Information Governance and Code of Conduct

Transcription

1 This document is also available in other languages and formats upon request Information Governance and Code of Conduct For further information and guidance contact the Information Governance team: Tel: ext / NH588 December 2014

2 Information Governance Information Governance (IG) sits alongside Clinical Governance, Corporate Governance and Research Governance. It addresses the way an organisation handles information, particularly in relation to personal and sensitive information about patients, clients and employees. Notes All relevant information regarding IG can be found on: The Trust s Information Governance site: The Health and Social Care Information Centre: Your head of healthcare is the IG lead for your establishment and will be able to guide you to relevant information or contacts as required. IG training IG training is mandatory and has to be completed yearly. The compliance measures for updates are on a fiscal year (April to March). As such you should complete your training in April to May. This will give you compliance for the year. The Mandatory IG Training modules can be accessed via If you have any queries regarding the mandatory IG training or your IG training tool account, please contact IGSupport@nottshc.nhs.uk. If you are unable to complete the mandatory IG training via the e-learning method, please contact IGSupport@nottshc.nhs.uk or a member of the IG team. 2 23

3 Notes All staff are bound by NHS IG policies. The overarching policy is: Policy 7.0 Confidentiality and Information Governance. The main IG policy is: Policy 7.15: Information Governance Policy and Procedure. However you should be familiar with all the policies under 7.0 for further information visit the Trust website and search: Our Policies and Procedures Section 7 - Confidentiality and Information Governance Subject Access Requests Patients have the right to request access to their medical records. This is covered in: Policy 7.09: Access to Information (access as highlighted above), and Patient information leaflet, About Your Information (this leaflet should be available in all clinical areas) Access can either be: Formal (where a written request to obtain a copy of a record is submitted) Informal (where information is shared between a patient and their healthcare/social care professional care on a day-to-day basis) Third parties can request access to a patient s information. However the patient will need to authorise this. The only occasions where patient authorisation is not required are as follows: if there are child protection issues if the information is to be used for anonymous research when a court order has been produced if the patient no longer has the capacity to authorise the request 22 3

4 Confidentiality All Nursing and Midwifery Council (NMC) registered staff must adhere to The NMC Code of Practice. This can be found at Clinical staff with no professional registration should adhere to the Professional Conduct Guide. An electronic copy of this document is available on the Learning and Development area of the Trust Intranet. Post/courier A paper envelope or brown paper should be used for internal transportation with the addressee details clearly written. Private and confidential should be stamped onto the envelope and any other addresses should be deleted if using internal transit envelopes. To send confidential information by post externally: Use a tamper proof envelope for confidential information if couriered outside of the Trust transport system All staff must adhere to the Trust policy for confidentiality; 7.04: Safe and Secure Handling of Confidential Information Policy. Access via the Trust website by searching: Our Policies and Procedures Section 7 - Confidentiality and Information Governance Safe and Secure Handling of Confidential Information Further Reading Caldicott Due to increasing concerns about levels of confidentiality in and between NHS organisations, the Caldicott Committee, chaired by Dame Fiona Caldicott, was established by the Chief Medical Officer in The aim -to review the flow of patient identifiable information in the NHS. The Committee published its report in December 1997 and the NHS Executive adopted its recommendations in January Clearly label the package with the addressee details. You must include the full name and designation of the intended recipient as well as the full postal address and post code. Clearly label a return address on the reverse of the package Ensure the security of the package by either using clear polythene around the outside of the package or Sellotape to secure edges Special Delivery must be used when using the royal mail services or other external couriers. It is important to follow the above instructions when sending out information by post or courier. 4 21

5 When receiving a request for information, always ask or verify the contact number using a switchboard wherever possible. Confirm this number with the requester and then ring them back using the number provided, never give the information direct. When the requester is the patient or has delegated authority to the information, then ask for confirmation such as date of birth, appointment details, GP details or address. The responsibility of releasing information lies with the person releasing the information. Therefore, if there is a breach in data protection and confidentially, that person will be subject to relevant disciplinary action. Faxes Fax machine/s should be situated in a secure area where casual passers by cannot see the contents of incoming/outgoing faxes Only send patient identifiable information by fax when absolutely necessary and only to safe haven fax machines. Use of fax machines for transfer of identifiable information must not be common practice The fax telephone number should be verified with the recipient. Ideally pre-programme number/s into the fax machine to avoid misdialling. If there is any doubt DO NOT send the document by fax transmission A separate telephone call to the recipient should be made to confirm receipt and a confirmation sheet obtained from the fax machine indicating the transmission was successful Received faxed documents, which contain personal information, must be stored in a secure environment The responsibility for the correct dispatch of all fax messages is with the sender Use a fax cover sheet that clearly states a confidentiality statement and the name of the recipient/s. Following a request from the Secretary of State for Health, Dame Fiona Caldicott carried out a review of information sharing to ensure an appropriate balance between the protection of patient information and the use and sharing of information to improve patient care. The findings were published in a report in April 2013: Information: To Share or Not to Share The report identified principles of good practice and recommended regular review of information flow in order to maintain good practice. Caldicott now forms part of the NHS IG Framework, which facilitates a standard based approach to information sharing. The Trust s Caldicott Guardian is Dean Howells, Executive Director of Nursing, Quality and Patient Experience. The purpose of Caldicott The Caldicott principles aim to ensure the highest levels of confidentiality and security for patient identifiable information held in the NHS. Caldicott covers a number of areas of concern, ranging from keeping patients aware of what the NHS does with their information, to making sure NHS staff know about their responsibilities and good practice. And also ensuring that individual organisations have good security measures in place on their computer systems so that patient information is not easily accessible by unauthorised users. The Seven Caldicott Principles 1. Justify the purpose(s) Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed, by an appropriate guardian. 2. Don t use personal confidential data unless it is absolutely necessary Personal confidential data items should not be included unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s). 20 5

6 3. Use the minimum necessary personal confidential data Where use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified so that the minimum amount of personal confidential data is transferred or accessible as is necessary for a given function to be carried out. 4. Access to personal confidential data should be on a strict need-to -know basis Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the data items that they need to see. This may mean introducing access controls or splitting data flows where one data flow is used for several purposes. 5. Everyone with access to personal confidential data should be aware of their responsibilities Action should be taken to ensure that those handling personal confidential data both clinical and non-clinical staff are made fully aware of their responsibilities and obligations to respect patient confidentiality. 6. Comply with the law Every use of personal confidential data must be lawful. Someone in each organisation handling personal confidential data should be responsible for ensuring that the organisation complies with legal requirements. 7. The duty to share information can be as important as the duty to protect patient confidentiality. Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies. Best practice includes: Screens should not be left unattended with information on display Where possible lock the computer screen for short periods of time Log off systems that are no longer required or if you leave the area for a period of time Position screens to prohibit unauthorised viewing of the information on screen Do not use floppy disc/memory sticks from unknown sources (virus protection) Only install authorised software and do not download information from the internet unless you are sure that it is virus free. Mobile computing Trust mobile devices are encrypted, password protected and security applied as per the IT Security Policy. Verbal communications including telephone calls Where requests for information are received from external organisations, the appropriate delegated person should be informed. For guidance on this, look at the Trust s Corporate Records Policy which can be found on the Trust s website by searching: Our Policies and Procedures Section 7 - Confidentiality and Information Governance Corporate Records Policy Before the information is released, verification should be established that the person requesting that information has the right to do so. Before releasing any information, make sure the person requesting it has the right to do so. 6 19

7 Computer security Confidential s The Trust provides an encrypted system that allows you to choose to send secure, password protected s to external addresses. The outgoing will have the body text and any attachments encrypted and a password will be automatically generated by the system. This password then needs to be communicated to the recipient by a separate medium, such as a telephone. Passwords should not be sent via under any circumstances. By marking an as confidential, the system will automatically encrypt the when going to external addresses. Replying to an incoming that has been marked confidential would also automatically encrypt the reply. The encrypted system allows you to comply with the Trust's / Internet General (7.14) and Safe and Secure Handling of Confidential Information (7.04) policies. s sent to multiple recipients will generate a separate password for each recipient. Data Protection Act 1998 An Introduction to the Data Protection Act 1998 The Data Protection Act (DPA) 1998 came into force on 1 March It covers personal data and sensitive personal data, for example, information about living individuals. The Act replaces the Data Protection Act 1984 and repeals the Access to Medical records 1990 (which now only applies to deceased patients). Notification Notification is a statutory requirement and every organisation that processes personal information must notify the Information Commissioner s Office (ICO). Only organisations that hold paper records and do not use computers to process data are exempt from this rule although they can choose to notify the Information Commissioner s Office voluntarily. Guidance on using encrypted s is available on the IT Security area of the Trust Intranet under the page. Patient Information NHSMail is the preferred method of sending patient data, please ensure the Trust Safe Haven procedures are followed. All staff should ensure they familiarise themselves with the Trust s IT Security policy noting their responsibilities. This can be found on the Trust website by searching: Our Policies and Procedures Section 7 - Confidentiality and Information Governance Information Technology Acceptable Use Policy and Procedure 18 7

8 IG Code of Conduct What is confidentiality? A duty of confidence arises when one person discloses information to another in circumstances where it is reasonable to expect that the information will be held in confidence. For example, a service user to healthcare worker, or an employee to their manager. Information is considered confidential if it can be related in any way to a specific individual. The main areas of concern are relate to service user and staff records as well as information that has not been fully anonymised. For example an NHS number, even in the absence of other personal information, is not considered anonymous because it is still possible to trace that individual from the NHS number. Confidential information will be found in a variety of formats including paper, computerised (including portable devices such as laptops mobile phones and tablets), visual and other versions of information storage media such as digital images and photographs. In addition, it covers oral communications including the use of the telephone (including mobiles) and general conversation. Confidential Information Person-identifiable data (PID) or person-identifiable information is any item of data concerning a person that, if used singly or in conjunction with other data items, could lead to identification of that person. This type of information includes: Name Address dates of birth gender photographs and clinical images, Telephone and contact details NHS number Hospital number or other service user number Staff payroll number 8 17

9 Further reading - useful web based resources Confidentiality Code of Practice Confidentiality and disclosure of information: General Medical Services (GMS) Data Protection Act search: Department of Health: Policy and Guidance Freedom of Information Act search: Freedom of Information Act 2000 Information Commissioner s Office Department of Health security articles and useful documents Department of Health - Records Management NHS Code of Practice PublicationsPolicyAndGuidance/DH_

10 The Freedom of Information Act 2000 (FOI) What is the Freedom of Information Act? This Act gives the public a right of access to any files or information held by the Trust. There are some exemptions, but the general rule is that we have to provide the information unless we can show that there is a good, public interest, reason not to. If we refuse a request, the applicant has a right of appeal to the Information Commissioner, who is appointed by Parliament to ensure that the Act is complied with. Who can apply for information under the Act? Anybody can make a request under the Act; including commercial companies, journalists, patients and the public. They have the right to ask for any information they would like and there is no need for them to tell us why they want it. What information does the Act cover? It applies to any information held by the Trust, in any form electronic and/or paper. If your files contain scraps of paper with rough notes or comments, these are just as disclosable as official letters and memos. s have to be treated in the same way if an forms part of a decision making process, this also needs to be disclosed. To find our more about good practice regarding s visit the Trust Website and search : Our Policies and Procedures Section 7 - Confidentiality and Information Governance /Internet Policy Remember: you must write everything, including s, in a way that you would not mind them being read by members of the public and the press. Therefore, under common law, a health or social care professional wishing to disclose a patient s/client s personal information to anyone outside the team providing care should first seek the consent of that patient/client. Where this is not possible, an organisation may be able to rely on disclosure being in the overriding safeguarding interest of the individual or others or in the public interest. However, whether a disclosure is in the public interest is not a decision to be taken lightly. Solid justification is required before individual rights are set aside and specialist or legal advice should be sought before the information is disclosed. Any decision to disclose should be fully documented. Disclosures required by court order should be referred to the organisation s legal advisors as promptly as possible so that any necessary representations can be made to the court, for example to limit the information requested. If a disclosure is made which is not permitted under common law, the patient/ client could possibly bring a legal action, not only against the organisation, but also against the individual responsible for the breach. Common law is a form of law based on previous court cases decided by judges. The Act is fully retrospective. This means that it applies to all information, including that created prior to the Act coming into force. It does not apply to requests to see personal data, including health records. These are covered by the Data Protection Act 1998 and the Access to Health Records Act 1990 (if the request is to see the health records of a deceased patient)

11 Common Law Duty of Confidentiality Common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as judge-made or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent. The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider s consent. In practice, this means that all patient/client information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without their consent. It is irrelevant how old the patient/client is, or what the state of his/her mental health is; the duty still applies. Three circumstances that make the disclosure of confidential information lawful are: where the individual to whom the information relates has consented where disclosure is necessary to safeguard the individual or others, or is in the public interest where there is a legal duty to do so, for example a court order. How is an FOI request made? Requests have to be made in writing (an counts as a written request) and must be directed to the FOI lead or to foi@nottshc.nhs.uk. We have a maximum of 20 working days to confirm whether or not we have the information requested, subject to exemptions, to provide a copy. What should I do if I receive a request? Send it immediately to the FOI lead as the clock starts ticking on the 20 days as soon as the request is received. Access to Health Records Act 1990 As previously explained, patients' rights of access to health records are now governed by the provisions of the Data Protection Act The Access to Health Records Act 1990, which previously provided a right of access to non-computerised health records, has largely been repealed. However, one part of the Act that is still in force gives certain rights of access to the records of deceased patients. Access to a patient s records after death The duty of confidentiality remains after a patient has died. Under the Access to Health Records Act 1990, the personal representative of the deceased and people who may have a claim arising from the patient s death are permitted access to the records. This applies to information provided after November 1991 and disclosure should be limited to that which is relevant to the claim in question. The records should not be disclosed if it is thought that they may cause mental or physical harm to anyone if they contain third party information or if the deceased gave the information on the understanding that it would remain private. Further reading: Access the Trust s 7.09 Access to Information Policy on the Trust website by searching: Our Policies and Procedures Section 7 - Confidentiality and Information Governance Access to Information Policy 14 11

12 Subject Access Request (SAR) What is a subject access request? A subject access request (SAR) is a written request made by, or on behalf, of an individual for the information he or she is entitled to ask for under Section 7 of the Data Protection Act 1998 (DPA). The request does not have to be in any particular form. Nor does it have to include the words subject access or make any reference to the DPA. Indeed, a request may be a valid SAR even if it refers to other legislation, such as the Freedom of Information Act (FOIA). Formal requirements A SAR must be made in writing. The Trust has forms which can be used and they assist us in identifying and locating the information requested. However, we can not insist that the form is used. The law states that the requests must be dealt with within 40 days. However, the Department of Health require the NHS to complete requests within 21 days. For further guidance please speak to your Information Governance Team or igsupport@nottshc.nhs.uk. An ed or faxed request is as valid as one sent in hard copy. You should also note the following points when considering validity: You do not need to respond to a request made orally but, depending on the circumstances, it might be reasonable to do so (as long as you are satisfied about the person s identity). It is also good practice to explain to the individual how to make a valid request, rather than ignoring them. Requesters do not have to tell you their reason for making the request or what they intend to do with the information. Although it may help you to find the relevant information if they do explain the purpose of the request. If you receive a request for access to information, contact your Information Governance Team for advice and guidance on handling the request. Further reading: Access the Trust s 7.09 Access to Information Policy on the Trust website by searching: Our Policies and Procedures Section 7 - Confidentiality and Information Governance Access to Information Policy An individual has the right to request information held about them. The request, known as a SAR, must be made in writing