Alternative formats can be used as long as the agreement includes at least the following information:

- Name of project, working group or client group.
- Purpose of information sharing.
- Partners – all agencies involved.
- Date of agreement.
- Review period.
- Approvals (where relevant).
- Relevant legislation and guidance.
- Process for sharing, including transfer methods.
- Types of information to be shared.
- Constraints on the use of information (terms and conditions).
- Roles and responsibilities.
- Specific issues for the agreement.
- Review, retention and deletion of information.
- Signature of all relevant parties, including Caldicott Guardians where health and social care information is to be shared.

4.3. Key questions when seeking to share information are:

- What is the sharing meant to achieve? There should be a clear objective, or set of objectives. Being clear about this helps to establish what data need to be shared and with whom.
- What information needs to be shared? All the personal data held about someone should not be shared if only certain data items are needed to achieve the objectives.
- Who requires access to the shared personal data? ‘Need to know’ principles should be employed, meaning that other organisations should only have access to data if they need it, and that only relevant staff within those organisations should have access to the data. This should also address any necessary restrictions on onward sharing of data with third parties.
- When should it be shared? Is the sharing part of an ongoing, routine process or will it only take place in response to particular events?
- How should it be shared? This involves addressing the security surrounding the transmission or accessing of the data and establishing common rules for its security.
- How can we check the sharing is achieving its objectives? Regular review will be needed to judge whether it is still appropriate to share the data and to confirm that the safeguards still match the risks.
- What risk does the data sharing pose? For example, is any individual likely to be damaged by it? Is any individual likely to object? Might it undermine individuals’ trust in the organisations that hold the records?
- Could the objective be achieved without sharing the data or by anonymising it? It is not appropriate to use personal data to plan service provision, for example, where this could be done with information that does not amount to personal data.

5. Development and Approval Process for ISAs

Step 1: The need is identified for an ISA within a service, or to support a work area or project, and an author is identified.

Step 2: Draft an agreement to suit the service, or adapt a nationally provided model that reflects the requirements set out above.

Step 3: Ensure all agencies and departments support and understand the agreement.

Step 4: Seek advice as required from the CG and/or IG Lead.

Step 5: Obtain the formal approval and signatures from organisations and departments, depending on the information and functions involved.

Step 6: Pass a copy of the completed agreement to the IG Lead, who will ensure that it is publicly available as appropriate.

Page 43: INFORMATION GOVERNANCE POLICY · information governance, and monitoring developments in information governance. Ensuring maintenance of the information asset registers including portable

Page 43 of 187

Information Sharing Guide

[Flowchart. Starting point: you are asked or wish to share information. Decision points: Is there a statutory obligation for sharing the information? Is there a legitimate reason for sharing the information? Does the information enable a person to be identified (i.e. is it person identifiable data)? Can the information be anonymised or pseudonymised? Do you have consent*? Is there a legal basis** to share? Outcomes: Share the Information***; You can share; Do not share. In every case, record the information sharing decision and your reasons.]

Seek advice from your Caldicott Guardian if you are not sure what to do at any stage and ensure that the outcome of the discussion is recorded.

* See Glossary for definitions.
** Consult your Caldicott Guardian / IG Lead or DPO.
*** Unless there is a statutory obligation you will probably need an Information Sharing Agreement (see below for a template).


Information Sharing Agreement (ISA)

This Information Sharing Agreement (ISA) defines the arrangements for processing personal, identifiable information between NHS Doncaster Clinical Commissioning Group (CCG) and the organisation stated below.

Data Share Name/Identifier: (for example, Safe and Well)

Between: NHS Doncaster CCG (ICO Registration Number Z3624278) – Providing Information (Data flow)

And: Enter Organisation Name(s) and ICO Registration Number – Receiving Information (Data flow)

For what purpose is the information being shared?

Is there a Privacy Notice in place, covering the information to be shared?

Yes - please supply a copy

No – please consider the need to create a notice

Are you:

- Collecting new personal data items that have not been collected/shared before?
- Introducing new or changing identity authentication requirements which may be intrusive?
- Introducing new privacy invasive technologies?
- Updating current or providing new links with data in other collections?
- Changing the medium for publicly available information so that the data become more readily accessible?
- Converting transactions from anonymised/pseudonymised data to identifiable transactions?
- Changing a data delivery method in a way that may be unclear or intrusive?
- None of the above

If you have ticked any of the boxes above, the host organisation is required to update/amend its Privacy Notice.


Please provide details below:

What is the legal gateway for sharing? If relying on consent to share, please specify “Not applicable”.

A legal gateway is any piece of legislation which requires or allows the movement of information from one organisation to another. It may place a statutory duty on the organisation or confer powers exercised on behalf of the individuals concerned.

What information is being shared?

Personal

Special category

Criminal offence data

Statistical data

What is the lawful basis for processing (Article 6, GDPR)?

Not applicable (statistical data only)

Consent

Contractual necessity

Legal obligation

Vital interests

Public task

Legitimate interests

What is the lawful basis for processing (Article 9, GDPR)? Special category data only: race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sex life, and sexual orientation.

Not applicable (personal data or statistical data only)

Consent

Obligations in connection with employment

Vital interests

Legitimate activities of a not for profit body or association

Information has been made public by the data subject

Necessary in relation to legal rights

Necessary for public functions

Necessary for medical purposes

Necessary for reasons of public interest in the area of public health

Necessary for archiving purposes


What is the lawful basis for processing criminal offence data (Article 10, GDPR)? Criminal allegations, proceedings or convictions only.

Not applicable (personal data or special category data or statistical data only)

Legal authorisation

Official capacity

What are the benefits to sharing the information?

Which data fields/items will be shared? Please list, for example name, address, telephone number, date of birth, etc.

In what format is the data being transferred and how?

Electronic data – accessed on site by staff working for partner organisations

Electronic data – by email

Electronic data – via automated system to system

Electronic data – via manual system transfer

Electronic data – via text

Information delivered by voice

Paper – courier

Paper – hand delivered by data subject

Paper – hand delivered by staff

Paper – standard post

Paper – transferred by fax

Removable media – hand delivered by staff

Removable media – standard post

Further notes on the above:

What is the frequency of the transfer?

Instant

Daily

Weekly

Monthly


Quarterly

Annually

Ad hoc

Other – please specify:

Further notes on the above:

How many records are being transferred?

Who are the data subjects?

Where will the information be stored by the receiving organisation after transfer?

Server – personal or shared drive

Server – system on organisation premises

Off site server – UK based

Off site server – EEA based

Off site server – outside of EEA

Secure storage on organisations premises

Secure storage off organisations premises

Other – please specify:

Further notes on the above:

How will the information be secured by the receiving organisation?


Area access by key/key pad/access card

Password protection

Smartcard/system password

Other – please specify:

Further notes on the above:

How will the information be accessed by the receiving organisation?

Log book

Key allocation

Key issue log

System login

Other – please specify:

Further notes on the above:

Who will access the information being shared in the receiving organisation?

Employees – professional qualified staff

Employees – all staff

Volunteers

Third parties – other partners

Third parties – trusted partners

Other – please specify:

Further notes on the above:


How will the information be kept up to date and checked for accuracy and completeness by the providing organisation? Select all that apply.

Assurance in place (e.g. IGT, PSN)

Staff aware of responsibilities when working with data

Clear retention schedules

Integrity checks maintained

Other – please specify:

Further notes on the above:

Describe your management of the retention and disposal of data by the providing organisation: Select all that apply.

Assurance in place (e.g. IGT, PSN)

Policies and procedures in place which state/define retention schedules

Policies and procedures in place which state/define disposal methods and criteria

Other – please specify:

Further notes on the above:

Describe how the data controller (host organisation) deals with Subject Access Requests for individual records and how it rectifies, blocks, erases or destroys data as necessary on individual request or court order: Select all that apply.

Assurance in place (e.g. IGT, PSN)

Clearly defined procedures in place for Subject Access Requests for individuals

Clearly defined procedures in place to handle rectification and blocking of data

Other – please specify:


Further notes on the above:

Describe the receiving organisation's policies, processes and standard operating procedures: Select all that apply.

Assurance in place (e.g. IGT, PSN)

Clearly defined

Up-to-date

Readily available

Understandable (in plain English) for staff to use

Other – please specify:

Further notes on the above:

Describe the receiving organisation's management of incidents: Select all that apply.

Reviewed, including any root cause analysis and action plans

Other – please specify:

Further notes on the above:

Describe the receiving organisation's training for both the system and data: Select all that apply.

Assurance in place (e.g. IGT, PSN)

Users are aware of their responsibilities when using the asset

Regularly trained and tested on their understanding

Understand what to do in the event of a breach or incident

Other – please specify:


Further notes on the above:

Describe the receiving organisation's security of the asset: Select all that apply.

Assurance in place (e.g. IGT, PSN)

Secure storage (e.g. locked cabinet)

Secure connection (e.g. https)

Secure access (e.g. password protected)

Secure encrypted device (e.g. data stick)

Managed so only authorised persons can access and access routinely checked

Audit trail of interactions

Other – please specify:

Further notes on the above:

Describe the receiving organisation's business continuity arrangements: Select all that apply.

Assurance in place (e.g. IGT, PSN)

Clear business continuity arrangements

Users are aware of arrangements and appropriately trained

Regularly reviewed and updated (at least annually)

Other – please specify:

Further notes on the above:

Describe the receiving organisation's disaster recovery arrangements: Select all that apply.

Assurance in place (e.g. IGT, PSN)


Regularly reviewed and updated (at least annually)

Electronic systems form part of a disaster recovery testing regime and are regularly tested

Other – please specify:

Further notes on the above:

Does the third party/supplier agreement/contract(s) contain all the necessary Information Governance clauses regarding Data Protection and Freedom of Information?

Yes

No

Not applicable

Further notes on the above:

Review cycle:

1 year

2 years

3 years

Other – please specify:

Date of agreement:

Date review due:


CCG contact name:
Email address:
Phone number:
Role:
Signed:

XXX contact name:
Email address:
Phone number:
Role:
Signed:


RECORDS MANAGEMENT PROCEDURE


B - RECORDS MANAGEMENT PROCEDURE

1. Introduction

1.1. The organisation’s records are a corporate memory, providing evidence of actions and decisions and representing a vital asset to support daily functions and operations. They support policy formation and managerial decision-making, and protect the interests of the CCG and the rights of patients, staff and members of the public who have dealings with the organisation. They support consistency, continuity, efficiency and productivity and help us deliver our services in consistent and equitable ways.

1.2. In addition to legislative requirements the organisation is subject to monitoring of records management through a number of compliance tools including the DSPT.

1.3. The CCG is committed to openness and accountability and to ensuring that records are made publicly available where appropriate, but the organisation is equally committed to the principles of confidentiality of an individual’s information and the rights of privacy enshrined in the common law duties of confidentiality, the Caldicott Principles and current Data Protection Legislation.

1.4. The CCG is committed to a systematic and planned approach to the management of records within the organisation, from their creation to their ultimate disposal (information lifecycle) in accordance with relevant legislation. This will ensure that the organisation can control both the quality and quantity of the information that it generates, it can maintain that information in an effective manner and it can dispose of the information efficiently and securely when it is no longer required.

1.5. This Records Management Procedure aims to clearly describe the CCG’s approach to Records Management and provides the framework for developing good Records Management within the organisation to:

Ensure systems are in place to provide a robust structure for Records Management within the organisation leading to the CCG Governing Body.

Increase staff awareness of the issue of Records Management and the organisation’s requirements from creation to disposal.

Ensure legal obligations and national requirements are met.

Set out generic principles on specific aspects of records.

Ensure systems are in place to monitor and learn from Records Management incidents in accordance with the organisation’s Risk Management Policy and Procedure.

2. Accountability and Responsibilities

2.1. Overall accountability for Records Management lies with the Chief Officer who has overall responsibility for meeting all statutory requirements and adhering to guidance issued in respect of records management. The operational responsibility is delegated to the Head of Corporate Governance.

2.2. Ongoing monitoring of the procedure and other reported records management issues is the responsibility of the Audit Committee.

2.3. The CG oversees all aspects of Caldicott Guidance on Health and Social Care Records and has responsibility for approving and ensuring that national and local guidelines and procedures on the handling, sharing and management of confidential personal information are in place. The CG also oversees appropriate controls and procedures for the monitoring of databases (or spreadsheets) or software containing patient or staff identifiable information created by the CCG.

2.4. The Associate Director of HR and Corporate Services is the SIRO for the organisation and should be advised of any significant risks or incidents involving the security of data in manual or electronic format.

2.5. Each IAO is responsible for:

Maintaining professional standards according to best practice in liaison with staff working in the area.

Ensuring local application of guidelines including retention and disposal schedules and advising on disposal.

Determining the most effective ways of promoting the guidelines in their area eg. training, induction, team meetings etc.

Providing support and advice to staff in the area of Records Management with the assistance of the CG and Corporate Services.

Monitoring performance through quality control / periodic audits.

Ensuring compliance with the standards, legislation, policies and procedures relating to the management of records.

Identifying areas where improvements could be made.

Ensuring that staff complete relevant training on records management, confidentiality and data protection.

Reviewing / adopting tracking and registration systems for appropriate records in all areas.

Ensuring appropriate records are archived.

Ensuring that there is a mechanism for identifying records which must be kept for permanent preservation.

Ensuring the confidentiality, integrity and availability of all information that their system processes and protecting against any anticipated threats or hazards to the security or integrity of such information.

Undertaking information risk assessments on all information assets where they have been assigned ‘ownership’, following guidance from the SIRO on assessment method, format, content, and frequency – which is provided through the annual Data Assets and Flows update exercise.

Reporting security incidents and ensuring that the reports are fully documented, including the type of incident, and that countermeasures are put in place.

Reporting to the SIRO and ensuring that countermeasures are discussed and implemented in conjunction with security incidents.

Initiating the necessary disciplinary action through the HR Team if a member of staff is found to be disregarding procedures which could result in a security incident.

2.6. All Chiefs have a responsibility to ensure they are familiar with the Records Management procedure. Chiefs are also responsible for ensuring staff are familiar with and understand the procedure, receive training where required and are aware of any new procedures which impact upon their service area.

2.7. Line Managers’ Responsibilities - All line managers must ensure that their staff are adequately trained in records management issues and apply the appropriate guidelines.

2.8. Employees' Responsibilities - It is important to remember that record 'ownership' and copyright lie with the NHS organisation and not with an individual employee or contractor. However, each individual is responsible by law for the records they create or use and for the quality of record keeping.

2.9. When commissioning or developing new services the CCG’s staff must ensure that the management of records is considered from the outset of the project and that the arrangements and any performance management standards are clearly defined within specifications and contracts.

2.10. Staff will be made aware of Records Management Procedure updates as they occur via team meetings and emails from Corporate Services.

3. Types of Records

3.1. In the context of this procedure, a record is anything which contains information (in any media) which has been created or gathered as a result of any aspect of work of NHS employees. These may consist of:

Patient health records;

X-ray and imaging reports, output and images;

Photographs, slides, and other images;

Microform (i.e. microfiche / microfilm);

Audio and video tapes, USBs, CD-ROM, digital camera etc;

Emails and NHS emails;

Computerised records, databases, disks and all other electronic records;

Scanned records;

Text messages;

Diaries.

This list is not intended to be exhaustive but to give a broad indication of the range of items likely to constitute a record.


4. Record Creation

4.1. General Points

All CCG records should be created in Arial typeface (12 font) where a pre-existing bespoke system does not use an alternative.

The use of jargon or initials should be avoided where possible.

Access controls (who will be able to view the record) should be determined when files are created.

All records should include the CCG name or logo.

Text should not be ‘justified’ i.e. it should be aligned to the left hand side of the page.

All reviewed records eg. forms, policies etc. will include a version number to ensure that old versions are not accidentally used. The individual who ‘owns’ the record should retain all versions in case of future queries.

Referencing/Naming – each document or record should be referenced in a way which can be easily understood by others to help data retrieval at a later date.

Protective marking - Records may be classified into one of several categories, eg. draft, confidential – this should be noted on the folder or record where relevant to reduce the likelihood of confusion or accidental viewing. Consideration should be given when creating a record as to whether this should be published proactively on the organisation’s model FOIA publication scheme.

All formal documents should have page numbers in the format Page 1, 2, 3 etc of 25.

4.2. Templates for Meeting Papers, Letters and Faxes

Templates for Meeting Papers (formal minutes and agendas), letters and faxes will be available on the Shared Drive.

4.3. Email

All e-mails should have a subject heading that is relevant to the email but which does not contain personal or sensitive information. All email should include at the end a name, contact details and a standard confidentiality statement.

4.4. Leaflets and Information for the Public

These should follow the guidance in the organisation Communication Strategy and associated guidance.

4.5. Scanning Documents

Documents received in hard copy only may be scanned in using NHS Doncaster CCG approved equipment but must be saved as an image which can be retrieved through effective electronic filing systems. Documents must only be scanned in such a way as to provide an exact image of the original. Care should be taken when scanning records to ensure the image is readable and that the whole page has been scanned correctly. Provided quality checks are in place there is no need to retain the original paper record once the image has been completed. Where scanning is proposed, other factors to be taken into account include:

o The costs of the initial and then any later media conversion to the required standard, bearing in mind the length of the retention period for which the records are required to be kept.

o The need to consult in advance with the local Place of Deposit or The National Archives with regard to records which may have archival value, as the value may include the format in which it was created.

Before scanning a record you should consider who you may need to present the scanned documents to and whether they would accept scanned copies as evidence of a transaction. The following list provides further examples of when it may not be suitable to scan the record:

o Where the original copy of a record is poor quality and a legible image cannot be obtained.

o Where the original document contains physical amendments or annotations, or Tippex that cannot be identified on a scanned image.

o Where the record is regularly amended. It is unsuitable to scan a series of records which you are still adding to.

You should ALWAYS check the quality of the scanned copy before destroying the original document.

Scanner resolution is typically measured in dots per inch (dpi). The higher the resolution, the finer the detail captured. On the other hand, the higher the resolution the larger the file size. A balance needs to be achieved between detail and file size.

You should choose to scan all records to a Portable Document Format (PDF file). PDF files are non-editable, ensuring the authenticity of the record as it cannot be altered once it has been scanned. This is especially important if you are destroying the original paper record.

4.6. Records Filing

All records within a filing system should have an index. Records should be filed in an agreed order most appropriate to the class of record. File labels/titles should represent the titles given on the enclosed documents as far as possible. Acronyms and abbreviations should be avoided except where an explanation is clearly provided.


The file cover / folder should contain the date for destruction (if applicable) and/or any restrictions eg. ‘Private and Confidential’ to reduce the likelihood of accidental viewing.

4.7. Electronic Records

Records on shared servers (eg. S-drive) should be broken down into directorates and teams, then folders should be created with titles to represent the enclosed documents. The folder titles will be stored in alphabetical order automatically by the system. In this way, the paper filing system will be mirrored. Individual documents should be identifiable i.e. by subject/date/draft number.

All records which may need to be accessed by another member of staff should be stored in a shared area. If files are confidential, folders can have restricted access (by contacting the IT Helpdesk) so that only designated individuals can view these areas.

Any Personal Confidential Information that is received and stored on the network must be stored on a network drive securely and in a designated folder that has access restricted to only those who need to access the data in order to perform their role. This acts as a Safe Haven.

Safe Haven folders should have access restrictions imposed by the IT Helpdesk and the IT Helpdesk should be advised that access requests for that location must be approved by the relevant folder owner. Only personal information which will never be required by other members of staff should be stored on personal areas of the server (U:drives). Inappropriate storage of information on personal drives (U:drives) may lead to password sharing especially when members of staff are absent, which then allows access to all files in the personal drive. Any form of password sharing, except for some pre-agreed communal equipment, is a breach of this procedure and could result in disciplinary action.

It is important that all relevant emails are filed with the appropriate file on the corporate shared drive and not just kept in email in-box folders. This ensures an accurate record is available to anyone when the recipient is absent.

4.8. Records on CDs / floppy discs / Memory Sticks

Some areas may have electronic information on CDs / floppy discs / encrypted memory sticks. Appropriately named folders should be created and maintained in alphabetical order. The organisation provides encrypted memory sticks for use by staff and no other equipment should be used. The downloading of information to other types of portable media is actively discouraged and advice should be sought from the Corporate Services Team before any such action.


4.9. Photographs / Videos / CCTV

The organisation has collections of visual images – either as artistic images and still photographs (which may be prints, negatives, slides, transparencies, and electronic-readable images) or as moving images (film or video / CCTV).

In the case of photographs, the quality of image available from negatives or original prints should be considered and new prints may be made in cases where the original is deteriorating.

It should be ensured that a consent form is filled in where photographs / videos etc are taken of patients or members of the public, so they are aware of how their images will be used. Completed consent forms are held locally.

5. Records Storage, Maintenance and Tracking

5.1. General points

The organisation makes use of a separate storage area for long term records storage (archiving).

NHS Doncaster CCG has a shared documents folder for general viewing to reduce the incidence of duplicate copies being stored.

Paper records in current use should be stored close to the user for easy access eg. in their office. For records no longer in current use see the Records Retention Schedule.

All current records should be stored so that they are accessible and comply with security and health and safety requirements. Storage accommodation for current records should be clean and tidy, should prevent damage to the records and should provide a safe working environment for staff. For electronic records, maintenance in terms of back-up and planned migration to new platforms should be designed and scheduled to ensure continuing access to readable information.

There is a wide range of suitable office filing equipment available. The following factors should be taken into account:

o Compliance with Health and Safety regulations (must be the top priority)
o Security (especially for confidential material)
o The user’s needs
o Type(s) of records to be stored
o Their size and quantities
o Usage and frequency of retrievals
o Suitability, space efficiency and price.

5.2. Access to and Retrieval of Current Records

The guidelines contained within this procedure such as record creation and filing will aid record access/retrieval. It should be re-iterated at this point that only individuals with authorised access to the records should retrieve them.

5.3. Records Tracking

Any paper records owned by the organisation which are loaned to another person, department or external organisation must have a tracking system established eg. master copies of papers, library documents, HR / staffing files. The options for tracking are as follows:

Paper / Manual System

Tracer card - This consists of a standard tracer card which is kept with the file and contains information which allows it to be located at a later date if it is found to be missing. When a record is taken out, the individual must complete the date, the person who has removed the record, the Department and a telephone number. When the record is returned, the date of return should be completed.

A paper register – a book, diary, or index card to record transfers.

File “on loan” (library-type) cards for each absent file, held in alphabetical or numeric order.

Electronically operated tracking systems

An electronic system can drastically reduce the amount of paper generated, and therefore the volume of paper to be stored. Using an electronic tracking system rather than, for example, a card index, can be more efficient – speeding up information retrieval times, reducing misfiling, and avoiding the problems associated with the use of tracer cards.

A well thought-out tracking system – manual or electronic – should meet all user needs and be supported by adequate equipment. It should provide an up-to-date and easily accessible movement history and audit trail. The success of any tracking system depends on the people using it and therefore all staff must be made aware of its importance and given adequate training and updating.

5.4. Staff Records / Personal Confidential Data in Transit

If staff records or patient identifiable information is being delivered to another location they should be enclosed in envelopes or opaque wallets, marked confidential, and sealed for transfer. Any records that may be damaged in transit should be enclosed in suitable padding or containers.

For larger quantities, records should be boxed in suitable boxes or containers for their protection. Each box should be secured, addressed clearly and marked confidential with the sender’s name and address on the reverse of the box.

There are various options if records are to be mailed externally, such as recorded delivery, registered mail etc. When choosing options staff should consider the following:

o Will the records be protected from damage, unauthorised access or theft?
o Is the level of security offered appropriate to the degree of importance, sensitivity or confidentiality of the records?
o Does the mail provider offer ‘track and trace’ options and is a signature required on delivery?

For further advice please contact the CG or Corporate Services Team.

5.5. Taking records off site

Records should only ever be taken off site with the approval of the line manager. Security of these records should be paramount, especially in the case of confidential records. The CG can provide advice on the precautions to take.

Records should never be left unattended eg. on the back seat of a car. If the record is to be taken home, the record must be stored securely in accordance with the staff member’s Professional Code of Conduct and kept away from the base-point for the minimum length of time possible.

It is essential that any such records are tracked out of the department so that staff are aware of the location of the record.

6. Record Disclosure / Information Sharing

Access to records may be requested from different teams or different organisations. Where the information is confidential eg. staff or patient personal information or sensitive information it should be ensured that the person is authorised to receive the information. See Information Sharing Procedure or Access to Records Procedure for more information.

7. Records Retention and Disposal

7.1. General points

When a record is no longer in use or current, a decision must be made concerning its future. Certain types of records have a minimum retention period, so whether the record requires retention should first be determined by consulting the Records Retention Schedule appended to this procedure. Records which are not covered by these retention periods should be discussed locally, and whether or not the record should be retained should be agreed by a Senior Manager with the assistance of the Caldicott Guardian. If retention is not required, the record can be securely destroyed. If retention is required, the options for long term storage should be considered, eg. the organisation’s archiving system. The alert mechanism for ensuring records are not destroyed should also be determined, eg. clear labelling.

Staff should be aware that the minimum retention periods apply to both paper and computerised records, though extra care needs to be taken to ensure there is no corruption or deterioration of electronic data. For example, emails concerning the subjects covered in the Records Retention Schedule appended to this procedure should be subject to the same retention period as a manual record.

7.2. Long-term Storage / Archiving

The following issues should be considered when deciding whether or not to use the archiving facility:

o If the record will foreseeably need retrieving in the future, the archiving facility may not be the best option as there are cost and time delay implications.

o The records will need boxing and labelling with the contents and disposal date.

o If the archiving facility is inappropriate, records can be stored locally in departments. Records which are stored locally should be clearly labelled with disposal dates (if known), eg. on the file cover, so they are not accidentally disposed of.

7.3. Transferring Records

There are occasions when non-current records need to be passed on to other NHS organisations, which disposes of the record from this organisation's perspective. Details of any such movement of records must be retained.

7.4. Destroying Records

Records which are due to be destroyed but are the subject of a FOIA 2000 or EIR 2004 request and / or a current complaint or litigation enquiry should be retained. Destruction should be delayed until disclosure has taken place or, if the organisation has decided not to disclose the information, until the complaint and appeals provisions of the legislation have been exhausted or the legal process completed.

A large number of NHS records contain sensitive or confidential information. It is therefore vital that confidentiality is safeguarded at every stage and that the method used to destroy such records is fully effective and secures their complete illegibility. Normally this will involve shredding, pulping, or incineration. Floppy disks / CDs / backup tapes / audio tapes / memory sticks holding person identifiable information must be reformatted with a random pattern to ensure data cannot be recovered, or they must be physically destroyed.

A record or brief description, including any reference and the date of destruction, must be kept of any record that has been destroyed after being retained for the appropriate period. Further guidance should be sought from the Corporate Services Team if required.

If records are inappropriately or unlawfully destroyed, the Incident Management Policy should be followed. If the records were electronic, the relevant back-up facilities should be utilised.

Confidential material designated for shredding should not be kept unsecured in any areas.

8. Appendices

8.1. The appendices to this procedure consist of:

Detailed Records Retention Schedule

Archiving Flowchart

Page 66: INFORMATION GOVERNANCE POLICY · information governance, and monitoring developments in information governance. Ensuring maintenance of the information asset registers including portable

Page 66 of 187

Records Management Appendix 1

Records Retention Schedule

Below are some key principles to consider when archiving and retaining hardcopy and electronic documents. Please read the principles in conjunction with the archiving flowchart.

1. The Chair / Administrator of a meeting is required to take responsibility for archiving the agenda, minutes, papers and terms of reference. Attendees do not have responsibility to retain their copies.

2. Only documents which fall under the Records Retention Schedule need to be retained and/or archived.

3. If a document is available electronically, you do not need to archive a hardcopy – place the e-file to be archived in an e-folder named “Archive” and include a destruction date with each one in line with the Records Retention Schedule.

4. All archived items require a destruction date in line with the Records Retention Schedule.

5. CCG administrative records containing individual patient identifiable clinical information around treatments, choose and book, referrals, continuing care etc. will be classed as health and care records for retention under the appropriate schedule.

6. The Records Retention Schedule sets out in detail the records to be held by the CCG and the minimum retention periods. This is not a comprehensive list and, if in doubt, it should be read in conjunction with the Records Management Code of Practice for Health and Social Care 2016. Further advice is available from the Head of Corporate Governance. Typical retention periods for frequently archived items are detailed overleaf.


Typical retention periods for frequently archived items are detailed below.

| Broad descriptor | Record Type | Retention Start | Retention period | Action at end of retention period | Notes |
|---|---|---|---|---|---|
| Care Records with standard retention periods | Adult health records not covered by any other section in this schedule | Discharge or patient last seen | 8 years | Review and if no longer needed destroy | Basic health and social care retention period - check for any other involvements that could extend the retention. All must be reviewed prior to destruction taking into account any serious incident retentions. This includes medical illustration records such as X-rays and scans as well as video and other formats. |
| Care Records with standard retention periods | Adult social care records | End of care or client last seen | 8 years | Review and if no longer needed destroy | |
| Care Records with standard retention periods | General Dental Services records | Discharge or patient last seen | 10 years | Review and if no longer needed destroy | |
| Care Records with standard retention periods | Children’s records including midwifery, health visiting and school nursing | Discharge or patient last seen | 25th or 26th birthday (see Notes) | Review and if no longer needed destroy | Basic health and social care retention requirement is to retain until the 25th birthday or, if the patient was 17 at the conclusion of the treatment, until their 26th birthday. Check for any other involvements that could extend the retention. All must be reviewed prior to destruction taking into account any serious incident retentions. This includes medical illustration records such as X-rays and scans as well as video and other formats. |
| Care Records with standard retention periods | Electronic Patient Records System | See Notes | See Notes | Destroy | Where the electronic system has the capacity to destroy records in line with the retention schedule, and where a metadata stub can remain demonstrating that a record has been destroyed, then the Code should be followed in the same way for electronic records as for paper records, with a log being kept of the records destroyed. If the system does not have this capacity, then once the records have reached the end of their retention periods they should be made inaccessible to users of the system and, upon decommissioning, the system (along with audit trails) should be retained for the retention period of the last entry related to the schedule. |
| Care Records with standard retention periods | Obstetric records, maternity records and antenatal and postnatal records | Discharge or patient last seen | 25 years | Review and if no longer needed destroy | For the purposes of record keeping these records are to be considered as much a record of the child as of the mother. |
| Care Records with standard retention periods | GP Patient records | Death of Patient | 10 years after death (see Notes for exceptions) | Review and if no longer needed destroy | If a new provider requests the records, these are transferred to the new provider to continue care. If there is no request to transfer: 1. Where the patient does not come back to the practice and the records are not transferred to a new provider, the record must be retained for 100 years unless it is known that they have emigrated. 2. Where a patient is known to have emigrated, records may be reviewed and destroyed after 10 years. 3. If the patient comes back within the 100 years, the retention reverts to 10 years after death. |
| Care Records with standard retention periods | Mental Health records | Discharge or patient last seen | 20 years or 8 years after the patient has died | Review and if no longer needed destroy | Covers records made where the person has been cared for under the Mental Health Act 1983 as amended by the Mental Health Act 2007. This includes psychology records. Retention for any person who has been sectioned under the Mental Health Act 1983 must be considerably longer than 20 years where the case may be ongoing. Very mild forms of adult mental health condition treated in a community setting where a full recovery is made may be treated as adult records and kept for 8 years after discharge. All must be reviewed prior to destruction taking into account any serious incident retentions. |
| Care Records with Non-Standard Retention Periods | Cancer/Oncology - the oncology records of any patient | Diagnosis of cancer | 30 years or 8 years after the patient has died | Review and consider transfer to a Place of Deposit | For the purposes of clinical care the diagnosis records of any cancer must be retained in case of future recurrence. Where the oncology records are in a main patient file the entire file must be retained. Retention is applicable to the primary acute patient record of the cancer diagnosis and treatment only. If this is part of a wider patient record then the entire record may be retained. Any oncology records must be reviewed prior to destruction taking into account any potential long term research value, which may require consent or anonymisation of the record. |
| Care Records with Non-Standard Retention Periods | Contraception, sexual health, Family Planning and Genito-Urinary Medicine (GUM) | Discharge or patient last seen | 8 or 10 years (see Notes) | Review and if no longer needed destroy | Basic retention requirement is 8 years unless there is an implant or device inserted, in which case it is 10 years. All must be reviewed prior to destruction taking into account any serious incident retentions. If this is a record of a child, treat as a child record as above. |
| Care Records with Non-Standard Retention Periods | HFEA records of treatment provided in licenced treatment centres | | 3, 10, 30, or 50 years | Review and if no longer needed destroy | Retention periods are set out in the HFEA guidance at: http://www.hfea.gov.uk/docs/General_directions_0012.pdf |
| Care Records with Non-Standard Retention Periods | Medical record of a patient with Creutzfeldt-Jakob Disease (CJD) | Diagnosis | 30 years or 8 years after the patient has died | Review and consider transfer to a Place of Deposit | For the purposes of clinical care the diagnosis records of CJD must be retained. Where the CJD records are in a main patient file the entire file must be retained. All must be reviewed prior to destruction taking into account any serious incident retentions. |
| Care Records with Non-Standard Retention Periods | Record of long term illness or an illness that may reoccur | Discharge or patient last seen | 30 years or 8 years after the patient has died | Review and if no longer needed destroy | Necessary for continuity of clinical care. The primary record of the illness and course of treatment must be kept where the illness may recur or is a lifelong illness. |
| Pharmacy | Information relating to controlled drugs | Creation | See Notes | Review and if no longer needed destroy | NHS England and NHS BSA guidance for controlled drugs can be found at: http://www.nhsbsa.nhs.uk/PrescriptionServices/1120.aspx and https://www.england.nhs.uk/wp-content/uploads/2013/11/som-cont-drugs.pdf The Medicines, Ethics and Practice (MEP) guidance can be found at the following link (subscription required): http://www.rpharms.com/support/mep.asp#new Guidance from NHS England is that locally held controlled drugs information should be retained for 7 years. NHS BSA will hold primary data for 20 years and then review. NHS East and South East Specialist Pharmacy Services have prepared pharmacy records guidance including a specialised retention schedule for pharmacy. Please see: http://www.medicinesresources.nhs.uk/en/Communities/NHS/SPS-E-and-SE-England/Reports-Bulletins/Retention-of-pharmacy-records/ |
| Pharmacy | Pharmacy prescription records (see also Controlled Drugs) | Discharge or patient last seen | 2 years | Review and if no longer needed destroy | See also 'Controlled Drugs'. There will also be an entry in the patient record and a record held by the NHS Business Services Authority. NHS East and South East Specialist Pharmacy Services have prepared pharmacy records guidance including a specialised retention schedule for pharmacy. Please see: http://www.medicinesresources.nhs.uk/en/Communities/NHS/SPS-E-and-SE-England/Reports-Bulletins/Retention-of-pharmacy-records/ |
| Pathology | Pathology Reports/Information about Specimens and samples | Specimen or sample is destroyed | See Notes | Review and consider transfer to a Place of Deposit | This Code is concerned with the information about a specimen or sample. The length of storage of the clinical material will drive the length of time the information about it is to be kept. For more details please see: https://www.rcpath.org/resourceLibrary/the-retention-and-storage-of-pathological-records-and-specimens--5th-edition-.html Retention of samples for clinical purposes can be for as long as there is a clinical need to hold the specimen or sample. Reports should be stored on the patient file. It is common for pathologists to hold duplicate reports. For clinical purposes this is 8 years after the patient is discharged for an adult, or until a child's 25th birthday, whichever is the longer. After 20 years for adult records there must be an appraisal as to the historical importance of the information and a decision made as to whether they should be destroyed or kept for archival value. |
| Event & Transaction Records | Blood bank register | Creation | 30 years minimum | Review and consider transfer to a Place of Deposit | |
| Event & Transaction Records | Clinical Audit | Creation | 5 years | Review and if no longer needed destroy | |
| Event & Transaction Records | Chaplaincy records | Creation | 2 years | Review and consider transfer to a Place of Deposit | See also Corporate Retention. |
| Event & Transaction Records | Clinical Diaries | End of the year to which they relate | 2 years | Review and if no longer needed destroy | Diaries of clinical activity & visits must be written up and transferred to the main patient file. If the information is not transferred the diary must be kept for 8 years. |
| Event & Transaction Records | Clinical Protocols | Creation | 25 years | Review and consider transfer to a Place of Deposit | Clinical protocols may have archival value. They may also be routinely captured in clinical governance meetings which may form part of the permanent record (see Corporate Records). |
| Event & Transaction Records | Equipment maintenance logs | Decommissioning of the equipment | 11 years | Review and consider transfer to a Place of Deposit | |
| Event & Transaction Records | Datasets released by NHS Digital under a data sharing agreement | Date specified in the data sharing agreement | Delete with immediate effect | Delete according to NHS Digital instruction | http://www.hscic.gov.uk/media/15729/DARS-Data-Sharing-Agreement/pdf/Data_Sharing_Agreement_2015v2%28restricted_editing%29.pdf |
| Event & Transaction Records | Destruction Certificates or Electronic Metadata destruction stub or record of clinical information held on destroyed physical media | Destruction of record or information | 20 years | Review and consider transfer to a Place of Deposit | Destruction certificates created by public bodies are not covered by an instrument of retention and, if a Place of Deposit or the National Archives do not class them as a record of archival importance, they are to be destroyed after 20 years. |
| Event & Transaction Records | General Ophthalmic Services patient records related to NHS financial transactions | Discharge or patient last seen | 6 years | Review and if no longer needed destroy | |
| Event & Transaction Records | GP temporary resident forms | After treatment | 2 years | Review and if no longer needed destroy | Assumes a copy is sent to the responsible GP for inclusion in the primary care record. |
| Event & Transaction Records | Inspection of equipment records | Decommissioning of equipment | 11 years | Review and if no longer needed destroy | |
| Event & Transaction Records | Notifiable disease book | Creation | 6 years | Review and if no longer needed destroy | |
| Event & Transaction Records | Operating theatre records | End of year to which they relate | 10 years | Review and consider transfer to a Place of Deposit | If transferred to a place of deposit the duty of confidence continues to apply, and the records can only be used for research if the patient has consented or the record is anonymised. |
| Event & Transaction Records | Patient Property Books | End of the year to which they relate | 2 years | Review and if no longer needed destroy | |
| Event & Transaction Records | Referrals not accepted | Date of rejection | 2 years as an ephemeral record | Review and if no longer needed destroy | The rejected referral to the service should also be kept on the originating service file. |
| Event & Transaction Records | Requests for funding for care not accepted | Date of rejection | 2 years as an ephemeral record | Review and if no longer needed destroy | |
| Event & Transaction Records | Screening, including cervical screening, information where no cancer/illness is detected | Creation | 10 years | Review and if no longer needed destroy | Where cancer is detected see Cancer / Oncology above. For child screening treat as a child health record and retain until the 25th birthday or 10 years after the child has been screened, whichever is the longer. |
| Event & Transaction Records | Smoking cessation | Closure of 12 week quit period | 2 years | Review and if no longer needed destroy | |
| Event & Transaction Records | Transplantation Records | Creation | 30 years | Review and consider transfer to a Place of Deposit | See guidance at: https://www.hta.gov.uk/codes-practice |
| Event & Transaction Records | Ward handover sheet | Date of handover | 2 years | Review and if no longer needed destroy | This retention relates to the ward. The individual sheets held by staff must be destroyed confidentially at the end of the shift. |
| Telephony Systems & Services (999 phone numbers, 111 phone numbers, ambulance, out of hours, single point of contact call centres) | Recorded conversation which may later be needed for clinical negligence purposes | Creation | 3 years | Review and if no longer needed destroy | The period of time cited by the NHS Litigation Authority is 3 years. |
| Telephony Systems & Services (999 phone numbers, 111 phone numbers, ambulance, out of hours, single point of contact call centres) | Recorded conversation which forms part of the health record | Creation | Store as a health record | Review and if no longer needed destroy | It is advisable to transfer any relevant information into the main record through transcription or summarisation. Call handlers may perform this task as part of the call. Where it is not possible to transfer clinical information from the recording to the record, the recording must be considered as part of the record and be retained accordingly. |
| Telephony Systems & Services (999 phone numbers, 111 phone numbers, ambulance, out of hours, single point of contact call centres) | The telephony systems record (not recorded conversations) | Creation | 1 year | Review and if no longer needed destroy | This is the absolute minimum specified to meet the NHS contractual requirement. |
| Births, Deaths & Adoption Records | Birth Notification to Child Health | Receipt by Child Health department | 25 years | Review and if no longer needed destroy | Treat as part of the child's health record if not already stored within a health record such as the health visiting record. |
| Births, Deaths & Adoption Records | Birth Registers | Creation | 2 years | Review and actively consider transfer to a Place of Deposit | Where registers of all the births that have taken place in a particular hospital/birth centre exist, these will have archival value and should be retained for 25 years and offered to a Place of Deposit at the end of this retention period. Information is also held in the NHS Number for Babies (NN4B) electronic system and by the Office for National Statistics. Other information about a birth must be recorded in the care record. |
| Births, Deaths & Adoption Records | Body Release Forms | Creation | 2 years | Review and consider transfer to a Place of Deposit | |
| Births, Deaths & Adoption Records | Death - cause of death certificate counterfoil | Creation | 2 years | Review and consider transfer to a Place of Deposit | |
| Births, Deaths & Adoption Records | Death register information sent to the General Registry Office on a monthly basis | Creation | 2 years | Review and consider transfer to a Place of Deposit | A full dataset is available from the Office for National Statistics. |
| Births, Deaths & Adoption Records | Local Authority Adoption Record (normally held by the Local Authority children's services) | Creation | 100 years from the date of the adoption order | Review and consider transfer to a Place of Deposit | The primary record of the adoption process is held by the local authority children's service responsible for the adoption service. |
| Births, Deaths & Adoption Records | Mortuary Records of deceased | End of year to which they relate | 10 years | Review and consider transfer to a Place of Deposit | |
| Births, Deaths & Adoption Records | Mortuary register | Creation | 10 years | Review and consider transfer to a Place of Deposit | |
| Births, Deaths & Adoption Records | NHS Medicals for Adoption Records | Creation | 8 years or 25th birthday | Review and consider transfer to a Place of Deposit | The health reports will feed into the primary record held by Local Authority Children’s services. This means that the adoption records held in the NHS relate to reports that are already kept in another file, which is kept for 100 years by the appropriate agency and local authority. |
| Births, Deaths & Adoption Records | Post Mortem Records | Creation | 10 years | Review and if no longer needed destroy | The primary post mortem file will be maintained by the coroner. The coroner will retain the post mortem file including the report. Local records of post mortem will not need to be kept for the same extended time. |
| Clinical Trials & Research | Advanced Medical Therapy Research Master File | Closure of research | 30 years | Review and consider transfer to a Place of Deposit | See guidance at: https://www.gov.uk/guidance/advanced-therapy-medicinal-products-regulation-and-licensing For clinical trials record retention please see the MHRC guidance at: https://www.gov.uk/guidance/good-clinical-practice-for-clinical-trials |
| Clinical Trials & Research | Clinical Trials Master File of a trial authorised under the European portal under Regulation (EU) No 536/2014 | Closure of trial | 25 years | Review and consider transfer to a Place of Deposit | For details see: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2014.158.01.0001.01.ENG |
| Clinical Trials & Research | European Commission Authorisation (certificate or letter) to enable marketing and sale within the EU member states area | Closure of trial | 15 years | Review and consider transfer to a Place of Deposit | http://ec.europa.eu/health/files/eudralex/vol-2/a/vol2a_chap1_2013-06_en.pdf |
| Clinical Trials & Research | Research data sets | End of research | Not more than 20 years | Review and consider transfer to a Place of Deposit | http://tools.jiscinfonet.ac.uk/downloads/bcs-rrs/managing-research-records.pdf |
| Clinical Trials & Research | Research Ethics Committee’s documentation for research proposal | End of research | 5 years | Review and consider transfer to a Place of Deposit | For details see: http://www.hra.nhs.uk/resources/research-legislation-and-governance/governance-arrangements-for-research-ethics-committees/ Data must be held for sufficient time to allow any questions about the research to be answered. Depending on the type of research, the data may not need to be kept once the purpose has expired. For example, data used for passing an academic exam may be destroyed once the exam has been passed and there is no further academic need to hold the data. For more significant research a place of deposit may be interested in holding the research. It is best practice to consider this at the outset of research, as orphaned personal data can inadvertently cause a data breach. |
| Clinical Trials & Research | Research Ethics Committee’s minutes and papers | Year to which they relate | Before 20 years | Review and consider transfer to a Place of Deposit | Committee papers must be transferred to a place of deposit as a public record: http://www.hra.nhs.uk/resources/research-legislation-and-governance/governance-arrangements-for-research-ethics-committees/ |
| Corporate Governance | Board Meetings | Creation | Before 20 years but as soon as practically possible | Transfer to a Place of Deposit | |
| Corporate Governance | Board Meetings (Closed Boards) | Creation | May retain for 20 years | Transfer to a Place of Deposit | Although they may contain confidential or sensitive material they are still a public record and must be transferred at 20 years, with any FOI exemptions noted or duty of confidence indicated. |
| Corporate Governance | Chief Executive records | Creation | May retain for 20 years | Transfer to a Place of Deposit | This may include emails and correspondence where they are not already included in the board papers and they are considered to be of archival interest. |
| Corporate Governance | Committees listed in the Scheme of Delegation or that report into the Board, and major projects | Creation | Before 20 years but as soon as practically possible | Transfer to a Place of Deposit | |
| Corporate Governance | Committees / Groups / Sub-committees not listed in the Scheme of Delegation | Creation | 6 years | Review and if no longer needed destroy | Includes minor meetings/projects and departmental business meetings. |
| Corporate Governance | Incidents (not serious) | Date of Incident | 10 years | Review and if no longer needed destroy | |
| Corporate Governance | Destruction Certificates or Electronic Metadata destruction stub or record of information held on destroyed physical media | Destruction of record or information | 20 years | Consider transfer to a Place of Deposit and if no longer needed destroy | The Public Records Act 1958 limits the holding of records to 20 years unless there is an instrument issued by the Minister with responsibility for administering the Public Records Act 1958. If records are not excluded by such an instrument they must either be transferred to a place of deposit as a public record or destroyed 20 years after the record has been closed. |
| Corporate Governance | Incidents (serious) | Date of Incident | 20 years | Review and consider transfer to a Place of Deposit | |
| Corporate Governance | Non-Clinical Quality Assurance Records | End of year to which the assurance relates | 12 years | Review and if no longer needed destroy | |
| Corporate Governance | Patient Advice and Liaison Service (PALS) records | Close of financial year | 10 years | Review and if no longer needed destroy | |
| Corporate Governance | Policies, strategies and operating procedures including business plans | Creation | Life of organisation plus 6 years | Review and consider transfer to a Place of Deposit | |
| Communications | Intranet site | Creation | 6 years | Review and consider transfer to a Place of Deposit | |
| Communications | Patient information leaflets | End of use | 6 years | Review and consider transfer to a Place of Deposit | |
| Communications | Press releases and important internal communications | Release Date | 6 years | Review and consider transfer to a Place of Deposit | Press releases may form a significant part of the public record of an organisation, which may need to be retained. |
| Communications | Public consultations | End of consultation | 5 years | Review and consider transfer to a Place of Deposit | |
| Communications | Website | Creation | 6 years | Review and consider transfer to a Place of Deposit | |
| Staff Records & Occupational Health | Duty Roster | Close of financial year | 6 years | Review and if no longer needed destroy | |
| Staff Records & Occupational Health | Exposure Monitoring information | Monitoring ceases | 40 years / 5 years from the date of the last entry made in it | Review and if no longer needed destroy | A) Where the record is representative of the personal exposures of identifiable employees, for at least 40 years; or B) in any other case, for at least 5 years. |
| Staff Records & Occupational Health | Occupational Health Reports | Staff member leaves | Keep until 75th birthday or 6 years after the staff member leaves, whichever is sooner | Review and if no longer needed destroy | |
| Staff Records & Occupational Health | Timesheets (original record) | Creation | 2 years | Review and if no longer needed destroy | |
| Staff Records & Occupational Health | Occupational Health Report of Staff member under health surveillance | Staff member leaves | | | |

Keep until 75th birthday

Review and if no longer needed destroy

Staff Records & Occupational Health

Occupational Health Report of Staff member under health surveillance where they have been subject to radiation doses

Staff member leaves

50 years from the date of the last entry or until 75th birthday, whichever is longer

Review and if no longer needed destroy

Staff Records & Occupational Health

Staff Record Staff member leaves

Keep until 75th birthday (see Notes)

Create Staff Record Summary then review or destroy the main file.

This includes (but is not limited to) evidence of right to work, security checks and recruitment documentation for the successful candidate including job adverts and application forms. May be destroyed 6 years after the staff member leaves or the 75th birthday, whichever is sooner, if a summary has been made.

Staff Records & Occupational Health

Staff Record Summary

6 years after the staff member leaves

75th Birthday

Place of Deposit should be offered for continued retention or Destroy

Please see page 36 for an example of a Staff Record Summary used by an organisation.

Page 84: INFORMATION GOVERNANCE POLICY · information governance, and monitoring developments in information governance. Ensuring maintenance of the information asset registers including portable

Page 84 of 187

Staff Records & Occupational Health

Staff Training records

Creation See Notes

Review and consider transfer to a Place of Deposit

Records of significant training must be kept until 75th birthday or 6 years after the staff member leaves. It can be difficult to categorise staff training records as significant as this can depend upon the staff member’s role. The IGA recommends: 1 Clinical training records - to be retained until 75th birthday or six years after the staff member leaves, whichever is the longer2 Statutory and mandatory training records - to be kept for ten years after training completed3Other training records - keep for six years after training completed.

Procurement Contracts sealed or unsealed

End of contract

6 years

Review and if no longer needed destroy

Procurement Contracts - financial approval files

End of contract

15 years

Review and if no longer needed destroy

Procurement Contracts - financial approved suppliers documentation

When supplier finishes work

11 years

Review and if no longer needed destroy

Procurement Tenders (successful)

End of contract

6 years

Review and if no longer needed destroy

Procurement Tenders (unsuccessful)

Award of tender

6 years

Review and if no longer needed destroy

Page 85: INFORMATION GOVERNANCE POLICY · information governance, and monitoring developments in information governance. Ensuring maintenance of the information asset registers including portable

Page 85 of 187

Estates Building plans and records of major building work

Completion of work

Lifetime of the building or disposal of asset plus six years

Review and consider transfer to a Place of Deposit

Building plans and records of works are potentially of historical interest and where possible be kept and transferred to a place of deposit

Estates Minor building works Completion of work

retain for 6 years

Review and if no longer needed destroy

Estates CCTV See ICO Code of Practice

Review and if no longer needed destroy

ICO Code of Practice: https://ico.org.uk/media/for-organisations/documents/1542/cctv-code-of-practice.pdf The length of retention must be determined by the purpose for which the CCTV has been deployed. The recorded images will only be retained long enough for any incident to come to light (e.g. for a theft to be noticed) and the incident to be investigated.

Estates

Equipment monitoring and testing and maintenance work where asbestos is a factor

Completion of monitoring or test

40 years

Review and if no longer needed destroy

Estates

Equipment monitoring and testing and maintenance work

Completion of monitoring or test

10 years

Review and if no longer needed destroy

Estates Inspection reports End of lifetime of installation

Lifetime of installation

Review

Page 86: INFORMATION GOVERNANCE POLICY · information governance, and monitoring developments in information governance. Ensuring maintenance of the information asset registers including portable

Page 86 of 187

Estates Leases Termination of lease

12 years

Review and if no longer needed destroy

Estates

Photographic collections of service locations and events and activities

Close of collection

Retain for not more than 20 years

Consider transfer to a place of deposit

The main reason for maintaining photographic collections is for historical legacy of the running and operation of an organisation. However, photographs may have subsidiary uses for legal enquiries.

Estates Radioactive Waste Creation 30 years

Review and if no longer needed destroy

Estates

Sterilix Endoscopic Disinfector Daily Water Cycle Test, Purge Test, Nynhydrin Test

Date of test 11 years

Review and if no longer needed destroy

Estates Surveys

End of lifetime of installation or building

Lifetime of installation or building

Review and consider transfer to Place of Deposit

Finance Accounts Close of financial year

3 years

Review and if no longer needed destroy

Includes all associated documentation and records for the purpose of audit as agreed by auditors

Finance Benefactions End of financial year

8 years

Review and consider transfer to Place of Deposit

These may already be in the financial accounts and may be captured in other records/reports or committee papers. Where benefactions endowment trust fund/legacies - permanent retention.

Page 87: INFORMATION GOVERNANCE POLICY · information governance, and monitoring developments in information governance. Ensuring maintenance of the information asset registers including portable

Page 87 of 187

Finance Debtor records cleared

Close of financial year

2 years

Review and if no longer needed destroy

Finance Debtor records not cleared

Close of financial year

6 years

Review and if no longer needed destroy

Finance Donations Close of financial year

6 years

Review and if no longer needed destroy

Finance Expenses Close of financial year

6 years

Review and if no longer needed destroy

Finance Final annual accounts report

Creation Before 20 years

Transfer to place of deposit if not transferred with the board papers

Should be transferred to a place of deposit as soon as practically possible

Finance Financial records of transactions

End of financial year

6 Years

Review and if no longer needed destroy

Finance Petty cash End of financial year

2 Years

Review and if no longer needed destroy

Page 88: INFORMATION GOVERNANCE POLICY · information governance, and monitoring developments in information governance. Ensuring maintenance of the information asset registers including portable

Page 88 of 187

Finance Private Finance initiative (PFI) files

End of PFI Lifetime of PFI

Review and consider transfer to Place of Deposit

Finance Salaries paid to staff Close of financial year

10 Years

Review and if no longer needed destroy

Finance Superannuation records

Close of financial year

10 Years

Review and if no longer needed destroy

Legal, Complaints & information Rights

Complaints case file Closure of incident (see Notes)

10 years

Review and if no longer needed destroy

http://www.nationalarchives.gov.uk/documents/information-management/sched_complaints.pdf The incident is not closed until all subsequent processes have ceased including litigation. The file must not be kept on the patient file. A separate file must always be maintained.

Legal, Complaints & information Rights

Fraud case files Case closure

6 years

Review and if no longer needed destroy

Legal, Complaints & information Rights

Freedom of Information (FOI) requests and responses and any associated correspondence

Closure of FOI request

3 years

Review and if no longer needed destroy

Where redactions have been made it is important to keep a copy of the redacted disclosed documents or if not practical to keep a summary of the redactions.

Page 89: INFORMATION GOVERNANCE POLICY · information governance, and monitoring developments in information governance. Ensuring maintenance of the information asset registers including portable

Page 89 of 187

Legal, Complaints & information Rights

FOI requests where there has been a subsequent appeal

Closure of appeal

6 years

Review and if no longer needed destroy

Legal, Complaints & information Rights

Industrial relations including tribunal case records

Close of financial year

10 Years

Review and consider transfer to a Place of Deposit

Some organisations may record these as part of the staff record but in most cases they will form a distinct separate record either held by the staff member/manager or by the payroll team for processing.

Legal, Complaints & information Rights

Litigation records Closure of case

10 years

Review and consider transfer to a Place of Deposit

Legal, Complaints & information Rights

Patents / trademarks / copyright / intellectual property-

End of lifetime of patent or termination of licence / action

Lifetime of patent or 6 years from end of licence /action

Review and consider transfer to Place of Deposit

Legal, Complaints & information Rights

Software licences End of lifetime of software

Lifetime of software

Review and if no longer needed destroy

Legal, Complaints & information Rights

Subject Access Requests (SAR) and disclosure correspondence

Closure of SAR

3 Years

Review and if no longer needed destroy

Legal, Complaints & information Rights

Subject access requests where there has been a subsequent appeal

Closure of appeal

6 Years

Review and if no longer needed destroy


Records Management Appendix 2: Archiving Flowchart

1. Do you need to keep the document? (Please refer to the Record Retention Schedule. Only retain documents for which you are the lead, e.g. not for meetings you have attended but not chaired/administered.)
   No: DO NOT ARCHIVE THE DOCUMENT.
   Yes: go to step 2.

2. Is the document available electronically?
   Yes: PUT THE DOCUMENT IN AN ELECTRONIC FOLDER WITH A DESTRUCTION DATE IN THE TITLE (ACCORDING TO THE RETENTION SCHEDULE) and DESTROY THE ORIGINAL PAPER VERSION APPROPRIATELY.
   No: go to step 3.

3. Can the document be scanned?
   Yes: scan the document, then put it in an electronic folder with a destruction date in the title (according to the Retention Schedule) and destroy the original paper version appropriately.
   No: ARCHIVE THE DOCUMENT:
      - Complete the Archive Facility Form and return it to the Corporate Governance Manager.
      - Set the retention period as per the Retention Schedule.
      - Fill an archiving box. NB: do not include plastic sleeves, card folders or file holders of any description; separate any batches with elastic bands or a sheet of paper.
      - Do not include any publications or documents that can be downloaded from the internet.
      - Batch together in one box documents that can be destroyed at a similar time.
      - Ensure each box is full to capacity. Ensure that all boxes have a destruction date and, if relevant, an accompanying spreadsheet with the detail of what the box contains.


SUBJECT ACCESS REQUESTS - ACCESS TO PERSONAL DATA UNDER THE CURRENT DATA PROTECTION LEGISLATION AND ACCESS TO HEALTH RECORDS ACT 1990 PROCEDURE


C - ACCESS TO DATA UNDER THE CURRENT DATA PROTECTION LEGISLATION AND ACCESS TO HEALTH RECORDS ACT 1990 PROCEDURE

1. Right of Access to Personal Data

1.1. Individuals have a right to access their personal data. This is often referred to as 'the right of subject access', and individuals may exercise the right by making a written 'Subject Access Request' (SAR).

1.2. For information to be personal data, it must relate to a living individual and allow that individual to be identified from it (either on its own or along with other information likely to come into the organisation’s possession).

1.3. Organisations are not permitted to insist on the use of a particular form for making a SAR, but we do make a form available to assist requesters to provide the information that we need to deal with their request (appended to this procedure and available on our website).

1.4. Subject access is most often used by individuals who want to see a copy of the information an organisation holds about them. However, subject access goes further than this, and an individual is entitled to be:

• told whether any personal data is being processed;
• given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people;
• given a copy of the personal data; and
• given details of the source of the data (where this is available).

1.5. An individual can also request information about the reasoning behind any automated decisions taken about him or her.

1.6. Subject Access provides a right for the requester to see their own personal data, rather than a right to see copies of documents that contain their personal data. Often, the easiest way to provide the relevant information is to supply copies of original documents, but organisations are not obliged to do this.

1.7. Disclosure must be made within the timescales laid down by the current Data Protection Legislation, i.e. within one calendar month. The calendar month is counted from the date on which the request is received or (if later) the day on which we receive:

• any requested clarification information;
• any information requested to confirm the requester's identity.

2. Receiving SARs

2.1. All requests for access to personal data held by the CCG are dealt with by the Corporate Governance Team. Any requests received elsewhere in the organisation should be forwarded immediately to the Corporate Governance Team. For further information or guidance about SARs, requesters should contact the IG Team on 01302 566300 or in writing to:

Corporate Governance Team NHS Doncaster Clinical Commissioning Group Sovereign House Heavens Walk Doncaster DN4 5HZ

2.2. A SAR is a written request made by or on behalf of an individual for the information which he or she is entitled to ask for under the right of access in the current Data Protection Legislation. The request does not have to be in any particular form. Nor does it have to include the words 'subject access' or make any reference to the current Data Protection Legislation. A request may be considered a valid SAR even if it refers to other legislation, such as the FOIA. An emailed or faxed request is as valid as one sent in hard copy.

2.3. SAR application forms are appended to this procedure. We may invite individuals to use our own application form, but this is not compulsory.

2.4. Before responding to a SAR, the organisation may ask the requester for information reasonably needed to find the personal data covered by the request. We need not comply with the SAR until we have received it.

2.5. If the requester requires access to their medical records, this information is not held by the CCG and the requester will need to submit their request in writing to the appropriate health organisation, such as:

• their local GP surgery, optician, dentist or pharmacist;
• their local Out of Hours care provider, for care provided by that organisation;
• their local Community or Mental Health Trust, for care provided by that Trust;
• their local Hospital Trust, for care provided by that Trust.

2.6. The current Data Protection Legislation does not limit the number of SARs an individual can make to any organisation. However, organisations are not obliged to comply with an identical or similar request to one which has already been dealt with unless a reasonable interval has elapsed between the first request and any subsequent ones, or information has subsequently been added to the record.

2.7. The current Data Protection Legislation governs access to the personal data of living individuals. The Access to Health Records Act 1990 provides a small cohort of people with a statutory right to apply for access to information contained within a deceased person's health record. The same general principles for SARs should be followed; however, Section 9 of this Procedure deals with access to deceased persons' records in more detail.

3. Acknowledging SARs

3.1. The request must be acknowledged so that the applicant is aware the request is being processed.

3.2. We may need to ask the requester for clarification or further information we reasonably need in order to find the personal data covered by the request. The timeframe for complying with the SAR does not commence until we have received this clarification.

3.3. Requests made under the current Data Protection Legislation or the Access to Health Records Act 1990 will not be subject to fees, unless the request is for a further copy, or the request is deemed to be manifestly unfounded or excessive, in which case any fee must be agreed with the requester and notified to them as soon as possible. It is also legitimate to extend the one-month time limit by up to two further months where the request is complex or where there are numerous requests from the same individual; the requester must be told of the extension.

4. Confirming the Requester’s Identity

4.1. To avoid personal data about one individual being sent to another, either accidentally or as a result of deception, the organisation needs to be satisfied that we know the identity of the requester.

4.2. If not supplied with the request, then prior to processing the request we must ask for sufficient information to judge whether the person making the request is the individual to whom the personal data relates (or a person authorised to make a SAR on their behalf). This information should include copies of two official documents that, between them, show the individual's name, date of birth and current address, e.g. birth/adoption certificate, driving licence, medical card, passport, or another official document that shows the individual's name and address, such as a utility bill. Original documents should not be requested. If the requester is already known to the organisation, the requirement for identity documents may be waived on a case-by-case basis (e.g. staff members).

4.3. The current Data Protection Legislation does not prevent an individual from making a subject access request via a third party. Often this will be a solicitor acting on behalf of a client, but it could simply be that an individual wants someone else to act for them. In these cases, we need to be satisfied that the third party making the request is entitled to act on behalf of the individual, but it is the third party's responsibility to provide evidence of this entitlement. If the data subject is not making the access request themselves, the consent of the data subject will need to be verified, and this can take the form of:

• a signature from the subject of the personal information (including if the request comes from a solicitor);
• a signature from a person appointed to act in the best interests of the patient, where an individual does not have the mental capacity to manage their own affairs;
• the signature of a parent or legal guardian applying for access to their child's data.

4.4. The advice of the CG may be sought where necessary.

5. Disclosure Timescales

5.1. Disclosure must be made within the timescales laid down by the current Data Protection Legislation: within one calendar month.

6. Identifying Personal Data in Response to SARs

6.1. Under the right of subject access, an individual is entitled only to their own personal data, and not to information relating to other people (unless they are acting on behalf of that person). Before the organisation can respond to a SAR, we need to decide whether information held is personal data and, if so, whose personal data it is.

6.2. The current Data Protection Legislation provides that, for information to be personal data, it must relate to a living individual and allow that individual to be identified from that information (either on its own or in conjunction with other information likely to come into the organisation’s possession). The context in which information is held, and the way it is used, can have a bearing on whether it relates to an individual and therefore on whether it is the individual’s personal data. In most cases, it will be obvious whether the information being requested is personal data, however the Information Commissioner has produced separate guidance (Determining what is personal data) to support decisions on defining personal data.

6.3. If the CCG determines the purpose for which and the manner in which the personal data in question is processed, then the CCG is the data controller in relation to that personal data and is responsible for responding to the SAR. The current Data Protection Legislation does not allow any extension to the time limit for responses where the CCG relies on a data processor to provide the information which we need to respond.

7. Collating Responses to SARs

7.1. The Corporate Governance Team is responsible for collating responses to SARs, but will forward the request securely to the appropriate Manager with responsibility for the records, specifying the internal timeframes for responding to the request. Types of record containing personal data are likely to be:

• Staff employment records: Lead – Human Resources Team
• Complaints records: Lead – Patient Experience Lead
• Commissioning/contracting records: Lead – relevant Commissioning / Contracting Managers
• Clinical records: Lead – Clinical Lead, e.g. Continuing Healthcare Team, Quality Manager
• CCTV: Lead – Head of Corporate Governance
• Images: Lead – Communications Team
• Minutes of meetings, emails, letters: Lead – Administrative Support Team

7.2. The appropriate Manager must consider and apply the following areas and discuss any issues with the Corporate Governance Team prior to disclosure to the requester by the Corporate Governance Team:

Serious harm: Whether access should be allowed or limited to prevent the disclosure of information which may cause serious harm to the physical or mental health or condition of the requester or any other person. If health information is being released, the Manager must consult the health professional who is responsible for the clinical care of the individual concerned before deciding whether the exemption applies.

Third parties: Whether access should be allowed or limited to prevent the identification of third-party individuals. Decisions about disclosing third-party information will be made on a case-by-case basis. In making a decision on releasing information, we will take into account the information we are intending to disclose and any information which we reasonably believe the person making the request may have, or may obtain, that would identify a third-party individual. In general, third-party information can be released if:
o the third party is a health professional who has compiled or contributed to health records or who has been involved in the care of the requester;
o the third party is capable of giving, and gives, their consent to disclosure; or
o it is reasonable to dispense with the third party's consent (taking into account the duty of confidentiality, any steps taken to seek consent, the third party's capability of giving consent, and whether consent has been refused).

Where a SAR is made by a third party who has a right to make the request on behalf of the individual, such as the parent of a child or someone appointed to manage the affairs of an individual who lacks capacity, personal data is exempt from subject access if the individual has made clear they do not want it disclosed to that third party.

Confidentiality: A duty of confidence arises where information that is not generally available to the public (that is, genuinely 'confidential' information) has been disclosed to the CCG with the expectation that it will remain confidential. This expectation might result from the relationship between the parties, e.g.
o Medical (doctor and patient)
o Employment (employer and employee)
o Legal (solicitor and client)
o Financial (bank and customer)
o Caring (counsellor and client)

In most cases where a duty of confidence does exist, it will usually be reasonable to withhold third-party information unless we have obtained the third-party individual's consent to disclose it.

Children: Whether the SAR relates to the records of a child. Even if a child is too young to understand the implications of subject access rights, data about them is still their personal data and does not belong to anyone else, such as a parent or guardian. Before responding to a SAR for information held about a child, we must consider whether the child is mature enough to understand their rights. If we are confident that the child can understand their rights, then we will respond to the child rather than the parent. When considering borderline cases, we will take into account, among other things:
o the child's age;
o where possible, the child's level of maturity and their ability to make decisions like this;
o the nature of the personal data;
o any court orders relating to parental access or responsibility that may apply;
o any duty of confidence owed to the child or young person;
o any consequences of allowing those with parental responsibility access to the child or young person's information. This is particularly important if there have been allegations of abuse or ill treatment;
o any detriment to the child or young person if individuals with parental responsibility cannot access this information; and
o any views the child or young person has on whether their parents should have access to information about them.

Mental capacity: Where an individual does not have the mental capacity to manage their own affairs, whether access would be in accord with the best interest or wishes of the patient. There are no specific statutory provisions enabling a third party to exercise subject access rights on such a person’s behalf, but Information Commissioner guidance deems it reasonable to assume that an Attorney with authority to manage the individual’s property and affairs, or a person appointed by the Court of Protection to make decisions about such matters, will have the appropriate authority.

Access: Whether the applicant should be sent an extract setting out so much of the record as is not excluded from access together with any necessary explanation, or be allowed to inspect the record in a face-to-face meeting within the required timescales. If an extract is to be provided, this must be prepared by the Manager responsible for those records.

7.3. The organisation will make extensive efforts to find and retrieve the requested information. However, guidance from the Information Commissioner does not require the organisation to do things that would be unreasonable or disproportionate to the importance of providing subject access to the information.

7.4. Information is classed as ‘deleted’ when the organisation attempts to permanently delete it and has no intention of ever trying to access it again. The Information Commissioner’s view is that, if organisations delete personal data held in electronic form by removing it (as far as possible) from computer systems, the fact that expensive technical expertise might enable it to be recreated does not mean that organisations must go to such efforts in order to respond to a SAR.

8. Releasing Information in Response to SARs

8.1. Subject access provides a right for the requester to see their own personal data, rather than a right to see copies of documents that contain their personal data. Often, the easiest way to provide the relevant information is to supply copies of original documents, and this is the approach generally taken by the organisation.

8.2. In responding to a SAR, we will:

Advise whether any personal data is being processed;

Provide a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people;

Provide a copy of the personal data (having removed or redacted any third party information which we do not have consent to release, information which may cause serious harm, or confidential information); and

Provide details of the source of the data (where this is available).

8.3. The requester may also ask for an explanation of the reasoning behind any automated decisions taken about him or her. This additional information will only be provided if it has been specifically requested.

8.4. If a requester dies before a response is provided but the CCG received the SAR when the individual was living, we will provide the response to the individual’s personal representatives if the information is still required. Identity verification checks will take place on the personal representative as were undertaken for the subject.

9. Access to Deceased Patients’ Health Records

9.1. The Access to Health Records Act 1990 provides certain individuals with a right of access to the health records of a deceased individual. These individuals are defined as the patient’s personal representative and any person who may have a claim arising out of the patient’s death. A personal representative is the executor or administrator of the deceased person’s estate.

9.2. The personal representative is the only person who has an unqualified right of access to a deceased patient’s record and need give no reason for applying for access to a record. Individuals other than the personal representative have a legal right of access under the Act only where they can establish a claim arising from a patient’s death and the information requested and released is relevant to their claim. The decision as to whether a claim actually exists lies with the record holder.

9.3. The CCG must satisfy itself as to the identity of applicants, who should provide as much information to identify themselves as possible. Where an application is being made on the basis of a claim arising from the deceased’s death, applicants must provide evidence to support their claim. Personal representatives will also need to provide evidence of identity.

9.4. A request for access should be made in writing, ensuring that it contains sufficient information to enable the correct records to be identified. Applicants may wish to specify particular dates or parts of records which they wish to access.

9.5. When considering release of the personal information of deceased individuals, issues we will consider include those relevant to SARs and any of the following in addition:

Whether disclosure would cause serious harm to the physical or mental health of any other person;

Whether disclosure would identify a third person who has not consented to the release of that information;

Whether any preference was expressed by the deceased prior to death. If the deceased person had indicated that they did not wish information to be disclosed, or the record contains information that the deceased person expected to remain confidential, then it should remain so unless there is an overriding public interest in disclosing;

The extent of the proposed disclosure;

The distress or detriment that any living individual might suffer following the disclosure;

Any loss of privacy that might result and the impact upon the reputation of the deceased.

9.6. If in doubt, the organisation’s CG should be consulted.

10. Amendments to Records

10.1. Any inaccuracies in the record, reported by the applicant, should be noted. If agreed by the health professional / manager (dependent on the type of record), these inaccuracies should be corrected using a single line to strike through the amendment, and the amendment signed by the health professional / manager. Care must be taken not to obliterate information which may have significance for the future care and treatment of the patient or for litigation purposes.


11. Appealing Against a Decision / Making a Complaint

11.1. An applicant who wishes to appeal against a decision to either refuse access or refuse changes to a record should initially contact:

Chief Officer
NHS Doncaster Clinical Commissioning Group
Sovereign House
Heavens Walk
Doncaster
DN4 5HZ

11.2. Should the response not be satisfactory to the appellant, the appellant should contact the Information Commissioner. The Information Commissioner has power to rule that any erroneous information is rectified, blocked, erased or destroyed. The applicant should be given the Information Commissioner’s details if they wish to contact them.

12. Assessing Performance on SARs

12.1. Access Requests are subject to statutory timeframes, and performance against these is reported quarterly to the Audit Committee via the Corporate Assurance Report.

13. Breaches Related to Disclosure of Information

13.1. Staff are reminded that the intentional disclosure of information to a third party, where a gain is made for themselves or another, or where it results in the risk of loss or actual loss to the CCG, is a potential criminal offence under Section 4 of the Fraud Act 2006. Suspicion of any such breaches should be reported without delay in accordance with the CCG’s Counter Fraud, Bribery and Corruption Policy, or a confidential report can be made to the NHS Fraud and Corruption Reporting Line, by calling 0800 028 40 60.

14. Requests under Current Data Protection Legislation

14.1. Organisations that have a crime prevention, law enforcement or tax collection function may request information from NHS organisations under the provisions of current Data Protection Legislation. Information may be requested for the prevention or detection of crime, apprehension or prosecution of offenders, or for the assessment or collection of tax, duty or similar obligations. The organisation will make a decision based on the information provided in each instance but reserves the right not to release the information, or to provide redacted information, where it is considered appropriate. Any disclosures should be made with an individual’s consent, or without consent in the over-riding public interest eg. in serious cases of crime such as murder, manslaughter, rape, terrorism or serious fraud.

14.2. The Coroner may request access to medical or staff records. National guidance is that the Coroner is working in the public interest and should be provided with access to all aspects of records.

14.3. If the release relates to clinical records, advice should be sought from the CG. If the release relates to corporate or staff records, advice should be sought from the Corporate Governance Team.

15. Flowcharts

15.1. Flowcharts are appended to cover access to personal information for living and deceased individuals.


LIVING INDIVIDUALS

[Flowchart: Access requested to record of living individual. The chart first distinguishes whether the request relates to the applicant’s own record or to a third party’s record, and then works through the following questions:

Does the subject of the record have mental capacity (under the Mental Capacity Act)?

Has the written consent of the subject of the record been received for release to the third party?

Has a third party been legally authorised to act on their behalf? Legal documents needed as proof: Deputyship Order from the Court of Protection, or Registered and Certified Lasting Power of Attorney (LPA) for Health and Welfare (if Finance LPA, release only finance data).

Each path ends either in GRANT ACCESS within 1 month (reportable to the Information Governance Group / accountable to the Executive Committee) or in DO NOT RELEASE THE RECORD.]

Prior to any release of data, consideration should be given to the following:

A healthcare professional should review the record.

How much data is requested: the whole record or part? Release the minimum needed.

Remove any references to third parties or references which could potentially identify third parties.

Remove any data which could, if released, cause serious harm to the person’s mental or physical health.

Remove any data which relates to legal professional privilege.

Remove any data which is restricted by order of the Courts or other legislation eg. adoption records.

Copies only should be provided – never originals.


DECEASED INDIVIDUALS

[Flowchart: Access requested to record of deceased individual. Does the third party have a legal right of access to the record? NO: DO NOT RELEASE THE RECORD. YES: subject to the considerations below, GRANT ACCESS within 1 month (reportable to the Information Governance Group / accountable to the Executive Committee).]

Certain individuals have rights of access:

The patient’s personal representative (Executor or Administrator of the deceased’s Estate)

Any person who may have a claim arising out of the patient’s death

NB. Data Controllers must satisfy themselves as to the identity of the applicant, who should provide as much information as possible to identify themselves. Where the application relates to a claim, the applicant must provide evidence to support their claim.

Evidence could include:

A redacted copy of the Will showing the Executor / Administrator (or beneficiary for a claim)

Grant of Probate (if a Will is in existence)

Grant of Letters of Administration (if no Will)

Legal evidence that a Will is being contested

Executors can be a Solicitor or can appoint a Solicitor to act on their behalf. “Next of kin” has no legal definition, and next of kin have no legal right of access.

Prior to any release of data, consideration should be given to the following:

A healthcare professional should review the record.

How much data is requested: the whole record or part? Release the minimum needed.

Remove any references to third parties or references which could potentially identify third parties.

Remove any data which could, if released, cause serious harm to the person’s mental or physical health.

Remove any data which relates to legal professional privilege.

Remove any data which is restricted by order of the Courts or other legislation eg. adoption records.

Copies only should be provided – never originals.


SUBJECT ACCESS REQUEST / ACCESS TO HEALTH RECORDS APPLICATION

SECTION 1: DETAILS OF THE SUBJECT OF THE PERSONAL INFORMATION

Surname: Forenames:

Address:

Postcode:

Date of Birth:

Reference number (if known):

NHS Number (if applicable / known):

If the individual’s name and/or address was different from the above during the period to which the Subject Access Request relates, please give details:

Previous Surname(s):

Previous Address(es):

Postcode:

SECTION 2: DETAILS OF THE PERSONAL INFORMATION REQUESTED

Please provide as much information as possible to identify the personal information which you are requesting, including dates between which the information was created and the type of information which you are seeking.

Personal information requested:

Dates:


SECTION 3: AUTHORISATION

PERSON COMPLETING THE APPLICATION: I declare that the information given by me is correct to the best of my knowledge and belief and that I am entitled to access the requested personal information under the terms of the Current Data Protection Legislation or Access to Health Records Act 1990.

Surname: Forenames:

Address:

Postcode:

Signature: Date:

PLEASE COMPLETE ONLY ONE OF THE FOUR SECTIONS BELOW:

A – You

I am the subject of the information (this is about me).

B – Third Party

I have been asked to act by the subject of the information (I am applying on behalf of someone else).

The subject’s written authorisation to this effect is set out below:

I certify that I, (name of subject), hereby authorise (name of applicant) to act on my behalf in respect of this application for access to my personal information.

Signature: Date:

I am acting on behalf of an individual who lacks the capacity to consent as defined by the Mental Capacity Act 2005. I hold a Power of Attorney or a Deputyship from the Court of Protection, a copy of which is attached.

C – Children and Young People

I have parental responsibility and the child/young person is under the age of 13 years, and lacks capacity to make/understand the request.


D – Deceased persons

I am the deceased patient’s personal representative and attach confirmation of my appointment.

For example:

A copy of the Will showing the personal representative

Grant of Probate (if a Will is in existence)

Grant of Letters of Administration (if no Will)

I have a claim arising from the individual’s death and attach evidence of this.

For example:

A copy of the Will showing a beneficiary, evidence of a claim, and legal evidence that a Will is being contested

I wish to access information relevant to my claim on the grounds that:

SECTION 4: IDENTITY CHECKS

To help establish the identity of the subject of the personal information, your application must be accompanied by copies of TWO official documents that, between them, show the individual’s name, date of birth and current address.

For example:

Birth/Adoption certificate, Passport, Driving Licence.

Medical Card or other official document that shows name and address, such as a Utility Bill.

For Section D only:

A copy of the Will showing the personal representative (Executor / Administrator)

Grant of Probate (if a Will is in existence)

Grant of Letters of Administration (if no Will)

Evidence of a claim / legal evidence that a Will is being contested

Please do not send originals.

Failure to provide this proof of identity may delay your application.

Requests are generally free of charge; however, in certain circumstances a charge may be levied.

On completion, this form should be forwarded to:

Information Governance Team
NHS Doncaster Clinical Commissioning Group
Sovereign House
Heavens Walk
Doncaster
DN4 5HZ


CONFIDENTIALITY CODE OF CONDUCT AND

CURRENT DATA PROTECTION LEGISLATION PROCEDURE


D - CONFIDENTIALITY CODE OF CONDUCT AND CURRENT DATA PROTECTION LEGISLATION PROCEDURE

1. Introduction

1.1. NHS Doncaster CCG holds and processes information about its employees, patients and other individuals for various purposes (for example, to operate the payroll and to enable correspondence and communications).

1.2. To comply with the Current Data Protection Legislation information must be collected and used fairly, stored safely and not disclosed to any unauthorised person. The Current Data Protection Legislation applies to both manual and electronically held data. The eight Current Data Protection Legislation principles – refer to Section B, Information Governance Strategy and Framework, Item 6 – Current Data Protection Legislation principles.

1.3. Common Law Duty of Confidentiality – A duty of confidence arises when one person discloses information to another (eg. patient to clinician) in circumstances where it is reasonable to expect that the information will be held in confidence. This covers not only what a patient may reveal, but also what the professional may independently conclude or form an opinion about based on examinations or assessments as well as communications.

1.4. The seven Caldicott Principles – refer to Section B: IG Strategy and Framework, Item 9.4 – Caldicott Principles.

1.5. Patients and staff have a right to expect that the Current Data Protection Legislation and Caldicott principles are adhered to. Patients and staff have the right to choose whether or not to agree to information that they have provided in confidence being used or shared beyond what they understood to be the case when they provided the information (give consent). NHS Doncaster CCG produces a patient leaflet describing what their information is used for and their rights. Without assurances about confidentiality, patients may be reluctant to give information which is needed in order to provide good care. For these reasons:

When you are responsible for confidential information you must make sure that the information is effectively protected against improper disclosure when it is disposed of, stored, transmitted or received;

When patients give consent to disclosure of information about them, you must make sure they understand what will be disclosed, the reasons for disclosure and the likely consequences;

You must make sure that patients are informed whenever information about them is likely to be disclosed to others involved in their health care, and that they have the opportunity to withhold permission. Patients should be made aware of their right to change their mind at any time up to the point of disclosure;

You must respect requests by patients that information should not be disclosed to third parties, save in exceptional circumstances (for example, where the health or safety of others would otherwise be at serious risk).


Patients should be advised in a non-confrontational way of any consequences of refusal to allow the disclosure of information from their records;

A record should be made of any decision not to disclose personal information including the date and background to any discussion or correspondence with the patient. If necessary, further advice should be sought from the CG or the Head of Corporate Governance;

If you disclose confidential information you should release only as much information as is necessary for the purpose - if it is appropriate to share information gained in the course of your work with other health or social work practitioners, you must make sure that as far as is reasonable, the information will be kept in strict professional confidence and used only for the purpose for which the information was given;

If you decide to disclose confidential information, you must be prepared to explain and justify your decision. If you are unsure whether or not to disclose information or whether you need to ask for patient consent, please ask the advice of the CG;

You must always abide by these principles.

1.6. All types of confidential, person identifiable, business and sensitive personal information should also be treated in accordance with the above principles.

2. Guidance on the Protection and use of Personal Information

2.1. Patients and staff expect that information about them will be treated as confidential.

2.2. Personal information should be anonymised wherever possible, unless explicit identification is necessary and held with consent, for direct patient care or in line with a statutory gateway.

2.3. Any personal information held is safeguarded by the Current Data Protection Legislation. No computerised databases holding personal information should be created without registration with the Corporate Governance Manager and approved by the CG. The Corporate Governance Manager is responsible for maintaining these registrations.

2.4. It is strictly forbidden for employees to look at any information relating to themselves, their family, friends or acquaintances unless they are directly involved in the patient’s clinical care or with the employee’s administration on behalf of NHS Doncaster CCG. There may also be sealed envelopes within patient or staff files. These must only be opened by authorised personnel.

2.5. Care should be taken to ensure that unintentional breaches of confidence do not occur. For example:

Do not leave confidential paper files or computer terminals unattended / unsecured – lock files away and lock computers even if you are only absent for a couple of minutes.


Ensure you confirm the identity of the person to avoid giving information to the wrong person.

Only have confidential conversations in private areas. Do not allow sensitive conversations to be overheard.

Guard against people seeking information by deception. In cases where it is suspected that attempts to gain information have been made using any form of deception, consider seeking advice from the Local Counter Fraud specialist (LCFS).

Ensure you always use a “Safe Haven” Fax when you are transmitting any personal data by fax.

Personal information should only be emailed if absolutely necessary, encrypted wherever possible and password protection must be used.

Only access personal information on portable IT equipment if absolutely necessary. Please refer to the Laptops, Other Portable Devices Off-site Procedure for more information.

2.6. If personally identifiable data is taken off site for proper business purposes, then appropriate measures must be taken to ensure that the data is safeguarded against unauthorised disclosure, loss or destruction. It is the individual’s responsibility to ensure the confidentiality of any information held on equipment, and extra care should be taken with portable equipment; please refer to the Laptops, Other Portable Devices Off-site Procedure for full details.

2.7. Personal information should not be made available to other organisations or individuals without the prior approval of the CG and/or Head of Corporate Governance. In addition, individual consent may be required. These measures help to ensure compliance with the Current Data Protection Legislation and ensure that information is treated and stored according to specified security standards and used only for agreed purposes.

2.8. ISAs should be developed for operational circumstances which require sharing of information. See the Information Sharing Procedure for further information.

2.9. All staff or patient identifiable correspondence should be addressed to a named recipient wherever possible and sent in a sealed envelope (not an internal envelope) and marked ‘Private’ or ‘Confidential’.

2.10. Any breach of information security must be reported immediately to your line manager and an incident report completed as per the Incident Management Policy. Your line manager will then contact the appropriate person(s) eg. the IT Services ‘help desk’, CG or SIRO. Suspected or actual breaches of personal data should be reported using the same process. Any serious breaches of confidentiality should also be reported within 24 hours, in person or by telephone, to the Head of Corporate Governance or their nominated Deputy and the CCG’s DPO, and to the ICO within 72 hours.

2.11. Procedures should be in place to ensure that, from record creation to disposal, information is held so it serves the purpose it was created for and is disposed of appropriately. Appropriate disposal for confidential information would be shredding. For further information about records management please refer to the Records Management Procedure.

2.12. Failure to comply with this Code of Conduct will be viewed as a breach of confidentiality and may result in disciplinary action and possibly risk legal action by others. For more information refer to the Disciplinary Procedure.

3. Lawful Basis for Processing Personal Data

It is NHS Doncaster CCG’s policy, in demonstrating compliance with Current Data Protection Legislation, that the organisation complies with Article 9 and, as a Public Authority, Article 6, ensuring that in the processing of personal data at least one of the following lawful bases applies:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

3.1. The lawful basis for processing information should be determined and documented via a Current Data Protection Legislation and the IAR, before processing begins.

3.2. Requests for consent are carried out to allow individuals an opportunity to raise any objections to any intended processing of personal data. NHS Doncaster CCG will consider any such objections but reserves the right to process personal data in order to carry out its functions as permitted by law.

3.3. Advice can be sought from the CG or the Head of Corporate Governance to consider the correct lawful basis for processing or the DPO in the completion of the Current Data Protection Legislation.


4. Sensitive (Special Category) Personal Data

4.1. NHS Doncaster CCG’s function means that it may process "sensitive personal data" relating to staff, patients and other individuals when explicit consent has been given and the data controller can demonstrate that consent was given.

4.2. "Sensitive personal data" is information as to a data subject's racial or ethnic origin, political opinions, religious beliefs or beliefs of a similar nature, trade union membership, physical or mental health or condition, sexual life, offences or alleged offences, and information relating to any proceedings for offences committed or allegedly committed by the data subject, including the outcome of those proceedings. For example, data relating to the ethnic origin of individuals may be processed for the purposes of equal opportunities monitoring or to identify any necessary dietary requirements and possible sources of financial assistance. In certain circumstances, NHS Doncaster CCG may need to process information regarding criminal convictions or alleged offences in connection, for example, with any disciplinary proceedings or other legal obligations.

4.3. In other circumstances, where sensitive personal data is to be held or processed, NHS Doncaster CCG will seek to determine the lawful basis for processing. Any such queries regarding exemptions must be directed to the CG or Head of Corporate Governance.

5. Disclosure Outside of the United Kingdom

5.1. NHS Doncaster CCG transfers personal data to countries or territories outside of the United Kingdom in relation to the organisation’s website or to comply with an access request from a patient who has relocated. The website contains job titles, work addresses, telephone numbers and email addresses. Person identifiable information is never disclosed via the website. If an individual wishes to raise an objection to this disclosure then written notice should be given to the Head of Corporate Governance. When complying with an access request from abroad, a signature is required on delivery of the notes, which acts as a security measure.

5.2. Other personal data, even if it would otherwise constitute fair processing, must not, unless certain exemptions apply or protective measures taken, be disclosed or transferred outside the UK to a country or territory which does not ensure an adequate level of protection for the rights and freedoms of data subjects. Advice should be sought from the Head of Corporate Governance or CG before any such information is transferred.


CONFIDENTIALITY CODE OF CONDUCT DECLARATION

I, the undersigned have read, understood and agree to comply with NHS Doncaster CCG’s “Confidentiality Code of Conduct and Current Data Protection Legislation Procedure” and accept that any breach of this may be a disciplinary offence

Employee’s Name:

Job Title:

Directorate:

Location:

Contact Number:

Employee Signature:

Date:


LAPTOPS, OTHER PORTABLE DEVICES AND OFF-SITE USERS

PROCEDURE


F - LAPTOPS, OTHER PORTABLE DEVICES AND OFFSITE USERS PROCEDURE

1. Introduction

1.1. The purpose of this document is to provide guidance to staff in relation to the correct and safe use of any type of laptop, portable IT or communications equipment which has been provided to them in relation to their work.

1.2. The aims of this document are:

To ensure that portable IT devices are issued, maintained and used in accordance with all NHS Doncaster CCG policies and procedures and in line with the law and current guidance.

To ensure that all person identifiable data remains secure at all times in accordance with legislation and guidance.

To ensure that staff and managers are fully aware of their responsibilities for hardware and software supplied.

1.3. Traditional password protection on a laptop offers limited defence against a determined attack. Modern complex password techniques offer more protection but are not currently in widespread use. The physical security controls that are possible within NHS buildings are not available outside of that environment; therefore, if procedural and personal controls of a portable device are breached, the only effective technical measure that can be applied is cryptography. Encryption products must be used correctly in accordance with defined procedures; in particular, the password and any additional token used must be kept separate from the portable device. Data is only protected by encryption when the device is powered off and not in normal use.

2. Procurement and Issuing of Portable Devices

2.1. NHS Doncaster CCG’s information management and technology strategy direction, led by the Head of Information Technology, will inform all decisions on the purchase and development of IT and communications equipment.

2.2. Line managers must authorise the ordering of portable IT devices including but not limited to laptops, notebooks, tablets, USB sticks and 3G cards. Usage is restricted to business purposes, and users must be aware of, and accept the terms and conditions of use, especially the responsibility for the security of information held on such devices and the necessity to complete required documentation.

2.3. All orders for IT equipment must be made through the agreed process with authorisation from the Head of IT.

2.4. Each portable device is to have a named owner registered in the Asset Register. Line managers are responsible for agreeing who will be identified as the registered owner for each portable device. For laptops, once agreed, the registered owner is required to sign to accept receipt of the laptop and responsibility for its maintenance on the Network.

2.5. All peripheral data storage devices including USB memory sticks and portable hard drives may only be issued where certain criteria are met and line managers will be asked to make requests through the Head of IT. This will only include use with person identifiable data in exceptional circumstances when authorisation will be required in advance from the CG. The Corporate Governance Team will support the Head of IT in the issuing and retrieval of USB memory sticks.

2.6. Mobile telephones will be subject to the conditions of this policy and procedure due to the increased functionality available on such items. A separate procedure also governs mobile telephones.

3. Use of Portable Devices

3.1. Staff who are issued with portable devices and who intend to travel for business purposes must be made aware of the information security issues relating to portable facilities and implement the appropriate safeguards to minimise the risks. The theft of a laptop computer / tablet device may result in additional organisational costs and loss of data.

3.2. Any CCG devices issued to staff must not be taken outside of the UK, unless authorised by the SIRO or the Director of Digital.

3.3. Portable devices are very vulnerable to theft, loss or unauthorised access. All portable devices must have NHS approved encryption software installed by the NHS Doncaster CCG’s commissioned IT Service. To preserve the integrity of data, portable devices should be maintained regularly and batteries kept charged to preserve their functionality. Portable devices should never be left unattended in public view even if locked in a vehicle.

3.4. Be aware that a portable device such as a laptop / tablet is a valuable, portable piece of equipment that is attractive to thieves. Please ensure sensible precautions are taken when carrying or using these devices. In vulnerable areas, laptops should always be locked away overnight or when left unattended for long periods. Docking stations are not secure. Never leave your laptop where it is visible; if possible take it with you. If you must leave it in the car, lock it in the boot, and try to ensure that nobody sees you do it. When carrying your laptop in a shoulder bag, where possible place the carrying strap over your head so that it lies diagonally across your body; this makes it more difficult to snatch. Airports and railway stations are favourite places for laptop theft, so be especially vigilant in these places. While using your laptop outside the offices (in public places or third party premises), always be aware that the screen could be seen by other people. If possible avoid displaying or entering sensitive information in public places. If you must do so, try to position yourself where the screen cannot be seen by other people.

3.5. All users of portable devices are responsible for ensuring the security of their password and for complying with NHS Doncaster CCG policies and procedures in relation to password management and access controls.

3.6. Users who have been issued with a device to allow remote access to the NHS Doncaster CCG server must follow the guidance issued with the card. It is the user’s responsibility to ensure that the laptop and token are kept separately when not in use.

3.7. Off site computer usage must be with the authorisation of the line manager. Usage is restricted to business purposes and users must adopt adequate and appropriate security measures.

3.8. Only legal copies of software purchased or obtained by authorised personnel should be installed, and then only by NHS Doncaster CCG’s commissioned IT Service. Where software is in the form of a demonstration disk then, upon completion of its use, it should be removed from the portable device.

3.9. No unauthorised software should be installed on any portable device. Shareware, Public Domain Software and computer games must not, under any circumstances be loaded on to any portable device.

3.10. Laptop computers must be connected to the NHS Doncaster CCG network at the recommended intervals to ensure that all software including virus protection is regularly updated. To ensure that the laptop has the latest up to date virus signature files and software patches, the registered owner should ensure that the laptop has been connected to the network on a regular basis; ideally once a week (unless you are on holiday). If you are unable to do this please contact the IT Service Desk for advice. If your laptop is not connected to the network for a period of 90 days it will be disabled and it will be necessary to return it to the IT Service Desk to be re-enabled. Do not attempt to change any security settings in the operating system, anti-virus software, firewall etc.

3.11. All portable devices will be supplied with the appropriate level of encryption installed. Non-encrypted laptops and USB sticks must not be used for NHS Doncaster CCG work.

3.12. Sensitive data, including that relating to patients, should not routinely be stored on an NHS laptop, Smartphone or tablet and where necessary should be kept to the minimum required for its effective business use in order to minimise the risks and impacts should a breach occur.

3.13. Sensitive data, including that relating to patients, personal data such as notes, music, videos and photos may be stored on the device but should not use more storage than is reasonable.


3.14. Streaming video and personal data downloads must not take place while the device is connected to the NHS Doncaster CCG IT network or NHS Doncaster provided 3G/4G service.

3.15. In order to protect the organisation’s interest, all data – or any subset thereof – may be deleted by the IT department from a Doncaster CCG owned or personal smartphone/tablet device connected to the network if the device appears to be lost or stolen or if the user terminates employment with the company.

3.16. Smartphones and tablet devices that access the network or email system must be protected by a PIN code and set to time out after a maximum of 5 minutes use.

3.17. PIN codes set on the device must have a maximum amount of retries set to 10.

3.18. Devices must have an auto-erase function set once the maximum amount of PIN retries has been breached.

3.19. Users are not permitted to use remote backup or storage facilities outside the control of the CCG. Devices must have iCloud services disabled with the exception of ‘Find my iPhone/iPad’.

3.20. Other devices such as Blackberry/Android may be permitted to use NHS Doncaster CCG Wi-Fi services for access to NHS Mail with authorisation from either the Director of Digital or Head of IT. They will not be permitted to connect to the CCG email system.

3.21. Any misuse of devices that causes a financial loss to NHS Doncaster CCG or facilitates a similar gain for another (individual or organisation), or uses devices to facilitate the passage of any data for criminal purposes will be subject to referral to the Local Counter Fraud Specialist (LCFS) for investigation, sanction and redress action (see the Fraud Policy for further details). This will be in addition to any disciplinary action relevant to the situation.

3.22. Staff may use their own personal portable devices in conjunction with NHS Doncaster CCG work. A signed user agreement will be required from all staff for the usage of corporate information on a personal or work-issued mobile device.

3.23. Portable devices should not be passed between individuals when staff changes occur without consultation with the Head of IT who will work with the commissioned IT Service to re-assign the asset and ensure appropriate documentation is completed. Those who have not been identified as users of a portable device such as a laptop will not be able to use it for any purposes.


3.24. New staff, including those on secondment, are not permitted to use any equipment that they bring with them without prior approval of the CCG’s commissioned IT Service.

3.25. NHS Doncaster CCG staff leaving the organisation or going on secondment may not take NHS Doncaster CCG equipment with them and it should be returned in the first instance to their Line Manager.

3.26. NHS Doncaster CCG portable devices are marked with Asset Numbers which users should keep a record of and add to the Asset Register.

3.27. USB sticks, if not managed appropriately, pose a serious threat to security. They are capable of storing large amounts of information and yet are very small and therefore easily lost or stolen. Only those USB sticks issued by NHS Doncaster CCG are permitted to be used in conjunction with the NHS Doncaster CCG’s information assets or to hold NHS Doncaster CCG information. All USB sticks issued by NHS Doncaster CCG will be encrypted to protect the contents should the device be lost or stolen.

Under no circumstances should an unencrypted memory stick be used to store any sensitive or confidential information that is owned by or controlled by NHS Doncaster CCG. When it is necessary to deliver training or a presentation using a non-NHS owned PC or laptop, and there is no viable alternative to using a USB stick then consideration should be given to taking a NHS Doncaster CCG laptop to the event. However, if this is not possible and a memory stick is the only practicable option, the following precautions must be taken:

• The USB stick should only contain the files required specifically for the event.

• Sensitive data must be kept to the absolute minimum.

• Files must be accessed directly from the memory stick and must not be copied onto the PC or laptop.

• The memory stick must be removed from the PC or laptop when leaving it unattended and immediately the training / presentation is complete.

4. Adverse Incidents Involving Portable Devices

4.1. All incidents involving loss, theft or damage to a portable device should be reported via the CCG’s incident reporting system and to the IT Help Desk.

4.2. The theft or potential theft of any item must also be reported to the police and a crime number should be obtained. If you are able to supply the Asset Number for the item then NHS Doncaster CCG’s commissioned IT Service will provide the full serial number to facilitate police enquiries.

4.3. The loss of any data that was not encrypted, or which involves substantial amounts of encrypted information relating to individuals, must be reported by telephone at the earliest opportunity to the Head of Corporate Governance and / or the CCG’s DPO. This may constitute a Serious Incident for onward reporting to the Information Commissioner.

5. Shared Equipment

5.1. The majority of portable IT devices are issued to and are for the use of one named individual. In certain circumstances departments may have been issued with shared equipment for use in training, presentations etc. One individual within a directorate will be responsible for managing the logging out and in of such devices and for ensuring that these are connected to the network for updating where necessary.


MOBILE TELEPHONE PROCEDURE


G - MOBILE TELEPHONE PROCEDURE

1. Introduction

1.1 NHS Doncaster CCG will issue a mobile telephone to relevant staff for use whilst on duty. The issue of mobile telephones is aimed at assisting with communication, ensuring a speedy response, and providing a security measure for staff employed who work in isolated situations.

1.2 The issue of a mobile telephone is to ensure that staff working in isolation in a community setting are able to make contact with a colleague or designated person, and also as an aid to improve communication in unexpected and emergency circumstances.

1.3 NHS Doncaster CCG may also issue a mobile telephone to staff who are required to undertake duties on behalf of the organisation in a setting outside of their normal base or outside normal working hours.

1.4. WiFi enabled laptops are provided to all CCG employees, with remote connectivity for authorised individuals, and therefore mobile telephones are issued purely for the purposes of verbal communication and not for access to emails or the internet.

2. Aims

2.1 The aim of this procedure is to provide guidance as to the appropriate use of mobile telephones issued by NHS Doncaster CCG.

3. Responsibilities

3.1. The Director of Strategy and Delivery, Chief Finance Officer, Chief Nurse and Associate Director of HR and Corporate Services are responsible for identifying staff within their teams who require provision of a work mobile telephone.

3.2. Line Managers are responsible for:

• Ensuring staff issued with a work mobile phone have access to and understand the content of this procedure.

• Ensuring that the Acceptance of Mobile Phone form has been completed and signed (Appendix A).

• Ensuring the return of the mobile telephone for:
  o Those employees leaving employment;
  o Those employees who change job roles and no longer require the use of a mobile telephone;
  o Those employees who are on long term absence eg. sickness, maternity leave, career break.


3.2 Employees issued with a mobile telephone are responsible for:

• Reading and understanding the content of this procedure.

• Using the provided mobile telephone for work purposes only.

• Reporting promptly any loss or theft of a work mobile phone.

4. Process for Issue and Use of Mobile Telephones

4.1. The Head of IT is responsible for the issue of mobile phones to nominated staff.

4.2. Mobile telephones are not intended to replace existing communication systems and must be used with caution when discussing personal/clinical information. Employees must be aware of the principles of the Current Data Protection Legislation and Caldicott Principles to ensure that mobile telephones are not used to discuss patient or personal details or confidential issues in public places.

4.3. Calls from a mobile telephone (including text messaging) are expensive and therefore discussion should be clear and succinct.

4.4. Text messaging should be used with caution and only in situations where the receiver is known. Texting is not a safe method of transmitting personal confidential data or commercially in confidence data and it is therefore not to be used for communicating personal identifiable, sensitive or confidential information apart from in exceptional circumstances.

4.5. Mobile telephones are issued to assist communication within the remit of working for the organisation and must not be used for making personal calls except in an emergency. Serious misuse of the mobile telephone will result in disciplinary action.

4.6. Mobile telephone numbers should normally only be given to colleagues. They must not be issued to patients (unless agreed by a senior manager).

4.7. Settings to withhold the caller telephone number should be activated at all times.

4.8. In the event of an urgent need for communication, relatives / friends / childcare providers / schools should be given the employee’s office number or their personal mobile telephone number, and should not use the work mobile phone except in an emergency.

4.9. If employees are aware of any areas where the reception is poor they must inform their line manager so that if there is a delay in picking up a message poor reception is taken into account.

4.10. Use of the mobile telephone in certain settings should be checked before use to avoid interference with electronic equipment.


4.11. All employees are reminded that breaches of policies, including breaches of this procedure, could be regarded as misconduct or potentially as criminal activity which will be reported to the LCFS in accordance with the Counter Fraud, Bribery and Corruption Policy.

4.12. Mobile telephones issued by NHS Doncaster CCG need only be switched on when the member of staff is on duty or on call.

4.13. Where a mobile telephone allows access to the internet, this facility should not be used except in an emergency situation and this use is governed by the Internet E-mail and Social Networking Procedure.

4.14. It is the responsibility of all staff to ensure that their work mobile telephone is kept in working order and charged in readiness for the next working day.

5. Security

5.1 It is the responsibility of each member of staff to ensure the safety of the telephone and that the batteries are charged in accordance with the manufacturer’s instructions.

5.2 Mobile telephones must not be left unattended, particularly in offices or cars, and should be stored securely when not in use.

5.3 If a mobile telephone is stolen, lost or damaged, employees must immediately report this by contacting the Head of Corporate Governance or Head of IT, or the Corporate Governance Manager.

5.4 Users must ensure that where security settings are available they are enabled at all times. This may be in the form of a PIN (personal identification number) code. It is the responsibility of the user to record the PIN securely and pass this to their line manager on return of the mobile telephone.

5.5 The deliberate misuse of a mobile telephone can be an offence under the Fraud Act 2006 and other statutes such as the Communications Act 2003, Mobile Telephones (Reprogramming) Act 2002 and the Telecommunications Act 1984. Suspicions of fraud should be referred appropriately in accordance with the Counter Fraud, Bribery and Corruption Policy.

6. Return of Mobile Telephones

6.1 Mobile telephones will form part of the equipment issue and must be returned when employees either leave the employment of NHS Doncaster CCG or change jobs where the job role is no longer deemed appropriate for the issue of a mobile phone.

6.2 Where a mobile phone is not being used, it should be returned to the Head of IT as soon as possible so that the contract can be cancelled.


6.3 Employees on long term absence, eg. sickness absence, maternity leave or a career break, are requested to discuss with their line manager the return of the mobile telephone during the period of absence.

6.3 When returning the mobile telephone staff must include all the equipment provided, i.e. handset, charger, and case.

6.4 All handsets will be disposed of in one of the following ways dependent on their condition and value:

• Re-allocated to another user

• Repaired and allocated to another user

• Disposed of securely in line with the IT asset disposal protocol via the Head of IT.

7. Safety in the Use of Mobile Telephones

7.1 Using a hand-held mobile telephone, or other hand-held device that performs an interactive communication function by transmitting or receiving data, whilst driving is both dangerous and illegal (Amendment of the Road Vehicles (Construction and Use) Regulations 1986).

7.2 Even the use of a hands-free mobile telephone or other interactive communication device whilst driving reduces concentration and increases the likelihood of an accident occurring. For this reason, mobile telephones and other interactive communication devices, whether hand held or hands free, must not be used by any NHS Doncaster CCG employee whilst driving and on NHS Doncaster CCG business.

7.3 ‘Driving’ for these purposes includes any time while the vehicle is on the road and its engine is running, even if the vehicle is stationary. This includes time spent stopped at traffic lights or during other hold-ups.

7.4 ‘Interactive communication’ includes sending or receiving oral or text messages, faxes, or still or moving images, or accessing the internet.

7.5 Mobile telephones and other communication devices should be switched to voicemail, call diversion or a message service before beginning your journey on NHS Doncaster CCG business.

7.6 The only exception to the ban on use of mobile telephones or other interactive communication devices, whilst driving on NHS Doncaster CCG business, is when it is necessary to contact the emergency services on 999 or 112 in the case of a real emergency, where it is unsafe or impracticable for you to stop driving in order to make the telephone call.

7.7 Any employee who disregards these rules will be subject to disciplinary action.


7.8 Employees are asked to be mindful when using mobile devices for texts that the small keypads are not designed for composing lengthy correspondence in text or email mode. Where possible, staff should wait until they have access to a full sized keyboard at an appropriate workstation.


Acceptance of Mobile Phone Form

Recipient details

Name:

Job Title:

Reason for issue of phone:

Issue approved by:

Phone details

Phone type:

Telephone number:

IMEI number:

Date issued:

Signatures

Recipient: Signature: Name: Date:

Issuing officer: Signature: Name: Date:

Phone returns

Date returned:

Receiving officer:

Form to be returned to the Chief of Service for the Department, and forwarded by the Chief to the Head of IT.


PROCEDURE FOR REGISTERING AND AUTHORISING COMPUTERISED DATABASES FOR THE STORING AND PROCESSING OF PERSONAL DATA


H - PROCEDURE FOR REGISTERING AND AUTHORISING COMPUTERISED DATABASES FOR THE STORING AND PROCESSING OF PERSONAL DATA

1. Introduction

1.1. In order to ensure that the organisation and its employees comply with the Current Data Protection Legislation and Records Management: NHS Code of Practice, the following procedure must be followed for any personal (staff or patient identifiable) information that is being held, or that a member of staff is considering holding, on a computerised system. This includes the completion of a Database Approval Form available from the Head of Corporate Governance. Approval will only be valid for a period of 2 years, following which the database should be re-registered.

2. Purposes of Storing / Processing

2.1. The software used to store the information may be called a database (eg. Microsoft Access), spreadsheet (eg. Microsoft Excel) or word processing package (eg. Microsoft Word). However, staff or patient identifiable information stored on any of these software applications will constitute a “database” for the purposes of this procedure.

2.2. Where a specific requirement to gather staff or patient identifiable information exists, which cannot be supported by an existing NHS Doncaster CCG system, it may be permissible to gather that data on an “in-house” database, providing the following procedure is strictly adhered to:

• Approval, in advance, from the CG, must be sought on the proposed collection, storage and use of information. Users must complete the Database Approval Form which includes:
  o List of all data items being recorded
  o The source of each data item
  o Any parties to whom the data may be disclosed
  o Legal gateway eg. consent, direct patient care, legal gateway such as Section 251, or Public Interest

• The data will be kept on a confidential network drive where available (usually a restricted access area of a shared drive) and access to the information will always be controlled by user name and password.

• Whenever possible, the information will be adequately anonymised.

• In exceptional and authorised circumstances, if it is necessary to keep the database on a supported laptop or stand-alone computer, then the laptop or stand-alone computer will have the approved encryption software installed so as to protect the data thereon, for example in case of theft; procedures for making security backup copies of the database will be implemented.


• In all cases, databases may not be copied on to any PC or computer system not belonging to the organisation without the express consent of the CG through the registration process.

• The CG will receive the Database Approval Forms for signature from the Corporate Governance Manager, where a record of databases will be kept on a central register.

• Individuals must not undertake the development/use of any new systems for personal data management purposes until a comprehensive Risk Assessment has been carried out by the CG.


Database Approval Form

Name of database:

Database custodian: (Information Asset Owner – the person who is responsible for the database)

Date when database went/is to go live:

Computer package used (eg. Access, Excel):

Is this a commercial application or a supported system? (These are specialised databases which have been supplied by a company i.e. not a database created by someone in the organisation)

Yes / No

Has IT been involved in setting up the database? Yes / No

Where is the data to be held / stored? (Highlight correct option)

NHS Doncaster CCG network drive (give letter of drive)

NHS Doncaster CCG laptop

Other (Give details)

Describe any security/back up measures used: (eg. server in a locked room, backed up daily)

Is the database to be used for:

Business Management / Clinical Management / Both

If Clinical management, is the database used to support clinical decision making?

Yes / No

If Yes, please give details:

The purpose of collecting / processing the data:

Who has access to the database: (list names and job titles)

Is the patient aware you are holding this data?

Yes / No / Don’t know

What is the legal basis for storing the identifiable data? (Please specify)

Consent / Public Interest / Direct Care / Other Statutory Gateway


List all data items stored on the database. Identifiers should be limited to one unless there is consent to store the data. (Printed lists may be attached instead)

Source of data i.e. where will you get the information from?

Do you share the information on the database with any other clinicians / organisations / departments / or other individuals?

Yes / No

If yes, describe any print outs/emails etc with patient identifiable information sent from the database (include their name, job title, organisation (if different) and what is sent)

What steps are taken to ensure the accuracy and timeliness of the information held?

I confirm that I have read and understood the Procedure for Registering and Authorising Computerised Databases for the Storing and Processing of Personal Data.

Signature:

Date:

Name:

Job Title:

Telephone:

Basepoint:

PLEASE ENSURE THAT ANY RISKS RELATED TO THIS DATABASE ARE REPORTED TO THE RELEVANT PERSON(S) WITHIN YOUR DIRECTORATE WITH RESPONSIBILITY FOR THE RISK REGISTER. SEND THE COMPLETED FORM TO THE CORPORATE GOVERNANCE TEAM, SOVEREIGN HOUSE, HEAVENS WALK, DN4 5HZ. YOU WILL NEED TO RE-REGISTER IN TWO YEARS OR SOONER IF THERE ARE ANY CHANGES. (Corporate Services Team to forward to Caldicott Guardian for signature)

TO BE COMPLETED BY THE CALDICOTT GUARDIAN: Approved / Not approved

Signature: Date:


PASSWORD MANAGEMENT PROCEDURE


I - PASSWORD MANAGEMENT PROCEDURE

1. Introduction

1.1. The purpose of this document is to provide guidance to staff in relation to the correct and safe implementation and management of access to IT systems through robust password use and access controls.

1.2. The aims of this procedure are:

To ensure that all staff access IT systems through approved and appropriate passwords.

To ensure that all IT systems can only be accessed by appropriate persons through access controls.

To ensure that staff and managers are fully aware of their responsibilities for access to all systems.

To ensure that access controls are considered at the development stage of all IT based procurement and that these are implemented and audited.

2. Password Security

2.1. Managers should ensure that they register new staff and de-register staff when they start or leave.

2.2. Password access breaches or failures should be reported to the IT Help Desk as soon as possible.

3. User Responsibility

3.1. Users are responsible for keeping their own password secure and for changing it at regular intervals or when prompted to do so. Passwords should never be shared or given to someone else and should be changed if it is thought that they may have been disclosed.

3.2. Access to computer systems can be audited through a password trail. PCs or other devices that are already in use (user logged in) should not be used by other users, as any changes they make will be recorded in the audit trail under the logged in password.

3.3. Passwords should never be written down and kept in the vicinity of the computer system under any circumstances.


4. User Password Management

4.1. No individual will be given access to a PC or other device unless properly trained and made aware of their security responsibilities.

4.2. Network passwords should be changed regularly – all systems should include password ageing to force users to change their passwords regularly.

4.3. Users with authorised access to more than one system may have the same password on all systems to which they have access. Line Managers may give different access privileges on different systems depending on job requirement.

5. Incorrect Use of Passwords

5.1. Common names must not be used. Passwords must be a minimum of eight characters long; strong passwords include alpha and numeric characters, other characters, and a mix of upper and lower case. Alternatively a passphrase could be used, e.g. the first line of a poem or song.

5.2. Successive unsuccessful attempts to gain access via a password (usually three) will result in the user being “locked out” of the system and will require the action of the IT Help Desk.
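The rules in 5.1 can be turned into an automated check that a system applies when a user sets or changes a password. The following is an added example (not code from the CCG or this policy) in Python: it enforces the eight-character minimum, requires all four character classes for a conventional password, and accepts a multi-word passphrase instead. The denylist of "common names" is a constructed stand-in for whatever organisational list a real deployment would load, and treating four or more words as a passphrase is an assumption, since the procedure does not define a minimum length for one.

```python
import re
from dataclasses import dataclass, field
from typing import List, Set

MIN_LENGTH = 8                # section 5.1: minimum of eight characters
PASSPHRASE_MIN_WORDS = 4      # assumption: four or more words counts as a passphrase

# Constructed denylist standing in for the procedure's "common names";
# a real deployment would load an organisation-specific list.
COMMON_NAMES = {"password", "doncaster", "welcome", "admin", "letmein", "qwerty"}

REQUIRED_CLASSES = {"lower", "upper", "digit", "other"}


@dataclass
class PolicyResult:
    ok: bool
    reasons: List[str] = field(default_factory=list)


def character_classes(pw: str) -> Set[str]:
    """Return which of the four character classes from 5.1 appear in pw."""
    classes = set()
    if re.search(r"[a-z]", pw):
        classes.add("lower")
    if re.search(r"[A-Z]", pw):
        classes.add("upper")
    if re.search(r"[0-9]", pw):
        classes.add("digit")
    if re.search(r"[^A-Za-z0-9]", pw):
        classes.add("other")      # punctuation, symbols, spaces
    return classes


def check_password(pw: str) -> PolicyResult:
    """Apply the 5.1 rules; every violated rule is listed so the user can fix it."""
    reasons = []

    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    lowered = pw.lower()
    for name in sorted(COMMON_NAMES):
        if name in lowered:
            reasons.append(f"contains common name or word '{name}'")

    # A passphrase (several words) is accepted without the mixed-class rule.
    is_passphrase = len(pw.split()) >= PASSPHRASE_MIN_WORDS
    if not is_passphrase:
        missing = REQUIRED_CLASSES - character_classes(pw)
        if missing:
            reasons.append("missing character classes: " + ", ".join(sorted(missing)))

    return PolicyResult(ok=not reasons, reasons=reasons)


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor&3", "Password1!", "abc123", "the quick brown fox jumps"]:
        result = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if result.ok else 'rejected'} {result.reasons}")
```

The check reports every failing rule rather than stopping at the first, which is what a user-facing password change dialogue needs; a server-side implementation would run the same function before storing the new credential.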

6. Unauthorised Access via a Computer

6.1. Password control and access levels are used for all multi-user systems and network access to software applications and systems.

6.2. An audit log file of unsuccessful log-ins to systems is kept and reported to the appropriate password manager. A full record of all updates to the data is kept via the journal security backups.
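Sections 5.2 and 6.2 together describe a lockout after successive failed attempts (usually three) and an audit log of unsuccessful log-ins that is reported to the password manager. The following is an added example (not code from the CCG or this policy) in Python that processes such a log: it tracks consecutive failures per account, marks the account locked at the third failure, records any attempts made while locked, and produces the summary a password manager would review. The log line format and the sample lines are constructed for this example and are not the CCG's real audit format.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LOCKOUT_THRESHOLD = 3   # section 5.2: "usually three" unsuccessful attempts

# Constructed sample audit lines in an assumed format (not the CCG's real log format).
SAMPLE_LOG = """\
2020-09-16T08:01:12 LOGIN_FAIL user=jsmith src=10.0.0.5
2020-09-16T08:01:30 LOGIN_OK   user=jsmith src=10.0.0.5
2020-09-16T08:02:01 LOGIN_FAIL user=akhan  src=10.0.0.9
2020-09-16T08:02:07 LOGIN_FAIL user=akhan  src=10.0.0.9
2020-09-16T08:02:15 LOGIN_FAIL user=akhan  src=10.0.0.9
2020-09-16T08:02:22 LOGIN_FAIL user=akhan  src=10.0.0.9
2020-09-16T08:05:40 LOGIN_FAIL user=bpatel src=10.0.0.12
2020-09-16T08:06:00 LOGIN_OK   user=bpatel src=10.0.0.12
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>LOGIN_FAIL|LOGIN_OK)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


@dataclass
class AccountState:
    consecutive_failures: int = 0
    total_failures: int = 0
    locked_at: Optional[str] = None   # timestamp of the failure that triggered lockout


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one audit line into its fields; unparseable lines return None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def process_log(text: str) -> Tuple[Dict[str, AccountState], List[Dict[str, str]]]:
    """Replay the audit log, applying the lockout rule to each account in order."""
    states: Dict[str, AccountState] = defaultdict(AccountState)
    rejected: List[Dict[str, str]] = []   # attempts made while the account was locked
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        st = states[rec["user"]]
        if st.locked_at is not None:
            # Locked accounts stay locked: per 5.2 only the IT Help Desk releases them.
            rejected.append(rec)
            continue
        if rec["event"] == "LOGIN_FAIL":
            st.consecutive_failures += 1
            st.total_failures += 1
            if st.consecutive_failures >= LOCKOUT_THRESHOLD:
                st.locked_at = rec["ts"]
        else:
            st.consecutive_failures = 0   # a successful login resets the counter
    return states, rejected


def locked_accounts(states: Dict[str, AccountState]) -> List[str]:
    return sorted(u for u, s in states.items() if s.locked_at is not None)


def report(states: Dict[str, AccountState]) -> Dict[str, Dict[str, object]]:
    """Summary of accounts with unsuccessful log-ins, for the password manager (6.2)."""
    return {
        u: {"total_failures": s.total_failures, "locked_at": s.locked_at}
        for u, s in states.items()
        if s.total_failures
    }


if __name__ == "__main__":
    states, rejected = process_log(SAMPLE_LOG)
    print("locked:", locked_accounts(states))
    print("rejected while locked:", [(r["ts"], r["user"]) for r in rejected])
    for user, summary in report(states).items():
        print(user, summary)
```

Replaying the log in order matters: the fourth failure for the locked account is recorded as a rejected attempt rather than counted again, so the report distinguishes the failures that caused the lockout from activity against an already-locked account, which is the pattern an auditor would want highlighted.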

7. New Systems – Access Controls

7.1. Anyone responsible for developments which utilise Information Technology should ensure that full consideration is given at the planning stage to the management of access to the system most particularly when third parties are also involved.

7.2. Any business plan or specification should clearly outline the arrangements for access, the controls in place and the responsibilities of the parties involved.

7.3. CCG staff setting up any system to record or store person identifiable data must refer to the guidance in the Code of Confidentiality and the procedure for registering and authorising computerised databases for the storing and processing of personal data and obtain the agreement of the CG.


INTERNET, EMAIL and SOCIAL MEDIA PROCEDURE


J - INTERNET, EMAIL, MS TEAMS and SOCIAL NETWORKING PROCEDURE

1. Introduction

1.1. The purpose of this procedure is to provide guidance to staff in relation to the correct and safe use of the organisation’s internet and email access during working time and social networking sites at all times.

1.2. The aims of this procedure are:

To ensure that all staff utilise the internet and email for the benefit of the organisation.

To ensure that all staff are aware of their responsibilities whilst using social networking sites.

To ensure that staff and managers are fully aware of their responsibilities for access to all systems.

1.3. This procedure applies to any member of staff employed by NHS Doncaster CCG and any contractor, visitor, work experience / placement student, agency or other individual or organisation provided with access to information systems as described within this procedure.

1.4. The procedure applies to NHS email accounts used for business and personal use on CCG and non-CCG premises including from home, internet cafes and via portable media such as iPads and smartphones.

1.5. Email should be treated with the same level of attention that is given to drafting and managing letters or other forms of communication. (See Appendix J3 for best practice).

1.6. NHSmail is a secure system operated for the NHS which is approved for the sending of patient level data. It is Government accredited to restricted status and approved for exchanging clinical information with other NHSmail and Government Secure Intranet users (See Appendix J3 for a list of approved domains). Due to the GSi domains all being replaced by March 2019, the CCG recommends that all emails sent to non-NHSmail addresses are sent using encrypted messaging.

1.7. The NHSmail encryption feature allows users to exchange information securely with users of non-accredited or non-secure email services. Once a message is sent from NHSmail it is encrypted and protected with a digital signature to assure the recipient that the message is authentic and has not been forged or tampered with. Formatting of the message is preserved and attachments can be included. (See Appendix J2 – Encrypted Messages Procedure).


2. Access to the Internet and Email

2.1. Access to the internet and email is provided to staff within the CCG subject to the approval of their line manager and on completion of the appropriate documentation (see appendix J1). All staff with access are expected to use the internet and email services responsibly.

2.2. The CCG reserves the right to restrict access to certain internet sites. The CCG has adopted software to limit access to certain websites. When the site is blocked, the user will have access to an automated email system to request access for work purposes from the Head of Corporate Governance.

2.3. Access is granted only in accordance with this policy. Any member of staff or an agent of the CCG who may be discovered to be misusing the Internet and/or email facilities may be subject to disciplinary action and/or investigation by the Counter Fraud Specialist.

2.4. The Internet and email facilities are provided for approved business use. Any private use of the internet facilities should be kept to a minimum and specifically only used during recognised break periods such as lunchtime. CCG email addresses are not to be used for private business purposes as this implies the CCG has authorised the content.

2.5. In the event of suspected misuse of the Internet and email facilities the CCG reserves the right to monitor, intercept, filter or screen any material accessed that it considers inappropriate.

2.6. If you are creating or adding to a web based site, ensure you avoid the creation or transmission of material that is designed or likely to cause annoyance, inconvenience or needless anxiety, or may infringe the copyright of another person.

2.7. On no account should the CCG internet and email facilities be used for the accessing and/or transmission of language and/or images that may cause offence. Staff are prohibited from sending or forwarding any derogatory remarks about any person or organisation by organisational email. Report any potentially defamatory material to your line manager so that steps can be taken to remove the material permanently.

2.8. Access for private use is strictly limited and the access of inappropriate or pornographic images may result in disciplinary action. Additionally, the accessing of pornographic material may result in a criminal offence and the CCG would seek Police involvement.

2.9. Remarks sent by e-mail can sometimes unwittingly cause offence and could constitute unlawful discrimination in the form of harassment. They can also lead to claims under equality legislation. Staff must not use email either internally or externally to harass anyone (known as “cyber bullying”), where content is abusive towards other individuals, even in response to abuse being directed at them. Report such instances to your line manager.


2.10. If personal data is to be downloaded from the internet for future use on your own database, the DPO for NHS Doncaster must be informed. This is to ensure that the purpose/s for which you wish to use the data are consistent with the current Data Protection Legislation notifications. If NHS Doncaster CCG breaches these requirements, it could be deemed a criminal offence and the organisation could face criminal action and prosecution.

2.11. Penalties for non-compliance may range from withdrawal of access rights to dismissal, for serious breaches of this procedure.

2.12. Monitoring

The CCG’s Information Governance Group is responsible for the monitoring of compliance following incidents recorded in the Information Governance incident log and through a monthly mobile device report.

All internet activity on CCG systems is logged automatically.

Monitoring logs are audited periodically.

Any monitoring will be carried out in accordance with legislation such as the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, the Data Protection Act, the General Data Protection Regulation, the Human Rights Act 1998 and CCG policy on monitoring and privacy.

The CCG reserves the right to retain email as required to meet its legal obligations. If there is evidence that you are not adhering to the guidelines set out in this policy, the CCG reserves the right to examine PC usage/content and to take disciplinary action, which may lead to a termination of contract and/or legal action.

There is a common misconception that email messages constitute a transitory form of communication. This misconception about how email messages can be used could result in legal action being taken against the CCG or individuals. All email messages are subject to Data Protection and Freedom of Information Legislation and can also form part of the corporate record. Staff should also be aware that email messages could be used as evidence in legal proceedings.

3. Use of Email Securely

3.1. All NHS Doncaster CCG staff are provided with an nhs.net email address which is secure within NHS Doncaster CCG, Doncaster General Practices and staff with Rotherham Doncaster and South Humber NHS Foundation Trust email accounts.

3.2. NHSmail is the secure email service approved by the Department of Health and Social Care for sharing patient identifiable and sensitive information. NHSmail, messaging and sharing can be accessed by any organisation commissioned to deliver NHS healthcare or related activities.


3.3. NHSmail meets a set of information security controls that offer an appropriate level of protection against loss or inappropriate access. Emails sent to and from health and social care organisations must meet the secure email standard (DCB1596). NHSmail is operated and used in accordance with a set of clear policies and procedures, with detailed information on its use: https://digital.nhs.uk/services/nhsmail.

3.4. Some members of staff have NHSmail (.nhs.net) email addresses which are secure to any other NHSmail e-mail address. However, the use of encrypted attachments is prohibited within NHSmail; this is because emails sent are automatically encrypted and comply with the government secure email standard.

3.5. NHS Doncaster CCG’s e-mail system complies with the Data Security requirements for NHS Digital. Its security credentials are recognised by specialist security organisations including Government Communications Headquarters, the Police and the Ministry of Defence. It is protected by up-to-date anti-virus and anti-spam software.

3.6. Email communication sent from the Organisation email service to any non-NHSmail or non-GSi email account is insecure. Unencrypted person-identifiable and / or sensitive information must never be sent outside the NHS or .GSi public sector network, either automatically or as a result of re-direction or directly. To do so is in direct contravention of NHS and Government data security requirements, and has been a prohibited practice since February 2008. Email auto-forwarding is therefore prohibited by Information Governance rules. Encrypting Messages procedures can be found in Appendix J2.

3.7. Generic mailboxes should be used where a group of people are responsible for the same area of work, to ensure that queries are answered quickly when members of the team are away from the office. Requests for the setting up of generic mailboxes must come from the Senior Manager and be approved by the Head of Corporate Governance / Caldicott Guardian. Access to the generic mailbox will be set up for the designated owner and it is this person’s responsibility to manage and delegate access for other staff members.

3.8. NHSmail may be used outside the NHS network on any computer with an internet connection. However the user is personally responsible for the information security and confidentiality of e-mail in their account and must observe the following conditions when accessing NHSmail at home or other remote locations outside the NHS:-

Log in at the NHSmail website: www.nhs.net

Always select the "public or shared computer" option

Do not save confidential information on a non-Organisation device

Only print confidential information when you are certain that you will always collect the printouts immediately and secure them

Ensure that you are not overlooked by family members and other third parties

Do not record your password on a non-Organisation device

Passwords must be memorised, not written down

Log out of the NHSmail application when not in use

Do not leave the NHSmail application logged in when unattended

Maintain an awareness of relevant Organisation policies and procedures and observe these at all times

3.9. By design NHSmail can be accessed on almost any internet enabled device. For devices with email capability the user can synchronise their NHSmail account to them. However, staff must ensure that any device used to access NHSmail has the required level of encryption. A full list of approved devices is available on the NHSmail portal. NHSmail will enforce the PIN lock option on a device to ensure the user has to enter their correct code to unlock the device.

3.10. The CCG will review quarterly to check which devices are synchronised to NHSmail accounts to ensure the policy is being followed.

3.11. NHSmail has the functionality to remotely wipe the device if a device is lost or stolen. The user can use this functionality to remote wipe the device from the NHSmail web portal. Users should be aware that this would also delete all apps and data that are stored on the device. Alternatively the user can request this action to be completed via the IT service desk. The CCG has no liability for any loss of personal data held on the mobile device.

3.12. Organisations will use domains such as gov.uk. This new domain will ensure the security of government emails and allow departments and local authorities to have more control over commercial aspects. Email security is built into the messaging services allowing for a more efficient way for achieving security levels.

NHS staff must only use an NHSmail account (.nhs.net) to send and receive patient data to and from Local Authority staff.

3.13. NHSmail accounts stay with the person, so if you move organisations the NHSmail account is kept. When moving your NHSmail account between health and care organisations, it is your responsibility to ensure any data relating to your role is archived appropriately and is not transferred to your new employing organisation in error. Guidance is available in the Leavers and Joiners section in the NHSmail support pages. Contact the CCG’s Corporate Governance Manager to obtain the local leavers checklist.

Locally archive any role related data/emails. Ensure that job-related information that is not stored elsewhere is passed on.

Remove any personal emails you wish to keep

Put an Out of Office message on with onward contact details or your replacement contact details if required.


3.14. CCG access to individuals’ mailboxes

a) There may be occasions when it is necessary to access email messages from an individual's mailbox when a person is away from the office for an extended period, for example holiday or sickness. Whilst users are entitled to expect a level of privacy in relation to their e-mail correspondence they must understand that this will not be an absolute right and that the needs of the organisation may override it in certain circumstances. The reasons for accessing an individual's mailbox are to action:

Subject access request under the Data Protection Act 2018 (incorporating the requirements of the General Data Protection Regulation)

Freedom of Information Request

Evidence in legal proceedings

Evidence in a criminal investigation

Line of business enquiry

Evidence in support of disciplinary action

b) Where it is not possible to ask permission from the member of staff whose mailbox needs to be accessed, the procedure for gaining access to their mailbox is:

Gain authorisation from the SIRO, Caldicott Guardian or Head of Corporate Governance.

Submit a request to IT Service Desk.

A record will be made of the reasons for accessing the mailbox together with the names of the people who have been given access. This will be recorded in the Information Governance Incident Report by the Corporate Governance Manager.

Inform the person whose mailbox was accessed at the earliest opportunity.

3.15. Personal Use

3.15.1. Although the CCG’s email system is meant for business use, the CCG allows the reasonable use of email for personal use if certain guidelines are adhered to:

• Personal use of email must not interfere with work.

• Personal emails must also adhere to the guidelines in this policy, must not breach any of the CCG’s Policies or Procedures and must not be used for personal adverts or personal gain.

• Personal e-mails must not be sent to Organisation wide distribution lists.

• Personal emails should be kept in a separate folder, named ‘Private’. The emails in this folder should be deleted weekly so as not to clog up the system.

• The forwarding of chain letters, junk mail, jokes and executables (programs) is strictly forbidden.

• Employees should not expect any email message composed, received or sent using Doncaster CCG’s email system to be for private viewing only.

If in doubt about the appropriateness of an email, ask permission from your line manager.

3.15.2 Accessing personal email accounts using NHS devices is allowed if:

• Personal use of email must not interfere with work

• Do not open emails that could contain viruses

3.15.3 The CCG will not be liable for any financial or material loss to an individual when using email for personal use or when using personal equipment to access work email.

3.16. Monitoring

All email used on local NHS systems is monitored for viruses, malware and spam.

All email (incoming and outgoing) on local NHS systems is logged automatically.

Monitoring logs are audited periodically.

The use of email is not private. The content of email is not routinely monitored but the CCG reserves the right to access, read, print or delete emails at any time.

Any monitoring or interception of communications will be carried out in accordance with legislation such as the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, the Data Protection Act, the General Data Protection Regulation, the Human Rights Act 1998 and specific procedures around monitoring and privacy.

4. Use of MS Teams

4.1. A national roll-out of Microsoft Teams software, a workplace collaboration platform that forms part of the Office365 suite, was accelerated by NHS Digital (NHSD) to help NHS organisations better communicate and collaborate around their responses to Covid-19, and support safe, remote working. Microsoft Teams enables users to send instant messages, make internal calls, share, edit and collaborate on files and documents in one central, secure location.

4.2. For NHS organisations running NHSmail, all staff can be granted access to Teams, subject to local administration and configuration. NHS Digital is responsible for supporting the implementation of Microsoft Teams via its NHSmail support site.

4.3. RDASH’s Health Informatics team have been designated the Local Administrators for the CCG and Primary Care Teams configuration by NHS Digital.


4.4. Requests for Teams can only be completed by the team at RDaSH. Currently these requests are being managed via the CCG’s Director of Digital.

4.5. Each Team is set up with an Owner who can manage certain settings for the team. Owners can add and remove Team members, add guests, change team settings, and handle administrative tasks. There can be multiple owners in a team. The Owners are responsible for making sure the Teams platform is being used appropriately.

4.6. Channels can be created under Teams to support dedicated discussion topics / expertise. There are two types of Channels:

• Standard (available and visible to everyone); and

• Private (focused private conversations with a specific audience).

The CCG have set up our Teams structure to reflect our Directorates, and where required have created Channels for closer team working. There is also an organisation wide Team called DCCG - All Staff which every CCG employee has been added to as a member.

4.7. The Teams software and tools are online, and Cloud based. This capability aligns with the objectives shared in the Doncaster Place Digital Strategy and the UK Government’s ‘Cloud-First’ policy for the NHS. Any issues should be reported to the RDASH IT Servicedesk via email [email protected]

4.8. As users of the national rollout of the MS Teams platform, DCCG colleagues will be creating, storing and sending data via the NHSD managed NHSmail and O365 services (including Teams, SharePoint and OneDrive).

4.9. Microsoft Teams can be accessed from work devices via the Teams Application:

4.10. Teams can also be accessed from personal devices such as PCs, Macs and modern smartphones:

4.11. It is safe and acceptable for staff to access Teams via their personal device and instructions can be found via the Teams FAQs on the Intranet.

4.12. Colleagues will always be prompted to log in to Teams using their secure NHSMail username and password, and are expected to take care when using the application via their personal device (it is best practice to not stay logged into Teams on a personal device).

4.13. Teams offers a wide range of functionality that is beneficial but can pose a risk to the security of data we protect. Therefore you must adhere to the following:

a) Patient identifiable information can be securely stored on the platform but best practice is for PCD to be entered into the relevant clinical systems:

Only send PCD via instant message where absolutely necessary, consider using NHSMail to NHSMail accounts as an alternative where possible

If it is essential to send PCD via Teams, then it must only be sent in an encrypted and password protected attachment from a Trust device. For guidance go here

However, PCD can be safely verbally disclosed during video and voice conferences, but PCD should not be openly used if the Teams meeting is being recorded.

(PCD Definition: see Appendix J4).

b) If you choose to access Teams on personal devices then ensure the device meets the following criteria:

Device is encrypted

Device is fully security updated (Patched)

Device requires authentication (i.e. six-digit PIN, complex password, fingerprint, FaceID)

Device locks after a maximum five minutes of inactivity

Device is not Jailbroken / Rooted

Device features a manufacturer supported Operating System (still receives security updates).

c) Do not extract or store PCD from Teams on non-Trust personal or other electronic storage devices:

Do not Copy / Paste from Teams to any other application or the device

Do not extract files or messages to any other application

Do not attach files from Teams to any other application

Do not install additional Add-ons or Apps to Teams.

4.14. Monitoring / Security

NHSX & NHSD have confirmed that Office 365 (including Teams) is a secure and safe communications platform for NHS organisations to use. This national NHS version of Microsoft Teams is protected and tracked by NHSD within the NHS Secure Boundary.

NHSD guidance states as part of the national rollout of Teams, they have only enabled access to applications where data held on the application is encrypted and resides on UK shores. This fully complies with UK and EU data protection and security standards.

5. Social Networking Sites

5.1. Access to social networking sites via the CCG’s IT system for personal use may only be made during non-working time, e.g. before commencing work, during lunchtimes or after work.

5.2. The CCG recognises that social networking sites are increasingly useful communication tools and acknowledges the right of staff to freedom of expression. However, staff must be aware of the potential legal implications of material which could be considered confidential, abusive or defamatory.

5.3. Staff should be aware that the CCG reserves the right to use legitimate means to scan the web, including social networking sites, for content that it finds inappropriate.

5.4. The CCG may take disciplinary action, if necessary, against any employee who brings the organisation into disrepute by inappropriate disclosures on social networking sites or personal internet sites.

5.5. Do not upload or post any image of yourself or others in your work environment which could breach the CCG’s Confidentiality Code of Conduct and current Data Protection Legislation Procedure.

6. Security Issues

6.1. Staff must be aware of the increased risk of confidential information being redirected via email and thus should consider the use of a different medium in certain cases.

6.2. The threat from viruses and security breaches from the use of the internet is very real. Users must be aware that information and programs downloaded from the internet may contain hidden code capable of destroying data and interfering with the network. Downloading from the internet should only be undertaken from ‘trusted’ sites. If unsure, check with the IT Helpdesk.

6.3. Information relating to individuals and third party contracts is confidential and must be protected and safeguarded from unauthorised access and disclosure. Where appropriate, sensitive or confidential information should always be transmitted in encrypted form and/or password protected.

6.4. The CCG reserves the right to monitor internet and e-mail usage in accordance with, and subject to any changes of, legislation and/or Codes of Practice. Staff should be aware that random checks of sites accessed from any workstation could be made at any time.

6.5. Social networking sites and blogging provide an easy means for information to leak from an organisation, either maliciously or otherwise. Once loaded to a site, the information enters the public domain and may be processed and stored anywhere globally. Reputational damage can occur.

6.6. Information obtained from the internet may not be accurate. It is the responsibility of the user to check the accuracy, adequacy or completeness of any such information and to be aware of copyright issues in accordance with the permission granted by the publisher.

6.7. Security of private passwords submitted via internet sites and during purchases cannot be guaranteed. Members of staff are allowed to access their personal banking or internet shopping sites over the CCG IT network during scheduled break times (not in working time), but it is at their own risk, security of submitted data cannot be guaranteed, and it is not recommended.

7. Reporting of Adverse Incidents

7.1. In the event of a breach of any of the above conditions, whether deliberate or accidental, the individual discovering such a breach MUST report the incident to the Head of Corporate Governance.

7.2. In the event of a serious breach the Head of Corporate Governance will make the decision as to whether the incident warrants informing the line manager of the individual, the Local Counter Fraud Specialist, external reporting requirements and, if the incident involved patient identifiable information, the CG. The CG is responsible for ensuring that information sharing protocols have been established which govern the use of patient-identifiable information. They also ensure that security policies are in place to prevent inappropriate disclosures of information and that staff are aware of their responsibilities.


Appendix J1 – Internet, Email and Social Networking Procedure

NHS DONCASTER CCG INTERNET, E-MAIL AND SOCIAL NETWORKING ACCESS ACCEPTABLE USE STATEMENT

I, the undersigned, have read, understood and agree to comply with NHS Doncaster CCG’s “Internet, Email and Social Networking Procedure” and accept that any breach of this procedure may lead to a disciplinary offence and/or a criminal conviction.

Access Principles:

i) I will not knowingly access internet, email or social networking sites containing material described in Section 2 of this procedure.

ii) I will only access the internet, email or social networking sites for personal use before or after work, or at lunchtimes. I understand that if I choose to submit my personal data over the internet (for example for internet banking or internet shopping purposes), the security of my information cannot be guaranteed, such submission is not recommended by NHS Doncaster CCG, and no liability attaches to NHS Doncaster CCG or its commissioned IT service should my information submitted in this way not be secured.

iii) I will not download files from the internet or emails unless I am confident that the sites are ‘trusted’. If in doubt I will contact the IT Helpdesk for advice.

iv) I will not bring the organisation into disrepute through inappropriate disclosures on social networking sites.

Employee’s Name:

Job Title:

Directorate/Department:

Location:

Contact Number:

Signature:

Date:

Return form to: Corporate Services Team, Sovereign House


Appendix J2 – Encrypting Messages Procedure

1. Encrypting Messages

NHSmail provides an encryption tool which enables information to be shared securely.

When to use the NHSmail encryption feature

NHSmail users can exchange sensitive information securely with other NHSmail users, without needing to use the encryption feature. For example, sending from @nhs.net to @nhs.net.

If you are sending sensitive information outside of NHSmail, then the encryption feature should be used. The only exception is when sending to emails ending in *secure.nhs.uk

If there is doubt or uncertainty, you should use the NHSmail encryption feature. NHSmail will then encrypt the email only if the destination domain is not secure. If sending an email to multiple organisations with some secure and some insecure domains, those that are secure will receive an unencrypted email and those that are not secure will receive an encrypted email.

How to send an encrypted message

Before sending patient or sensitive data via the encryption service, it is good practice to set up the ‘encrypted channel’ which helps verify the correct recipient:

1. Send the recipient the accessing encrypted emails guide for non-NHSmail users, so they can register for the service.

2. Once the recipient of the information has registered for the encryption service and confirmed to the sender this is complete, patient and sensitive data can be sent within an email or as an attachment, subject to local governance policies.

3. Follow the steps below to send an initial encrypted email but do not include patient or sensitive information the first time. This is to ‘set-up’ the secure channel of communication and ensure the correct recipient has successfully received the email. If it is an incorrect recipient, data has not been compromised.

To send an encrypted email:

4. Log in to your NHSmail account (either via an email client such as Outlook or via the web portal at www.nhs.net).

5. Create a new email message in the normal way.

6. Ensure the recipient’s email address is correct.


7. In the subject field of the email, enter the text [secure] before the subject of the message. The word secure must be surrounded by the square brackets for the message to be encrypted. If square brackets aren’t used, the content of the email will be sent in plain text and may potentially be exposed to interception or amendment.

8. Type the message.

9. Click on send to send the message. An unencrypted copy will be saved in your sent items folder.

Once the initial registration process has taken place, you can then send other emails with required attachments.

The service will then encrypt the message and deliver it to the intended recipient. The sent item will be stored unencrypted in your sent items folder, and any replies received will be decrypted and displayed as normal in NHSmail.

Note: [secure] is not case sensitive and [SECURE] or [Secure], for example, could also be used.
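The destination and subject-line rules above (no tag needed between @nhs.net accounts or to *secure.nhs.uk, a case-insensitive [secure] prefix for everything else, and a tagged set-up message before sensitive data goes to a new external recipient) can be turned into a pre-send check. The following is an added example written for this page; it is not NHSmail's own code and not part of the CCG procedure. The `registered_external` record, the `Verdict` structure and the label-boundary matching of the secure.nhs.uk suffix are assumptions of the example.

```python
"""Pre-send check modelled on the Appendix J2 rules (constructed example).

Rules taken from the procedure text:
  * @nhs.net to @nhs.net, or to an address ending secure.nhs.uk, needs no tag.
  * Any other destination carrying sensitive data needs [secure] at the
    start of the subject; the tag is not case sensitive.
  * With the tag present, secure destinations still receive plain text and
    only insecure destinations receive an encrypted message.
  * Sensitive data goes to a new external recipient only after a tagged
    set-up message has confirmed the right person received it.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

SECURE_DOMAIN = "nhs.net"          # NHSmail itself
SECURE_SUFFIX = "secure.nhs.uk"    # the procedure's "*secure.nhs.uk" exception

# [secure] immediately before the subject text, in any letter case.
SECURE_TAG = re.compile(r"^\s*\[secure\]", re.IGNORECASE)


def recipient_domain(address: str) -> str:
    """Lower-cased domain part of an address, or '' when there is no '@'."""
    _, at, domain = address.strip().rpartition("@")
    return domain.lower() if at else ""


def is_secure_destination(address: str) -> bool:
    """True for @nhs.net and for secure.nhs.uk or any subdomain of it.

    Assumption: the procedure writes the exception as '*secure.nhs.uk'.
    Matching on a label boundary rather than a raw string suffix stops an
    unrelated domain such as insecure.nhs.uk from being treated as secure.
    """
    domain = recipient_domain(address)
    return (domain == SECURE_DOMAIN
            or domain == SECURE_SUFFIX
            or domain.endswith("." + SECURE_SUFFIX))


def has_secure_tag(subject: str) -> bool:
    """True when the subject starts with [secure], [SECURE], [Secure], etc."""
    return SECURE_TAG.match(subject) is not None


@dataclass
class Verdict:
    outcome: str                                   # "send" or "hold"
    recipients: Dict[str, str] = field(default_factory=dict)
    reasons: List[str] = field(default_factory=list)


def check_outbound(recipients: Iterable[str], subject: str,
                   contains_sensitive: bool,
                   registered_external: Set[str]) -> Verdict:
    """Decide, per recipient, how the message would leave NHSmail.

    registered_external is a constructed local record (lower-cased addresses)
    of external recipients who have registered for the encryption service and
    received the tagged set-up message, i.e. step 3 of the procedure.
    """
    verdict = Verdict(outcome="send")
    tagged = has_secure_tag(subject)
    for addr in recipients:
        key = addr.strip().lower()
        if is_secure_destination(key):
            # Inside the secure boundary: delivered in clear even when tagged.
            verdict.recipients[addr] = "plain (secure destination)"
        elif tagged and (not contains_sensitive or key in registered_external):
            verdict.recipients[addr] = "encrypted"
        elif tagged:
            # Tagged and sensitive, but the channel has not been proven yet.
            verdict.recipients[addr] = "encrypted (channel not yet set up)"
            verdict.outcome = "hold"
            verdict.reasons.append(
                f"{addr}: send a tagged message without sensitive content first")
        elif contains_sensitive:
            # The failure mode the procedure warns about: no brackets, plain text.
            verdict.recipients[addr] = "UNPROTECTED"
            verdict.outcome = "hold"
            verdict.reasons.append(
                f"{addr}: external destination, sensitive content, no [secure] tag")
        else:
            verdict.recipients[addr] = "plain (external, non-sensitive)"
    return verdict


if __name__ == "__main__":
    # Constructed sample: one internal and one external recipient, tagged subject.
    sample = check_outbound(["clinician@nhs.net", "social.worker@example.org"],
                            "[Secure] CHC assessment", True,
                            {"social.worker@example.org"})
    print(sample.outcome, sample.recipients, sample.reasons)
```

The check holds a message in exactly the two cases the procedure describes as risky: sensitive content to an external address without the bracketed tag, and sensitive content to an external recipient whose encrypted channel has not yet been confirmed by a harmless first message. A mixed recipient list is reported per address, mirroring the statement that secure domains receive the email unencrypted while the others receive it encrypted.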

2. Accessing Encrypted Emails

The guidance for recipients of encrypted emails sent from an NHSmail account, which covers:

Opening a message from NHSmail

Reading encrypted emails

Sending an encrypted reply

can be accessed using the link below:

https://s3-eu-west-1.amazonaws.com/comms-mat/Comms-Archive/Accessing+Encrypted+Emails+Guide.pdf


Appendix J3 – Email Best Practice

Introduction

The CCG considers email as an important means of communication and recognises the importance of proper email content and speedy replies in conveying a professional image and delivering good customer service.

Poorly used email is a significant source of problems for staff. The aim of issuing guidance on email is to improve the use of email as part of the way that people communicate.

The guidance provides best practice of using email and sets out expectations about how email should be used for good communication.

Email is a tremendously effective way of sharing information and managing work across organisations. However, email is only as good as the practical way in which people use it. Badly used, it can clog up people's time and systems.

Think clearly about why you are sending the email and what you are asking people to do.

The email guidance is set out under nine headings:

1. Reducing the number of emails in circulation

2. Sending emails to the right people

3. Making email content and action clear

4. Using email to send documents

5. Forwarding and replying to emails

6. Managing your own emails

7. Email writing style

8. Legal issues

9. Security issues

1. Reducing the number of emails in circulation

Do you want to reduce the number of emails you get? A good start is to reduce the number you send.

Think before you send an email. Is it the best way to communicate? Would it be easier to phone or meet in person?

Think about putting up information on the CCG intranet pages or via the GP bulletin or using the staff meetings.

Think before replying to or forwarding an email. Do you really need to reply at all or send it on?

If you find yourself getting into a repetitive email dialogue, consider two things: cut out copy recipients, and try speaking in person instead.


Make sure that people copied in actually need to know what is being sent. Email makes copying messages too easy: don't copy people in "just in case".

When replying, don't send a "reply to all" unless it is necessary for all copy recipients to know your response.

Unless the email asks for an acknowledgement, don't send one.

2. Sending emails to the right people

Distribution lists provide useful groupings to target messages to the right groups of people. But don't misuse mailing groups by emailing with a 'scattergun' approach.

Access to distribution lists such as “all CCG staff” is restricted where possible to specific post holders. This facility must be used with due care and consideration.

Do not use distribution lists to send Personal Identifiable Information. Addressing recipients individually ensures that the correct recipients are selected and that you are able to confirm any necessary security is added to the email before sending to non-NHSmail users.

Check with the recipient that you have the correct address before sending.

There are routes for getting messages to all staff, through the communications lead, CCG Intranet pages or staff meetings, so ensure you use the best method to communicate to staff.

3. Making email content and action clear

Make clear in the body of the text to whom the email is being sent and to whom it is being copied, especially if it is sent to people because of their role or their involvement in a group. (This is because a) it is not always clear from email addresses which people are being sent the email, and b) when emails are forwarded or copied, the email address lists don't always get included.)

The expectation is that emails are being sent "to" people who must take some sort of action. The "cc" is for people who need to know about this. Anyone else shouldn't be included.

Make clear whether the email is sent for action or information and what the recipient is being asked to do and by when.

Make clear in the subject title of the email exactly what the subject is. Avoid multiple topics in the body of the message that don't match the title.

If you really need to know an email has been received and read, ask for confirmation.

The CCG expects contact details to be given at the base of the email so people are clear who you are and can contact you, other than by email. These contact details should include job title and phone number.

4. Using email to send documents

Think about using the web as an alternative to mount the document for access, or set up file-sharing methods. Contact local IT Service Desk for more advice on this.

Think before you send something short as an attachment. It may be more effective to put the content in the email itself so that recipients can read it easily.


If you have to send attachments, identify as clearly as possible what attachments are being sent.

NHSmail has a size limit of 35MB for sending and receiving attachments.

Always check that any attachments that contain patient identifiable information are sent securely.

If you need a reply to your email by a particular date let the recipient know this and allow a reasonable timescale.

Only mark emails as urgent or of high importance if they really are urgent or important.

5. Forwarding and replying to emails

Think before you forward emails that you have received. They may contain information that is confidential or expressly for you only.

When replying to emails, think before amending or editing text that you have been sent. It may be that quoting only part of the message is sensible. It may be easier for others reading the thread to see the full flow of the message exchanges.

When replying to an email seeking to set up a meeting, don't use 'reply to all': copy recipients don't need to know the intimate state of your diary.

When replying to email, try to scan the reply to eliminate unneeded text such as repeat addresses. Include your signature immediately below the text you are writing.

When forwarding or replying to emails, follow the same rules as you would for initiating an email, e.g. make clear to whom you are sending it and what action is needed. Also make sure the subject is the appropriate one.

6. Managing your own emails

NHSmail has a size limit of 4GB for general users which requires users to manage their mail accounts.

Do not use the NHSmail system as a file storage area. Attachments should be saved if necessary to the correct area on the file system provided by the CCG.

Delete emails or move them to folders as soon as you have read them. If you can't, mark them as important to return to later.

Email should be archived on a regular basis after which non-essential email should be removed from the Inbox, Sent Items and Deleted Items folders. Information on archiving is available in Appendix J4.

When you are on leave or unable to read email, set-up an auto-reply message. That information should make clear who can be contacted in your absence.

7. Email writing style

Refer to the NHS Doncaster CCG Corporate Imaging Styles.

Keep messages short and to the point. Keep paragraphs and sentences short: they are easier to read.

Signatures must include name, job title, department, full telephone number, and e-mail address.

Use the spell checker before you send out an email.


Do not send unnecessary attachments.

Avoid using UPPER CASE, as it looks as if you are SHOUTING. Asterisks around a word are an *easy* way to add emphasis, if needed. Capitals could be used in exceptional circumstances where it is the only reasonable way of commenting on an email point by point.

Once drafted, it's a good idea to re-read your email before you press 'send'.

8. Legal issues and email

Note that emails sent from a CCG staff email address carry the same authority as letters sent on the CCG letter-headed paper.

Laws relating to written communications apply to email messages. Email should not be used for frivolous, abusive or defamatory purposes: emails are actionable within the laws of defamation. Emails can constitute harassment and be used as evidence of such. Where the CCG detects abuse or inappropriate use it will take action to address it.

9. Security issues

Unless using encryption techniques, all email is insecure when sent to non-NHSmail accounts. Anything you record in an email may be read by others. Take great care when considering sending out personal, confidential or sensitive information by email.

Unless you are certain about the authenticity of an email, do not act on its content as it could contain a virus or be fraudulent.

Never disclose confidential information - such as passwords - in response to an email message.

If you suspect you received a virus by email, do not switch off your PC and telephone the IT Service Desk immediately.

Note 1: Email sent to the legacy secure government domains listed below will automatically be sent securely and directly to the recipient’s email system:

*.gcsx.gov.uk for local government

*.gsi.gov.uk and *.gsx.gov.uk for central government

*.cjsm.net and *.pnn.police.uk for Police/Criminal Justice

*.mod.uk for Ministry of Defence

Note that the legacy local and central government email domains (gcsx.gov.uk, gsi.gov.uk and gsx.gov.uk) stopped being used and were switched off completely in March 2019, as all local and central government organisations migrated to .gov.uk email addresses for all email communication on adopting the government secure email standard.


Appendix J4 – Personal Confidential Data (PCD)

1. Definitions

1.1. PCD is legally defined in the EU General Data Protection Regulation and the UK Data Protection Act 2018. The two together form the basis for our Data Protection legislation (DPL). Under the DPL there are two distinct areas, defined as Personal Data and as Sensitive Personal Data. Both make up that which is defined as Personal Confidential Data.

1.1.1. Personal Data

Personal Data is classed as any information relating to an identified or identifiable natural person. This is supported in detail by reference to a series of identifiers, including name, online identifiers (such as an IP address) and location data.

1.1.2. Sensitive Personal Data

The GDPR singles out some types of personal data as likely to be more sensitive, and gives them extra protection:

personal data revealing racial or ethnic origin;

personal data revealing political opinions;

personal data revealing religious or philosophical beliefs;

personal data revealing trade union membership;

genetic data;

biometric data (where used for identification purposes);

data concerning health;

data concerning a person’s sex life; and

data concerning a person’s sexual orientation.

These are also referred to as ‘special category data’.

1.2. Both Personal Data and Sensitive Personal Data are components of PCD. The definition of PCD also reflects the NHS Common Law Code of Confidentiality and the Caldicott Principles.

1.3. Links covering the above can be found here:

Guide to the general data protection regulation: What is personal data

What is special category data

Understanding the national data opt-out: Confidential patient information

Caldicott2 Principles


1.4. Sharing Data for use in Teams

There are ways in which PCD can be shared for use in Teams.

1.4.1. The easiest is by using video or voice conferencing, although in all cases the conference call cannot be recorded, as this would breach confidentiality. Where the patient is known and the records are held by all the members of, say, a CHC assessment, it would be appropriate to use a pseudonymised identifier together with any of age, gender and initials. The NHS Number would not be appropriate as it is an extremely weak pseudonymiser. Date of birth and names would not be appropriate as they are too specific an identifier.

1.4.2. If both parties have access to NHSmail accounts, this would be a secure method of sharing information with the other Teams contributors and again, use of video and voice conferencing would enable collaboration. The mail solution is secure and transfer of PCD would be appropriate.

1.4.3. If neither of these approaches is available and it is important to distribute the PCD by Teams, it should be transferred in encrypted format. This could mean secure password-protected files; how the encryption is carried out would probably depend on the file format. Passwords would need to be shared securely and separately from the encrypted material.


DATA PROTECTION IMPACT ASSESSMENT

PROCEDURE


Appendix K – DATA PROTECTION IMPACT ASSESSMENT PROCEDURE

1. Quick Reference Guide

1.1 This procedure explains the principles which form the basis of the current Data Protection Legislation and sets out the basic steps which all staff should understand and must follow during the initiation phase or early assessment of the development and implementation of projects at Doncaster CCG.

1.2 Data Protection Impact Assessments (DPIAs) must be seen as a separate process from compliance checking or data protection audit processes. They are also a requirement of the DSPT and will help the CCG comply with its obligations under other relevant legislation and regulations.

1.3 It is based on current legal requirements and professional best practice.

1.4 All staff, the Head of Corporate Governance, Corporate Governance Manager, DPO, SIRO, CG and IAO must ensure they are familiar with the contents of this policy, which describes the standards for conducting DPIAs.

1.5 This document should be read in conjunction with the other aspects of the IG Policy and their associated documentation as available on the Intranet and public folders.

2. Introduction

2.1 The published advancements in data protection legislation: the current Data Protection Legislation places a legal obligation on the CCG to conduct screening for all projects, including but not limited to those involving the use of information, data and technologies.

2.2 The aim of this procedure is to provide staff with information that promotes good practice and compliance with the GDPR and other statutory requirements provided by our Supervisory Authority, the ICO.

2.3 Additionally, the procedure reflects the minimum requirements under the conditions of Article 35 of the current Data Protection Legislation, which places a legal obligation on the CCG.

2.4 The CCG is committed to treating people with dignity and respect in accordance with the Equality Act 2010 and Human Rights Act 1998. Throughout the production of this policy due regard has been given to the elimination of unlawful discrimination, harassment and victimisation (as cited in the Equality Act 2010).


3. Purpose

3.1 The purpose of this procedure is to ensure that risks to the rights and privacy of individuals are minimised while allowing the aims of the project to be met whenever possible.

3.2 This procedure provides a standardised approach towards identifying, assessing and mitigating data protection and privacy risk and assists towards the delivery of compliance with legal statutory requirements.

3.3 Risks can be identified and addressed at an early stage by analysing how the proposed uses of data, technology and processes will work in practice. This analysis can be tested by consulting with the stakeholders who will be working on, or affected by, the project.

4. Background

4.1 Infringing on the freedoms and rights as well as the privacy of individuals can damage reputations, services, organisations and individuals. Because harm can present itself in different ways, demonstrable evidence that consideration has been given to the sources of data protection and privacy risks is a legal requirement.

4.2 DPIAs are widely used in the UK, especially by government departments and agencies, local authorities, NHS trusts as well as private organisations.

4.3 The Data Protection Impact Assessment (DPIA) process is the result of an extensive analysis of existing DPIA processes; essentially altering the scale, scope and complexity of the way in which DPIAs are conducted at the CCG.

5. Scope

5.1. The DPIA is an integral part of the development and implementation of projects at CCG and must be applied to all “projects”, allowing greater scope for influencing how the project will be implemented.

5.2 We recognise that a member of staff tasked with accomplishing project objectives and outcomes may not be a trained project manager, so projects may be recognised and delivered in different ways. Therefore all staff must recognise that a DPIA form and declaration must be completed and submitted to IG in the following circumstances and situations:

The use of a trial period of technology, modalities or products which use data or information

The use of charitable or free technology or products which use data or information


Publishing personal identifiable or sensitive information or data on the internet or in other publicly available media types

Procurement of technology, modalities or products which use data or information

De-commissioning or disposal of technology, modalities or products which use data or information

A change to existing processes or technology, modalities and products which will significantly amend the way data or information is handled

The implementation or development of new processes, technology, modalities or products which involve the use of data or information

Collection, retrieval, obtaining, recording or holding of new data or information.

6. Duties

6.1 The SIRO and Senior Managers must ensure that this procedure policy is adhered to by all staff within the CCG.

6.2 The “responsible project lead” must:

6.2.1 Examine the project at the earliest possible stage and make an initial assessment of data protection and privacy risks, by ensuring a DPIA form and declaration is completed and submitted to Governance by e-mail ([email protected]).

6.2.2 Accept accountability where some of the screening (Appendix K1, Section 1A and B) questions within the DPIA form apply to a project; therefore, it is likely that a full DPIA must be undertaken (Appendix K1, Section 1A, 1B and 2).

6.2.3 Recognise that, should a full DPIA be deemed necessary, there is a legal obligation at this stage for the DPO to be involved, and the current DPIA outcome must be integrated into the project plan before the project is developed and implemented.

6.2.4 Communicate with Head of Corporate Governance, DPO, Head of Information Technology, IAO and other key stakeholders with the frequency and formality that they deem necessary.

6.2.5 Manage potential sources of risk and concerns as they arise, escalating to the senior business or technical roles as required.

6.2.6 Should a full DPIA (Appendix K1, Section 1A, 1B and 2) be necessary, communicate with the Head of Corporate Governance / DPO to work towards finalising any conclusions and recommendations.

6.2.7 Where the conclusions and recommendations have been provided by the DPO and are:

Accepted: Demonstration that consideration has been given to the sources of potential risk through the completion of a DPIA outcome form. Additionally, conclusions and recommendations are integrated into the main project plan.

Not Accepted: Demonstration that consideration has been given to the sources of potential risk through formally providing the rationale of non-acceptance by the completion of a DPIA outcome form. Additionally, conclusions and recommendations are integrated into the main project plan.

6.2.8 Co-operate and provide the ICO evidence of the updated project plan and DPIA, if requested.

6.3 It is the responsibility of the IG team to:

6.3.1 Carry out an evaluation of the submitted DPIA form (Appendix K1, Section 1A and 1B) and declaration, to address the initial sources of potential risk.

6.3.2 Provide the responsible project lead with guidance, if required.

6.3.3 Provide the responsible project lead and DPO with any recommendations or conclusions that seem necessary.

6.3.4 Escalate any uncooperative actions such as not accepting the risks, not carrying out mitigating tasks etc. to the SIRO and CG.

6.4 The DPO must:

6.4.1 Carry out an evaluation of the full DPIA (Appendix K1, Section 1A, 1B and 2) to identify potential risks and sources.

6.4.2 Escalate any uncooperative actions to the SIRO and CG.

6.4.3 Provide the responsible project lead and IAO with any recommendations and conclusions that seem necessary from the evaluation.

6.4.4 Escalate unaccepted conclusions and recommendations to the ICO, IG Group and SIRO.

6.4.5 Communicate with the Governance team, Information Technology, the responsible project lead, ICO, SIRO and IAO with the frequency and formality that they deem necessary.

6.4.6 Feed back relevant communication from the ICO to the responsible project lead, IG Group and SIRO to ultimately work towards the final steps of the DPIA.

6.5 It is the responsibility of Information Technology to review the technical and security documentation for the project and provide the DPO with data and cyber security recommendation(s) and conclusion(s).


6.6 It is the responsibility of the IAO to develop and manage the standard operating procedures and data quality processes for the appropriate use of the information defined within the project.

6.7 The Human Resources Department is responsible for ensuring compliance with this policy and procedure and providing guidance and direction.

7. Key Principles (Frequently Asked Questions)

7.1 What is a DPIA?

Also known as a PIA, a DPIA is a tool to help the CCG and its staff identify and reduce or fix any data protection or privacy risks before the project outcome.

This DPIA process has been designed for use within the CCG settings and demonstrates compliance with Data Protection law.

7.2 What is the purpose of a DPIA?

An effective DPIA can reduce the risks or potential harm to individuals through scenarios such as the misuse of sensitive information or unlawful disclosure of information.

It can also help design more efficient and effective processes for handling sensitive data.

7.3 What is the basis for a DPIA?

A DPIA form (Appendix K1, Section 1A and 1B) and declaration must be undertaken for all projects which involve the use of data, technologies and processes.

This also includes a change that will significantly amend the way in which data is handled, regardless of whether a full data protection and privacy assessment was deemed to be necessary by the IG team.

7.4 What are the risks of not conducting a DPIA?

Ultimately there are financial penalties of €10 million or 2% of annual turnover (whichever is higher) with the possibility of proceedings imposed by the ICO.

7.5 Who should carry out a DPIA?

The DPIA form and declaration (Appendix K1, Section 1A and 1B) must be completed by any member of staff who is a person responsible for accomplishing project objectives and outcomes.


Should a full DPIA (Appendix K1, Section 1A, 1B and 2) be deemed as necessary it is likely that multiple staff (including the supplier), involved in delivering the project will need to contribute towards conducting the full DPIA. It is essential that the person(s) conducting the full DPIA have a clear knowledge of the project and proposed uses of information and technology.

7.6 When should a DPIA be conducted?

The DPIA form and declaration must be undertaken in the early phases of a project / system. Refer to Appendix K2 for the Stages of a DPIA.

If some of the screening questions within DPIA form apply to the system / project; it is likely that a full DPIA must be undertaken.

At this stage the DPO must be involved and the outcomes must be integrated into the project plan before the project is developed and implemented.

7.7 What is the outcome of a DPIA?

The effective outcome of a DPIA should be the minimisation of risks, demonstration that consideration has been given to the sources of potential risk, and compliance with Data Protection law.

7.8 Where can I find more information?

Useful information can be found on the Intranet. There is also publicly available information regarding DPIAs on the ICO website.

8. Training

8.1 The requirement to undertake DPIA training is included within the annual Statutory and Mandatory IG training.

8.2 Training on how to undertake a DPIA is not required. However, if additional information is required, the ICO has developed a DPIA Handbook (https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/), or if there is uncertainty please contact the IG team.

9. Additional Requirements

9.1 In order to accomplish the process the responsible project lead will require access to the DPIA form and declaration in addition to its associated documents, all of which are available from the IG Team and / or the Intranet.


Page 164 of 187

10. Compliance With This Policy

10.1 All staff are expected to apply the policy correctly. In instances where this is proven not to be the case, an investigation will be undertaken and appropriate consequences applied.

10.2 The accountability principle within Article 5(2) of the Current Data Protection Legislation requires the CCG to demonstrate compliance with the principles. Therefore the CCG has a legal obligation to implement technical and organisational measures such as DPIAs to demonstrate that data protection has been integrated into processing activities by design and by default.

10.3 Under the current Data Protection Legislation, the Cabinet Office and the DoH mandate the use of DPIAs within the DSPT.

11. Legal Considerations

11.1 The CCG regards all identifiable personal information relating to patients as confidential. The CCG will undertake or commission annual assessments and audits of its compliance with legal requirements. The CCG regards all identifiable personal information relating to staff as confidential except where national policy on accountability and openness requires otherwise.

11.2 The CCG has established and will maintain policies to ensure compliance with the Current Data Protection Legislation, Human Rights Act, the Common Law Duty of Confidence and the Confidentiality NHS Code of Practice.

11.3 The CCG has established and will maintain policies for the controlled and appropriate sharing of patient information with other agencies, taking account of relevant legislation.

11.4 Failure to comply with the data protection regulations could result in reputational damage to the CCG and may carry financial penalties imposed by the ICO, or other regulatory action.

11.5 Under the current Data Protection Legislation, there are two tiers of administrative fine that can be imposed:

11.5.1 The maximum fine for the first tier is €10,000,000 or in the case of an undertaking up to 2% of total annual global turnover (not profit) of the preceding financial year, whichever is greater.

11.5.2 The second tier maximum is €20,000,000 or in the case of an undertaking up to 4% of total annual global turnover (not profit) for the preceding financial year, whichever is greater.

11.5.3 The fines within each tier relate to specific articles within the Regulation that the organisation has breached.


Page 165 of 187

11.5.4 As a general rule, an organisation's failure to comply with the current Data Protection Legislation principles will result in a fine within tier one, while data breaches of an individual's privacy, rights and freedoms will result in a fine within tier two.

11.5.5 Failure to evidence that data protection has been integrated into processing activities by design and by default, by ensuring a DPIA has been carried out, could result in a tier one fine.

11.6 The IG legal compliance requirements are linked to the CCG's disciplinary procedures as appropriate.

11.7 Where the law is unclear, a standard may be set, as a matter of policy, which clearly satisfies the legal requirement and may exceed some interpretations of the law.

12. References

Acknowledgement: ICO Handbook on PIA, December 2015; Billie-Jo Croft (IAMC) and (IGO), NHS Doncaster CCG Data Protection Officer.

13. Review

13.1 This policy is reviewed on a triennial basis as a minimum, or more frequently as required by NHS England, DoH, NHS Digital and the ICO, to ensure the sections still comply with the current legal requirements and professional best practice and continue to provide value to the Policy.

13.2 If the users of this Policy encounter a section that is no longer required or does not hold value, she or he is encouraged to report this to IG for review.

14. Monitoring Compliance With This Document

14.1 The CCG will monitor compliance with this policy through the IG Group.

Please note that once completed, the following sections (1 to 3) should be detached from the remaining document prior to being included in the organisation's Publication Scheme.


Page 166 of 187

Data Protection Impact Assessment (full DPIA)

Please complete all questions with as much detail as possible and then contact the Corporate Governance Team ([email protected]) prior to seeking approval.

Section 1A: System / Project General Details

Project title: Click here to enter text.

Objective: Click here to enter text.

Background: Why is the new system/change in system required? Is there an approved business case?

Click here to enter text.

Relationships: For example, with other Trusts or organisations.

Click here to enter text.

Other related projects: Click here to enter text.

Project Manager: Name: Click here to enter text.

Title: Click here to enter text.

Department: Click here to enter text.

Telephone: Click here to enter text.

Email Click here to enter text.

Information Asset Owner: All information systems/assets must have an Information Asset Owner (IAO). IAOs should normally be a Head of Department/Service.

Name: Click here to enter text.

Title: Click here to enter text.

Department: Click here to enter text.

Telephone: Click here to enter text.

Email Click here to enter text.

Information Asset Administrator: Information systems/assets may have an Information Asset Administrator (IAA) who reports to the IAO. IAAs are normally System Managers/Project Leads.

Name: Click here to enter text.

Title: Click here to enter text.

Department: Click here to enter text.

Telephone: Click here to enter text.

Email Click here to enter text.

Customers and other stakeholders:

Click here to enter text.

Appendix K1


Page 167 of 187

Section 1B: System / Project Screening

Question Response

Data Items

1. Will the initiative / system / project / process (referred to hereafter as ‘project’) contain identifiable or Personal Confidential Data (PCD)? If answered ‘No’, go to question 2.

☐ Yes ☐ No

If yes, who will this data relate to:

☐ Patient

☐ Staff

☐ Other: Click here to enter text.

2. Does the initiative / system / project / process use pseudonymised information that can be re-identified as PCD? If answered ‘No’ to questions 1 and 2, a full DPIA is not required. If answered ‘Yes’ to question 2, go to question 3.

☐ Yes ☐ No

3. Can the pseudonymised information be re-identified as PCD within the CCG? If answered ‘Yes’ to question 3, a full DPIA is required. If answered ‘No’, a full DPIA is not required.

☐ Yes ☐ No


Page 168 of 187

Section 2: Data Protection Impact Assessment (Full DPIA) Key Questions

Question Response

Data Items

4. Please state purpose for the collection of the data: For example, patient care, commissioning, research, audit, evaluation.

Click here to enter text.

5. Please tick the data items that are held in the system.

Personal:

☐ Name ☐ Address

☐ Post Code ☐ Date of Birth

☐ GP Practice ☐ Date of Death

☐ NHS Number ☐ NI Number

Sensitive:

☐ Medical History ☐ Trade Union membership

☐ Political opinions ☐ Religion

☐ Ethnic Origin ☐ Sexuality

☐ Criminal offences ☐ Other:

6. What consultation/checks have been made regarding the adequacy, relevance and necessity for the collection of personal and/or sensitive data for this project?

Click here to enter text.

7. How will the information be kept up to date and checked for accuracy and completeness?

Click here to enter text.

Data processing

8. Will a third party be processing data?

☐ Yes ☐ No

If no, please go to the Confidentiality section.

9. Is the third party contractor/supplier for the project registered with the Information Commissioner?

☐ Yes ☐ No

Organisation: Click here to enter text. Data Protection Registration Number: Click here to enter text.


Page 169 of 187

Question Response

10. Has the third party supplier completed a Data Security and Protection Toolkit Return?

☐ Yes ☐ No

If yes, please give the organisation code and state whether or not the Assertions were fully met: Click here to enter text. If the Assertions were not met, please request a copy of the improvement plan and provide it with this assessment.

11. Does the third party/supplier contract(s) contain all the necessary Information Governance and Data Security clauses regarding Data Protection and Freedom of Information?

☐ Yes ☐ No

12. Will other third parties (not already identified) have access to the project? Include any external organisations.

☐ Yes ☐ No

If so, for what purpose? Click here to enter text.

Please list organisations and by what means of transfer: Click here to enter text.

Confidentiality

13. Please outline what privacy/fair processing notices and leaflets will be provided. A copy of the privacy/fair processing notice and leaflets must be provided.

Click here to enter text.

14. Does the project involve the collection of data that may be unclear or intrusive? Are all data items clearly defined? Is there a wide range of sensitive data being included?

☐ Yes ☐ No

15. Are you relying on individuals (patients/staff) to consent to the processing of personal identifiable or sensitive data?

☐ Yes ☐ No

If yes, what type of consent will be sought?

☐ Explicit ☐ Implicit

How will that consent be obtained and by whom? Click here to enter text.

If no, which legal basis/justification is being used instead?

☐ Medical purpose ☐ Public Interest

☐ Court Order ☐ Other: Click here to enter text.


Page 170 of 187

Question Response

16. How will consent, non-consent, objections or opt-outs be recorded and respected?

Click here to enter text.

17. Will the consent cover all processing and sharing/disclosures?

☐ Yes ☐ No

If not, please detail: Click here to enter text.

18. What process is in place for rectifying/blocking data? What would happen if such a request were made?

Click here to enter text.

Engagement

19. Has stakeholder engagement taken place?

☐ Yes ☐ No

If yes, how have any issues identified by stakeholders been considered? Click here to enter text.

If no, please outline any plans in the near future to seek stakeholder feedback: Click here to enter text.

Data Sharing

20. Does the project involve any new information sharing between organisations?

☐ Yes ☐ No

If yes, please describe: Click here to enter text. Please provide a data flow diagram.

21. Has the Information Sharing Agreement been submitted to the Head of Corporate Governance / DPO and approved?

☐ Yes ☐ No

If not, please detail: Click here to enter text. Please provide an Information Sharing Agreement.

Data Linkage

22. Does the project involve linkage of personal data with data in other collections, or a significant change in data linkages? The degree of concern is higher where data is transferred out of its original context (e.g. the sharing and merging of datasets can allow for the collection of a much wider set of information than needed, and identifiers might be collected/linked which prevents personal data being kept anonymously).

☐ Yes ☐ No

If yes, please provide a data flow diagram.


Page 171 of 187

Question Response

Information Security

23. Who will have access to the information within the system? Please refer to roles/job titles.

Click here to enter text.

24. Is there a usable audit trail in place for the project? For example, to identify who has accessed a record.

☐ Yes ☐ No

☐ Not applicable

If yes, please outline the audit plan: Click here to enter text.

25. Describe where the information will be kept/stored/accessed.

Click here to enter text.

26. Please indicate all methods in which information will be transferred

☐ Fax ☐ Email (Unsecure/Personal)

☐ Email (Secure/nhs.net) ☐ Internet (unsecure – eg. http)

☐ Telephone ☐ Internet (secure – eg. https)

☐ By hand ☐ Courier

☐ Post – track/traceable ☐ Post – normal

☐ Other: Click here to enter text.

27. Does the project involve privacy enhancing technologies? For example encryption, 2-factor authentication or new forms of pseudonymisation.

☐ Yes ☐ No

If yes, please give details: Click here to enter text.

28. Is there a documented System Level Security Policy (SLSP) or process for this project? A SLSP is required for new systems.

☐ Yes ☐ No

If yes, please provide a copy.

Privacy and Electronic Communications Regulations

29. Will the project involve the sending of unsolicited marketing messages electronically such as telephone, fax, email and text? Please note that seeking to influence an individual is considered to be marketing.

☐ Yes ☐ No

If yes, what communications will be sent? Click here to enter text. Will consent be sought prior to this?

☐ Yes ☐ No

Records Management

30. What are the retention periods for this data? Please refer to the Records Management: NHS Code of Practice.

Click here to enter text.


Page 172 of 187

31. How will the data be destroyed when it is no longer required?

Click here to enter text.

Information Assets and Data Flows

32. Has an Information Asset Owner been identified and does the Information Asset Register require updating?

☐ Yes ☐ No

If yes, include a complete Information Asset Register entry. The Information Asset Register is held by the Head of Corporate Governance.

33. Have the data flows been captured?

☐ Yes ☐ No

If yes, include a complete Information Asset Register entry.

Business Continuity

34. Have the requirements for business continuity been considered?

☐ Yes ☐ No

If yes, please detail: Click here to enter text.

Open Data

35. Will (potentially) identifiable and/or sensitive information from the project be released as Open Data (be placed into the public domain)?

☐ Yes ☐ No

If yes, please describe: Click here to enter text.

Data Processing Outside of the EEA

36. Are you transferring any personal and/or sensitive data to a country outside the European Economic Area (EEA)?

☐ Yes ☐ No

If yes, which data and to which country? Click here to enter text.

37. Are measures in place to mitigate risks and ensure an adequate level of security when the data is transferred to this country?

☐ Not applicable

☐ Yes ☐ No

If yes, who completed the assessment? Click here to enter text.


Page 173 of 187

Section 3: Review and Approval

Assessment completed by

Name: Click here to enter text.

Title: Click here to enter text.

Sent electronically or Signed:

Date: Click here to enter text.

Assessment reviewed by Head of Corporate Governance

Name: Click here to enter text.

Title: Click here to enter text.

Reviewed electronically or Signed:

☐ Endorsement by IG Subject Matter Expert.

Date: Click here to enter text.

Information Governance Approval from the SIRO or Caldicott Guardian

Name: Click here to enter text.

Title: Click here to enter text.

Electronic Approval or Signed

☐ The Information Governance Approval.

Date: Click here to enter text.

Data Protection Officer Approval

Name: Click here to enter text.

Title: Click here to enter text.

Electronic Approval or Signed

☐ The Data Protection Officer Approval.

Date: Click here to enter text.


Page 174 of 187

Stages of a Data Protection Impact Assessment

A DPIA has the following key stages. It may be that, subject to the analysis, the DPIA does not proceed beyond the first stage. The first-stage screening tool, to be used where a DPIA is required, is at pages 155-6. In all instances, contact the Head of Corporate Governance and / or DPO for advice and assistance in completing a DPIA.

DPIA stages:

Assessment: Initial assessment

Objective: Examines the project at an early stage, identifies stakeholders, makes an initial assessment of privacy risk and decides which level of assessment is necessary.

How to do it: Completing an initial assessment (DPIA). Make sure you use an up to date version of documents such as the terms of reference or the project initiation document. Create a team to oversee and conduct the DPIA which represents the project team and privacy professionals within your organisation. Start to list the people, groups and organisations that might have a stake in the project, or be affected by it. The ICO website provides guidance on the completion of a DPIA (see its data protection impact assessments page).

Assessment: Full-scale DPIA

Objective: Conducts a more in-depth internal assessment of privacy risks and liabilities. Analyses privacy risks, consults widely with stakeholders on privacy concerns and brings forward solutions to accept, mitigate or avoid them.

How to do it: Completing a full-scale DPIA. See which of the stakeholders are best placed to provide effective feedback and decide on your list of consultees. Hold some preliminary discussions with key stakeholders if this helps. Remember that this consultation can be completed alongside other forms of consultation. Use what works best for you: focus groups, open meetings or written consultations. Ensure that you complete your own, internal privacy risk analysis while the consultation is going on. Compare consultation responses with your own internal analysis and identify the privacy problems and solutions. Set out action points and a date when they will be revisited and reviewed.

Appendix K2


Page 175 of 187

Assessment: Privacy law compliance check

Objective: Focuses on compliance with various “privacy” laws such as the Human Rights Act, Regulation of Investigatory Powers Act and Privacy and Electronic Communications Regulations as well as current Data Protection Legislation. Examines compliance with statutory powers, duties and prohibitions in relation to use and disclosure of personal information.

How to do it: Legal compliance checks and data protection compliance checks. Remember that you do not need to have conducted a DPIA in order to check that your project is compliant with current Data Protection Legislation and other legal requirements.

Assessment: Data protection compliance check

Objective: Checklist for compliance with the DPA. Usually completed when the project is more fully formed.

Assessment: Review

Objective: Sets out a timetable for reviewing actions taken as a result of a DPIA and examines their effectiveness. Looks at new aspects of the project and assesses whether they should be subject to a DPIA.

How to do it: Review. Once you have set a date for reviewing the action points, make sure it goes in everyone’s calendar.


Page 176 of 187

Example risks

Risks to individuals

i. Inadequate disclosure controls increase the likelihood of information being shared inappropriately.

ii. The context in which information is used or disclosed can change over time, leading to it being used for different purposes without people’s knowledge.

iii. New surveillance methods may be an unjustified intrusion on their privacy.

iv. Measures taken against individuals as a result of collecting information about them might be seen as intrusive.

v. The sharing and merging of datasets can allow organisations to collect a much wider set of information than individuals might expect.

vi. Identifiers might be collected and linked which prevent people from using a service anonymously.

vii. Vulnerable people may be particularly concerned about the risks of identification or the disclosure of information.

viii. Collecting information and linking identifiers might mean that an organisation is no longer using information which is safely anonymised.

ix. Information which is collected and stored unnecessarily, or is not properly managed so that duplicate records are created, presents a greater security risk.

x. If a retention period is not established information might be used for longer than necessary.

Corporate risks

i. Non-compliance with the Current Data Protection Legislation or other legislation can lead to sanctions, fines and reputational damage.

ii. Problems which are only identified after the project has launched are more likely to require expensive fixes.

iii. The use of biometric information or potentially intrusive tracking technologies may cause increased concern and cause people to avoid engaging with the organisation.

iv. Information which is collected and stored unnecessarily, or is not properly managed so that duplicate records are created, is less useful to the business.

v. Public distrust about how information is used can damage an organisation’s reputation and lead to loss of business.

vi. Data losses which damage individuals could lead to claims for compensation.

Compliance risks

i. Non-compliance with the Current Data Protection Legislation.

ii. Non-compliance with the Privacy and Electronic Communications Regulations (PECR).

iii. Non-compliance with sector specific legislation or standards.

iv. Non-compliance with human rights legislation.


Page 177 of 187

INFORMATION SECURITY / IT PROCEDURE


Page 178 of 187

K – INFORMATION SECURITY / IT PROCEDURE

1. Quick Reference Guide

1.1. This procedure defines the Information Security / IT procedures for the CCG. It reflects that the CCG utilises a combination of locally managed information assets in addition to ICT services provided by Rotherham Doncaster and South Humber NHS Foundation Trust.

1.2. This procedure takes into account the IG aims and expectations set out within the Information Security Management: Code of Practice for the NHS and the Health and Social Care Information Centre (HSCIC), now known as NHS Digital. Information security enables information to be processed and shared with appropriate safeguards in place. It ensures the protection of information and assets as well as identifying and acting on threats to that security.

1.3. All staff, the Head of Corporate Governance, Corporate Governance Manager, DPO, SIRO, CG and IAO must ensure they are familiar with the contents of this procedure.

1.4. This procedure should be read in conjunction with the other aspects of the IG Framework and their associated documentation as available on the Intranet and public folders.

2. Introduction

2.1 The aim of this procedure is to provide staff with the requirements for effective information security management. The objectives are to establish and maintain the security and confidentiality of information, information systems, applications and networks owned, used or held by the CCG by:

Ensuring that all members of staff are aware of and fully comply with the relevant legislation as described in this and other IT / IG policies and procedures.

Describing the principles of security and explaining how they shall be implemented in the organisation.

Introducing a consistent approach to security, ensuring all members of staff fully understand their own responsibilities.

Creating and maintaining within the organisation a level of awareness of the need for Information Security as an integral part of the day to day business.

Protecting information assets under the control of the organisation.


Page 179 of 187

3. Scope

3.1. The procedure applies to all business functions within the CCG and all third party services that provide a service on behalf of the CCG. The procedure covers data, information systems, networks, physical environment and relevant personnel who support these functions. It relates to both manual and electronic information transmitted across the NHS private network.

4. Duties

4.1. Head of Corporate Governance

The Head of Corporate Governance is the Information Governance Lead for the CCG and is responsible for managing and implementing the procedure on a day to day basis with support from the Corporate Governance Manager. The Information Governance Lead will:

ensure that staff are aware of their responsibilities and accountability for information security and provide support to the SIRO, IAOs and other staff,

ensure that regular risk assessments for local information assets are completed and will monitor any potential and actual information/cyber security incidents and breaches.

4.2. Head of IT

The Head of IT is the CCG's IT Lead under the Service Level Agreement between RDaSH and the CCG for ICT services. The Head of IT provides expert advice to the SIRO, Head of Corporate Governance, IAOs and other staff.

4.3. RDaSH IT Department

4.3.1. RDaSH currently provides the CCG with ICT services. The RDaSH IT department is responsible for ensuring that network computer equipment will be housed in a controlled and secure environment and protected with a combination of technical and non-technical measures.

4.3.2. The RDaSH IT department is responsible for ensuring that network backup procedures are documented and undertaken and that business continuity and disaster recovery plans are produced for the network.

4.3.3. The IT department will provide the CCG with regular assurance that the services supplied to the CCG comply fully with the Information Security related requirements of the DSPT.

4.3.4. RDaSH will provide the CCG with assurance that regular risk assessments are undertaken with respect to the services and network supplied to the CCG.


Page 180 of 187

4.4. All Staff

All staff are responsible for information security and therefore must understand and comply with this procedure. Each member of staff:

shall be responsible for the operational security of the information systems they use and should ensure that they understand what information they are using, how it should be protectively handled, stored and transferred

should ensure they understand what procedures, standards and protocols exist for the sharing of information with others

shall comply with the security requirements that are currently in force, and shall also ensure that the confidentiality, integrity and availability of the information they use is maintained to the highest standard

should ensure that they understand their personal responsibility for raising any information security concerns with the Information Governance Lead and know how to report a suspected breach of information security within the CCG.

4.5. Contractors and Other Organisations

Contracts with external organisations that allow access to the CCG's information systems shall be in operation before access is allowed. Access will be agreed between the Head of Corporate Governance and Head of IT. These contracts shall ensure that the staff or sub-contractors of the external organisation shall comply with all appropriate security policies.

5. Access Control

5.1. Authorised Access

5.1.1. The principles applied to access control will be consistent across all systems. Access rights will be granted on a “need to have” basis and all access that is not expressly granted is forbidden. All access rights are subject to formal authorisation. The level of access control will be proportionate to the sensitivity of the information and the identified risks relating to the system or service.

5.1.2. A formal procedure will be followed for both user registration (permanent and temporary) and de-registration. Each user will be assigned a unique user ID by RDaSH IT; this will enable their actions to be attributed to them via audit trails and activity logs. Sharing of user IDs is normally forbidden as this could lead to actions being attributed to the wrong person.

5.1.3. It is the responsibility of the IAO of each system to maintain satisfactory procedures for user access to that system. It is a general principle that users must always have individual access that is verified by a user name and password or alternative access controls such as Smartcards. In addition, the following must be observed, whenever relevant.


Page 181 of 187

All new starters to the organisation must receive a mandatory induction, which includes security and confidentiality awareness raising. It is the responsibility of all Line Managers to ensure that all new staff are properly inducted, and to arrange for access to all necessary ICT systems at an appropriate level, in line with relevant local procedures, to adequately perform their duties.

Access to the computer account of other members of staff is only available in an emergency, and then only with verified authorisation from the Head of Department / Service and Head of Corporate Governance.

All staff (permanent and temporary) will have an email account. Access to the account of other members of staff is only available via proxy access with the permission of the user. Emergency access is only available with verified authorisation from Head of Department / Service or Head of Corporate Governance.

Email services should be used in accordance with the Internet, Email and Social Networking Procedure.

Access to the internet and email services must be authorised by the Line Manager and accessed in compliance with the Internet, Email and Social Networking Procedure.

It is the responsibility of Line Managers to inform the RDaSH IT Service Desk of any staff terminating their employment, immediately on notice being given to enable arrangements for removal of access. When a user leaves the Trust or changes job roles, their access rights will be changed or revoked as appropriate; any additional access rights for their new role must be suitably authorised.

5.1.4. Line Managers must consult with the Head of Corporate Governance when deciding on the level of access that staff require, taking into consideration such issues as segregation of duties and sharing of expertise. Systems should have a clear role based access model to record which staff group have access to which parts of a system.

5.1.5. Review of User Access Rights

To maintain effective control, access rights will be reviewed at regular intervals by the Line Manager to ensure they are still appropriate to the users’ needs. Any change of user position, such as promotion, demotion, termination of employment or change of role within the organisation should trigger a review for that user.

5.1.6. Periodic checks will be made for redundant user IDs, by the Corporate Governance Team, which will be disabled or removed as appropriate. To maintain the integrity of audit trails and activity logs, redundant user IDs will not be reissued to a different user. Where appropriate, standard user access profiles will be used to simplify the process of granting access rights.


5.2. Privileged Access Management

5.2.1. Privileged access is that which is above the normal user level and enables the user to override or change system or application controls. As misuse (either deliberate or accidental) can have serious consequences, privileged access must be carefully managed and restricted to those individuals whose job requirements clearly justify it. The level of access granted must be limited to the minimum required to carry out the user’s job function.

5.2.2. Privileged access should be assigned to a different user ID from the one used for standard user access. Privileged access must be explicitly authorised before it is granted, and must be recorded in a formal register. Wherever possible, the need for privileged access should be minimised by the use of system routines.

5.2.3. Privileged access will be explicitly authorised before it is granted, and will be recorded in a formal register by IT RDaSH.
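The checks described in 5.1.5, 5.1.6 and 5.2.2 (leavers whose access has not been revoked, redundant user IDs, non-reissue of retired IDs, and privileged access that is either unregistered or not held on a separate user ID) can be run as a scripted periodic review. The script below is an added example, not part of the CCG policy or of any RDaSH IT tooling. The account export, leaver list, register and review date are constructed; the "-adm" suffix for privileged IDs and the 90-day dormancy threshold are assumptions, not requirements the policy states.

```python
"""Periodic user-access review (added example; data and conventions are constructed)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Set


@dataclass
class Account:
    user_id: str
    owner: str                  # person the unique ID was issued to (5.1.2)
    enabled: bool
    last_logon: Optional[date]  # None = never logged on
    privileged: bool = False    # can override or change system controls (5.2.1)


PRIV_SUFFIX = "-adm"   # assumed convention: privileged access lives on a separate "<id>-adm" ID


def review_accounts(accounts: Iterable[Account], leavers: Set[str],
                    priv_register: Set[str], as_of: date,
                    dormant_days: int = 90) -> Dict[str, List[str]]:
    """Return findings keyed by check name; each value is a sorted list of user IDs."""
    findings: Dict[str, List[str]] = {
        "leaver_still_enabled": [],       # 5.1.3 / 5.1.5: access not revoked on leaving
        "dormant": [],                    # 5.1.6: redundant IDs to disable or remove
        "privileged_unregistered": [],    # 5.2.2: privileged access absent from the register
        "privileged_on_standard_id": [],  # 5.2.2: privilege not on a separate user ID
    }
    for acct in accounts:
        if acct.enabled:
            if acct.owner in leavers:
                findings["leaver_still_enabled"].append(acct.user_id)
            if acct.last_logon is None or (as_of - acct.last_logon).days > dormant_days:
                findings["dormant"].append(acct.user_id)
        if acct.privileged:
            if acct.user_id not in priv_register:
                findings["privileged_unregistered"].append(acct.user_id)
            if not acct.user_id.endswith(PRIV_SUFFIX):
                findings["privileged_on_standard_id"].append(acct.user_id)
    return {name: sorted(ids) for name, ids in findings.items()}


def ids_to_disable(findings: Dict[str, List[str]]) -> List[str]:
    """IDs the review recommends disabling: leavers plus dormant accounts."""
    return sorted(set(findings["leaver_still_enabled"]) | set(findings["dormant"]))


def new_id_allowed(candidate: str, accounts: Iterable[Account], retired_ids: Set[str]) -> bool:
    """5.1.6: a redundant ID is never reissued, so reject any ID that is current or retired."""
    current_ids = {a.user_id for a in accounts}
    return candidate not in current_ids and candidate not in retired_ids


# Constructed sample data (not real CCG or RDaSH accounts).
AS_OF = date(2020, 9, 30)
ACCOUNTS = [
    Account("jsmith", "J Smith", True, date(2020, 9, 14)),
    Account("jsmith-adm", "J Smith", True, date(2020, 9, 10), privileged=True),
    Account("abrown", "A Brown", True, date(2020, 6, 1)),               # leaver, still enabled
    Account("ckhan", "C Khan", True, date(2020, 3, 2)),                 # no logon for 212 days
    Account("dlee", "D Lee", True, date(2020, 9, 15), privileged=True), # privilege on a standard ID
    Account("eolsen", "E Olsen", False, None),                          # already disabled
    Account("fpatel", "F Patel", True, None),                           # never logged on
]
LEAVERS = {"A Brown"}
PRIV_REGISTER = {"jsmith-adm"}
RETIRED_IDS = {"eolsen", "tmorgan"}


def run_sample_review() -> Dict[str, List[str]]:
    return review_accounts(ACCOUNTS, LEAVERS, PRIV_REGISTER, AS_OF)


if __name__ == "__main__":
    findings = run_sample_review()
    for check, ids in findings.items():
        print(f"{check}: {', '.join(ids) or 'none'}")
    print("disable:", ids_to_disable(findings))
    print("reissue 'eolsen' allowed:", new_id_allowed("eolsen", ACCOUNTS, RETIRED_IDS))
```

On the constructed data the review flags abrown as a leaver with live access, abrown, ckhan and fpatel as dormant, and dlee as privileged access that is both unregistered and sitting on a standard ID; the request to reissue the retired ID eolsen is refused. In practice the account export would come from the directory or application in question and the leaver list from HR, and each finding would be raised with the Line Manager and IAO rather than actioned automatically.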

5.3. Unauthorised Access

Unauthorised access must be avoided at all times. To avoid unnecessary access, all users must either log out of all person based systems whenever not in use or left unattended or activate their password protected screensavers. Whenever screens are left unattended, users can lock their screens by pressing the Windows key and L or Ctrl+Alt+Delete then Enter.

5.4. Computer Misuse Act 1990

Under the Act ‘hacking’ and the introduction of computer viruses are criminal offences. The purpose of the Act is to make provision for securing computer material against unauthorised access or modification. It makes unauthorised access to a computer, programs or data an offence. Staff should report any viruses, suspected viruses or suspicious emails (which could contain viruses) to the RDaSH IT Service Desk.

6. Information Security Framework

6.1. Electronic Data Security

6.1.1. All contracts must include a confidentiality clause, binding staff to maintain a proper level of security to all sensitive and confidential information that they may encounter as part of their employment.

6.1.2. All data entered onto a system or captured manually must be held accurately and should conform to the Data Quality Policy and Procedure.

6.1.3. No data must be held that breaches the Data Protection Act 2018 incorporating the requirements of the General Data Protection Regulation (GDPR) or formal notification and guidance issued by the Department of Health. All personal identifiable information must also be used in accordance with the Caldicott Principles.

6.1.4. No member of staff will be allowed to access information until Line Managers are satisfied that they understand and agree the responsibilities under Data Protection legislation and organisational policies.

6.1.5. The CCG has a responsibility to ensure that data is held securely as a precaution against technical problems. Any files containing person identifiable information should be saved onto a network file server and not on the computer’s local drive (i.e. C: Drive). This ensures that information is backed up on a daily basis. If staff do not have access to a network drive, it is the responsibility of the department or service to ensure information is backed up on a daily basis and this back up copy is encrypted and held securely. In these circumstances, contact the RDaSH IT Service Desk or the Head of Corporate Governance for advice and guidance.

6.1.6. Staff should not store person identifiable information on mobile devices (e.g. laptops, PDAs, memory sticks etc). If there is a specific business requirement for this process, this must be approved by the Caldicott Guardian and the device must be installed with appropriate encryption software (requested through the Corporate Governance Team).

6.1.7. If there is a requirement to copy or transfer information between systems (whether bulk data or individual records), employees should ensure that any confidential information remains secure and that the recipient system has the same or greater standard of security protection. This should also be approved by the Information Governance Group, the Head of Corporate Governance and / or the Caldicott Guardian. Staff should also refer to the Internet, Email and Social Networking Procedure.

6.1.8. The RDaSH IT Department will ensure all network drives on critical network servers are backed up in accordance to written backup procedures and these will be stored securely.

6.1.9. Information that is no longer required should be disposed of or archived securely and in line with the Records Management Code of Practice for Health and Social Care 2016. Anything that contains personal and/or confidential information that does not require archiving must comply with local confidential waste procedures (i.e. shredding, use of confidential waste bins).

6.2. Network Access Control

6.2.1. Access to networks and services is managed by IT RDaSH, as per the Access Control Procedure V3 and RDaSH IT Security Policy.


6.3. System Access Control

6.3.1. System access control is managed by IT RDaSH, as per the Access Control Procedure V3 and RDaSH IT Security Policy.

6.4. Application and Information Access Control

6.4.1. Information access restriction and sensitive system isolation is managed by IT RDaSH, as per the Access Control Procedure V3 and RDaSH IT Security Policy.

6.5. Physical Security

6.2.1 All staff must wear identification badges when attending events / meetings offsite. Persons entering non-public areas should be challenged and asked to produce some form of identity or asked to sign into the building if on a specific business activity.

6.2.2 All computer assets including hardware and software will be recorded with the RDaSH IT Service Desk.

6.2.3 Computer equipment must be sited appropriately to minimise the risk of damage such as fire, flood or accidental damage. Common hazards include drinks, food and overstraining of leads when a machine is moved.

6.2.4 Paper records must be filed in fire retardant filing systems.

6.2.5 Personal confidential information must not be left on desks when unoccupied. All confidential information must be locked away when not in use.

6.2.6 All personal confidential information when printed, faxed or photocopied must be cleared from printers, faxes and photocopiers immediately and, when no longer required, destroyed securely in accordance with confidential waste disposal procedures.

6.2.7 When vacating meeting rooms or shared areas the area must be checked by the meeting participants to ensure that no data, regardless of format, has been left behind. All whiteboards must be cleaned of information and used flipchart pages must be removed and disposed of securely.


Appendix 1 - Equality Impact Assessment Form

Subject of equality analysis

Information Governance Framework – Strategy, Policy and Procedure

Type Tick

Policy √

Strategy

Business case

Commissioning service redesign

Contract / Procurement

Event / consultation

Owner Name: Cheryl Rollinson

Job Title: Head of Corporate Governance

Date 28 August 2020

Assessment Summary

Update to the CCG’s framework in relation to information governance in light of new ways of working required during Covid19. This includes references to Microsoft Teams.

Stakeholders

Tick

Staff √

General public

Service users

Partners

Providers

Other

Data collection and consultation

National NHS Digital information around the procurement and roll out of Microsoft Teams. National DPIA for Office 365. Relevant employees have been involved in the review of this framework.


Protected characteristic | Impact (Positive / Neutral / Negative) | Negative: What are the risks? / Positive: What are the benefits / opportunities?

Age

x

This policy applies to all regardless of age

Disability

x

This policy applies to all regardless of disability.

This Strategy is not currently available in other formats. The assumption is that all staff will have the correct physical equipment on their desktops to ensure that they will be able to view this document. The CCG website does provide the facility to view documents in larger fonts.

Gender

x

This policy applies to all regardless of gender

Race

x

This policy applies to all staff regardless of race/ethnicity. Analysis of employee data indicates that the percentage of white employees is reflective of the local population. However, the proportion of BME staff is lower than that of the local population it serves. All staff require competencies which include the ability to read and understand English or to request the information in another format available to them.

Religion & Belief

x

This policy applies to all regardless of religion or belief


Sexual Orientation

x

This policy applies to all, regardless of sexual orientation

Gender reassignment

x

This policy applies to all regardless of transgender/gender reassignment

Pregnancy & Maternity

x

This policy applies to all regardless of pregnancy or maternity

Marriage & Civil Partnership

x

This policy applies to all regardless of marriage or civil partnership

Social Inclusion / Community Cohesion

x This policy applies to all.

Conclusion & Recommendations including any resulting action plan

The assumption is that all staff have the appropriate electronic mechanisms such as hardware and software to ensure that they will be able to view this document. The CCG website does provide the facility to view documents in larger fonts. The CCG’s internal ‘portal’ and external website signpost individuals to alternative formats such as large print, braille or another language. Responsible lead: CCG Communications.

Review date November 2021

Please return the Equality Analysis Form to the Corporate Governance Manager: [email protected]
