Personal Identifiable Information Policy

1 Personal Identifiable Information Policy Page 1 of 24

Document Management

Title of document: IG2 Personal Identifiable Information Policy
Type of document: Policy
Description: This Policy supports the Information Governance Policy and sets out the high-level policy framework and principles adopted by NHS Northamptonshire (NHSN) and NHS Milton Keynes (NHSMK) and associated organisations to govern the appropriate use of information (i.e. Information Governance) within the environments in which it delivers its service.
Target audience: This Policy applies to all Cluster employees, the Commissioning Support Hub, non-executive directors, trainees, contractors, temporary staff, researchers, trainers and consultants who may be involved in the processing of information at any level in the organisation, or who have access to areas where information is stored within the organisation. This policy will be strongly recommended to independent practitioners as good practice guidance.
Author: Gareth Lawrence
Department: Information Governance
Directorate: Commissioning Support Organisation
Approved by: Information Governance Steering Group, CMT
Date of approval: 16th January 2012, 8th February 2012
Version Number: 1.0
Next review date: April 2013
Related documents: Procedures: Information Disclosure, Privacy Impact Assessment, Information Sharing, Safe Haven

Superseded documents: NHSN and NHSMK Data protection policies; MK Confidential information policy; IM&T 07 Confidentiality and disclosure
Internal distribution: Intranet and to all staff informing them of policy update and asking them to read it
External distribution: External websites
Availability: All ratified policies, strategies, procedures and protocols are published on the Trust Intranet and Public Website.
Contact details (of main contact for this document):
Name: Gareth Lawrence
Address: Francis Crick House, Summerhouse Road, Moulton Park, Northampton NN3 6BF
Tel

Table of Contents

1. Introduction
2. Scope
3. Definitions
3.1 Personal Identifiable Information / Sensitive Information
3.2 Other definitions
4. Key Obligations
4.1 Data Protection Act
4.2 Confidentiality
4.3 Consent
4.4 Caldicott
4.5 Legal requirements for using patient data for non healthcare purposes
5. Disclosing information
5.1 When information may be disclosed
5.2 Passing on information without consent
5.3 Public interest disclosure
5.4 NHS disclosure models
5.5 Legal and professional obligations
6. Commissioning organisations
7. Roles and Responsibilities
8. Information sharing
9. Equality and Diversity
10. Monitoring and review
11. Education and training
Appendix A Statutes and NHS Obligations
Appendix B - Policy impact analysis

Change Control (Version, Date, Change): /12 Presented to IGSG

1. Introduction

The IG Policy sets out the commitment of the organisation to fulfil its statutory obligations with respect to personal data and adhere to the NHS Codes of Practice for handling personal information. This Policy applies to NHS Northamptonshire (NHSN) and NHS Milton Keynes (NHSMK), which are still the legal entities registered with the Information Commissioner to process personal data. The Cluster does not yet exist as a legal entity. This Policy expands on the Information Governance Policy to indicate broadly how the organisation operates to fulfil that commitment. The Policy is supported by detailed procedures for handling personal data.

2. Scope

This policy applies to all information which identifies an individual, or information which when used with other information could be used to identify an individual. This covers information relating to patients, staff or any other third party, regardless of whether it is received or generated by the organisation. The Policy applies to Personal Identifiable Information (PII) regardless of the format in which it is held.

3. Definitions

3.1 Person Identifiable Information / Sensitive Information

Person Identifiable Information. This relates to information about a person which would enable that person's identity to be established. This might be fairly explicit, such as an unusual surname or isolated postcode, or items of different information which if taken together could allow the person to be identified. All information that relates to an attribute of an individual should be considered as potentially capable of identifying them to a greater or lesser extent.

Sensitive Information. This can be broadly defined as that which if lost or compromised could affect individuals, organisations or the wider community. This is wider than, but includes, personal information defined as sensitive under the Data Protection Act 1998, e.g. an individual's bank account details are likely to be deemed sensitive but the definition may also include financial or security information about an organisation.

All person identifiable and sensitive information should be protected but there are two key categories (A and B below) that should be afforded the highest protection status. These categories are what HM Government - Cabinet Office Data Handling Review referred to as protected personal data (see David Nicholson letters available from the Knowledge Base Resources). This is information which, if wrongly released or lost, could cause harm or distress to individuals. Protected personal data as a minimum must include all information falling into one or both of categories A or B below.

Category A: Any information that links one or more identifiable living person with information about them which, if released, would put them at significant risk of harm or distress.

Group 1: one or more of the pieces of information which can be used along with public domain information to identify an individual:
- Name
- addresses (home or business or both)
- postcode
- telephone numbers
- driving licence number
- date of birth
[Note that driving licence number is included in this list because it directly yields date of birth and first part of surname]

combined with

Group 2: information about that individual whose release is likely to cause harm or distress.

Sensitive personal data as defined by s2 of the Data Protection Act 1998:
- racial or ethnic origin
- political opinions
- religious beliefs or other beliefs of a similar nature
- membership of a trade union
- physical or mental health or condition
- sexual life
- the commission or alleged commission of any offence or any proceedings or sentencing relating to any offence committed or alleged to have been committed.

Sensitive personal data will also include:
- DNA or finger prints
- bank, financial or credit card details
- mother's maiden name
- National Insurance number
- Tax, benefit or pension records
- employment record
- school attendance or records
- material relating to social services including child protection and housing.

These are not exhaustive lists. Organisations should determine whether other information they hold should be included in either group 1 or 2.

Category B: Any information about 21 or more identifiable individuals, other than information sourced from the public domain. This could be a database with multiple entries containing facts mentioned in group 1, or an electronic folder, disc, or paper records containing 21 or more records about individuals. Again, this is a minimum standard. Information on smaller numbers of individuals may warrant protection because of the nature of the individuals, nature or source of the information, or extent of information.

3.2 Other definitions

Healthcare Medical Purposes / Primary Use: Uses which directly contribute to the diagnosis, care and treatment of an individual; or the audit/assurance of the quality of the healthcare provided.

Non Healthcare Medical Purposes / Secondary Use: Preventative medicine, medical research, financial audit and the management of health [and social] care services.

Non Healthcare Purposes: Mandatory reporting, e.g. Cancer registries; Court reports; Police reports.

Notice / Privacy Notice / Fair processing notice: A statement which indicates what data will be collected, to what use the data will be put, and who is responsible for the data.

Data controller: A person who (either alone, or jointly, or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

Data subjects: An individual who is the subject of personal data.

Data processor: Any person (other than an employee of the data controller) who processes data on behalf of the data controller.

Secondary use: Primary use of patient data covers two types, those that directly contribute to the diagnosis, care and treatment of an individual and those used in the audit/assurance of the quality of healthcare provided. Other uses of the data, that is the non-direct care usage referred to above, are usually known as secondary uses. Examples of secondary uses are commissioning, payment by results (PbR), performance management, capacity planning, service redesign and benchmarking. These examples indicate that secondary uses occur in all types of NHS organisations, namely commissioners, providers, SHAs, PHOs and regulators as well as associated data processors under the Data Protection Act, such as FESC or other third party service providers.

Section 251: This relates to section 251 of the NHS Act 2006 (originally enacted under Section 60 of the Health and Social Care Act 2001). It allows the common law duty of confidentiality to be set aside in specific circumstances where anonymised information is not sufficient and where patient consent is not practicable. Applications for approval to use Section 251 support are considered by the Ethics and Confidentiality Committee of the National Information Governance Board for Health and Social Care.

4. Key Legal Obligations

There are a number of statutes and NHS obligations which direct the organisation on how PII should be handled both legally and ethically. The key ones are listed below, and a summary of the contents and references to the documents are held in Appendix A:
- The NHS Code of Confidentiality
- The Data Protection Act
- The Human Rights Act
- The NHS Constitution
- The NHS Care Record Guarantee
- Caldicott Guidelines
- Common Law Duty of Confidentiality
- Access to Health Records Act
- Professional Codes of Conduct

The two key laws which govern use of PII are the Data Protection Act and the Common Law Duty of Confidentiality. The Data Protection Act sets how organisations should collect, hold and share personal and sensitive personal information.

A duty of confidence arises when one person discloses information to another (e.g. patient to clinician) in circumstances where it is reasonable to expect that the information will be held in confidence. It is a legal obligation that is derived from case law; is a requirement established within professional codes of conduct; and must be included within NHS employment contracts as a specific requirement linked to disciplinary procedures.

The NHS also assures confidentiality through adhering to the Caldicott Principles and adhering to legal requirements for using patient data for non healthcare purposes.

4.1 Data Protection Act

There are a number of principles which underpin the legal and appropriate handling of personal information, which are encapsulated in the Data Protection Act. All processing of data to which the Act applies must comply with 8 principles which are reproduced below. The first principle is particularly important as it emphasises that processing must be fair and lawful in the context of the common law and other UK legislation. Generally it will be complied with if all the following conditions are met:
- the common law of confidentiality and any other applicable statutory restrictions on the use of information are complied with;
- the data subject was not misled or deceived into giving the data;
- the data subject is given basic information about who will process the data and for what purpose;
- in the case of health data, one of the conditions in both Schedules 2 and 3 to the Act is satisfied.

The Act aims to:
- Protect personal information
- Inform patients and staff how information is used
- Give choice to patients and staff, who may want confidentiality or access to records
- Set a legal standard for accuracy and relevance
- Set a legal standard for updating data
- Set a legal standard for archiving, and later shredding or destroying data which is no longer needed

It provides rights of access to personal data and empowers the subjects of personal data to ensure that their information is processed fairly and in accordance with their rights. It provides remedies for failures to comply with the Act, including correction and restriction of further processing, as well as compensation where unlawful processing has resulted in damage to a person to whom the data relates.

The Data Protection Principles are:
- Personal data shall be processed fairly and lawfully
- Personal data shall be obtained for one or more specified and lawful purpose(s) and shall not be further processed in a manner incompatible with that purpose(s)
- Personal data shall be adequate, relevant and not excessive in relation to those purposes
- Personal data shall be accurate and where necessary kept up to date
- Personal data shall not be kept for longer than is necessary for that purpose
- Personal data shall be processed in accordance with the rights of the data subject under this Act
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage
- Personal data shall not be transferred to countries outside the EEA without adequate protection

4.2 Confidentiality

The patient/healthcare professional relationship is always confidential, but personal information about staff may also be confidential. The confidentiality model outlined below is taken from the NHS Code of Practice, but the principles of protect, inform, provide choice and improve apply equally to information provided by staff.

The confidentiality model outlines the requirements that must be met in order to provide patients with a confidential service. Record holders must inform patients of the intended use of their information, give them the choice to give or withhold their consent as well as protecting their identifiable information from unwarranted disclosures. These processes are inter-linked and should be ongoing to aid the improvement of a confidential service. The four main requirements are:
- PROTECT: look after the patient's information;
- INFORM: ensure that patients are aware of how their information is used;
- PROVIDE CHOICE: allow patients to decide whether their information can be disclosed or used in particular ways.

To support these three requirements, there is a fourth:
- IMPROVE: always look for better ways to protect, inform, and provide choice.

These are expanded in the following sections and explored in more detail in Annex A.

4.3 Consent

Consent matters are discussed in more detail in the Code. Staff with any queries over consent should contact Information Governance.

4.4 Caldicott

The recommendations of the Caldicott Committee defined the confidentiality agenda for NHS organisations for a number of years. Central to the recommendations was the appointment in each NHS organisation of a Guardian of person-based clinical information to oversee the arrangements for the use and sharing of clinical information. A key recommendation of the Caldicott Committee was that every use or flow of patient-identifiable information should be regularly justified and routinely tested against the principles developed in the Caldicott Report.

Principle 1: Justify the purpose(s) for using confidential information
Principle 2: Only use it when absolutely necessary
Principle 3: Use the minimum that is required
Principle 4: Access should be on a strict need-to-know basis
Principle 5: Everyone must understand his or her responsibilities
Principle 6: Understand and comply with the law

4.5 Legal Requirements for Using Patient Data for Non Healthcare Purposes

It is a legal requirement that when patient data is used for purposes not involving the direct care of the patient, i.e. Secondary Uses, the patient should not be identified unless other legal means hold, such as the patient's consent or Section 251 approval. This is set out clearly in the NHS policy and good practice guidance document 'Confidentiality: the NHS Code of Practice', which states the need to 'effectively anonymise' patient data prior to the non-direct care usage being made of the data.

Data cannot be labelled as primary or secondary use data - it is the purpose of the disclosure and the usage of the data that is either primary or secondary. This means that even where it is justifiable to hold data in identifiable form, it becomes essential to ensure that only authorised users are able to have identifiable data disclosed to them.

Pseudonymisation is concerned with enabling the NHS to undertake secondary use of patient data in a legal, safe and secure manner. The overall aim of implementing pseudonymisation is to facilitate:
1. The legal and secure use of patient data for secondary purposes by the NHS (and other organisations involved in the commissioning and provision of NHS-commissioned care)
2. NHS business to no longer use identifiable data in its non-direct care related work wherever possible
3. NHS business processes to continue to be effective in supporting the day-to-day operation of the NHS.

More detail on pseudonymisation is available in the Pseudonymisation Implementation Guidance [1].

5. Disclosing Information

5.1 When information may be disclosed

Information may be passed on to another party as long as the individuals are provided with adequate information regarding the possible uses of their information and the individuals' consent is obtained or the data falls within the provisions for release of the Data Protection Act (see above). If consent is obtained, information can only be discussed in accordance with the terms of the consent given.

5.2 Passing on information without consent

It may sometimes be necessary to pass on information without consent, for example:
- In order to protect children or safeguard a vulnerable adult from significant harm
- In order to protect the vital interest of the patient / client
- In order to prevent or detect, or to support prosecution in respect of, a serious arrestable offence. The definition of serious crime is not entirely clear. Murder, manslaughter, rape, treason, kidnapping, child abuse or other cases where individuals have suffered serious harm may all warrant breaching confidentiality. Serious harm to the security of the state or to public order and crimes that involve substantial financial gain or loss will also generally fall within this category. In contrast, theft, fraud or damage to property where loss or damage is less substantial would generally not warrant breach of confidence.
- Where required by Statute or Court Order

5.3 Public interest disclosure

Passing on information can in some instances be justified for other reasons, for instance to protect public interest. The key principle to apply here is that of proportionality. Whilst it would not be reasonable and proportionate to disclose confidential patient information to a researcher where patient consent could be sought, if it is not practicable to locate a patient without unreasonable effort and the likelihood of detriment to the patient is negligible, disclosure to support the research might be proportionate. Other factors, e.g. ethical approval, servicing and safeguards, anonymised information, pseudonymised information and/or clear deletion policies etc., might also influence a decision on what is proportionate. It is important not to equate "the public interest" with what may be "of interest" to the public. The NHS has produced guidance on public interest disclosures [2].

The decision in circumstances such as these, where no Policy exists or where there is uncertainty over disclosure, can only be made with approval of the Caldicott Guardian, the Head of Information Governance, the Data Privacy Officer.

5.4 NHS Disclosure Models

The NHS Code of Confidentiality sets out the arrangements for disclosing personal information under a variety of circumstances to support direct healthcare, medical purposes (such as research) and purposes unrelated to healthcare. The disclosure models are established as procedures within the organisation.

5.5 Legal and Professional Obligations [3]

There are a range of complex legal and professional obligations that limit, prohibit or set conditions in respect of the management, use and disclosure of information and, similarly, a range of statutes that permit or require information to be used or disclosed.

NHS Information Governance - Guidance on Legal and Professional Obligations is best practice guidance, which outlines the likely impact of these provisions primarily to NHS information but also includes some social care requirements.

Footnotes:
[1] Pseudonymisation Implementation Guidelines
[2] Confidentiality: NHS Code of Practice Supplementary Guidance: Public Interest Disclosures
[3] Guidance on Legal and Professional Obligations

6. Commissioning Organisations

Commissioning organisations hold personal data on their staff, and personal data on the healthcare of the patients for whom services are commissioned. The particular issues facing commissioning organisations which have collected information for a given purpose are:
- Can the identifiable data which has been collected be lawfully used in an identifiable format or does it need pseudonymising?
- Can the data be shared with another organisation (e.g. healthcare organisation, Social Services, the Police) to deliver a service or conduct a service review lawfully (in accordance with the patients' rights and expectations)?
- Do the care pathways which are commissioned secure the confidentiality of patient data?

The organisation also holds (GP) records of deceased patients and those patients who have deregistered with a GP and have not registered elsewhere. The organisation provides access to those records under the Data Protection Act for living individuals and under the Access to Health Records Act for the deceased.

7. Roles and Responsibilities

The Chief Executive has overall accountability for organisational compliance with statutory obligations and NHS guidance.

The Chief Executive has delegated responsibility for patient confidentiality to the Medical Director, who is the organisation's Caldicott Guardian.

The Head of Information Governance is the nominated Data Protection Officer for the organisation, who maintains the registration with the Information Commissioner and is the point of contact with the Information Commissioner's Office (ICO).

The Senior Information Risk Owner has a responsibility to ensure that systems and processes are managed to minimise the risk of breaches of confidentiality.

Information Governance Steering Group is the formal group of the Trust responsible for advising on data protection policy and strategy via the Quality and Risk Committee.

Information Governance is responsible for:
- Operational responsibility for reviewing policies and procedures
- Supporting and advising the Caldicott Guardian and staff on day-to-day data protection and information sharing issues as they arise
- Maintaining an inventory of Data Owners for sets of information and records
- Maintaining an inventory of information sharing protocols
- Conducting data compliance audits including checks on data usage
- Facilitating and delivering training sessions
- Ensuring subject access requests are handled in compliance with legislation
- Ensuring that no new systems containing personal identifiable data or new uses of existing systems are introduced without appropriate checks to ensure that confidentiality and security exist
- Acting as the initial point of contact for data protection, confidentiality and privacy queries and complaints.

8. Information Sharing

New initiatives will be subject to a Privacy Impact Assessment, to ensure the privacy of patients/staff and the security of the data.

Sharing personal information with partners will be supported by information sharing agreements (where the data is provided to another data controller) or will be conducted under a contract (where another party is processing data on behalf of the organisation).

Information flows into and out of the organisation will be regularly mapped and risk assessed to determine the appropriateness and security of the information disclosure.

9. Equality and Diversity

The organisation recognises the diversity of the local community and those in its employment; and aims to provide a safe environment free from discrimination and a place where all individuals are treated fairly, with dignity and appropriately to their need. The organisation recognises that equality impacts on all aspects of its day-to-day operations and has produced an impact assessment framework for all policies. This Policy has been assessed against this framework and the results presented in Appendix B.

10. Monitoring and review

The success and compliance of handling personal information will be assessed in a number of ways. Oversight of compliance will be through the Information Governance Steering Group. The annual Information Governance Toolkit return is the primary NHS assessment of compliance with protecting personal information through training, policies, procedures, flow mapping and audits. Breaches of confidentiality or near misses will be recorded as incidents, investigated and reported through the IGSG.

11. Education and Training

All staff receive DH training in IG annually, which includes protecting personal information. Compliance with training is included in the IGT return.

Appendix A Statutes and NHS Obligations

NHS Constitution [4]

- You have the right to be treated with dignity and respect in accordance with your Human Rights (Section 2a)
- You have the right to privacy and confidentiality and to expect the NHS to keep your confidential information safe and secure. (Section 2a)
- You have the right of access to your own health records. These will always be used to manage your treatment in your best interests.

NHS Code of Confidentiality [5]

The Code is a guide to required practice for those who work within or under contract to NHS organisations concerning confidentiality and patients' consent to the use of their health records. It is a key component of emerging information governance arrangements for the NHS. Whilst directed at NHS staff, the Code is also relevant to anyone working in and around health. This includes private and voluntary sector staff. The document:
- introduces the concept of confidentiality;
- describes what a confidential service should look like;
- provides a high level description of the main legal requirements;
- recommends a generic decision support tool for sharing/disclosing information;
- lists examples of particular information disclosure scenarios.

The Data Protection Act

The Data Protection Act 1998 seeks to protect individuals by controlling the collection, use, storage and movement of personal data. It gives individuals the right of privacy, to know the purposes for which their information is being held and processed; to access the information which forms their personal data and in some circumstances the right to prevent its use. Individuals can also take action to prevent processing which is likely to result in damage or distress, to rectify, block, erase or destroy any data that is inaccurate, and where appropriate, to make a claim for compensation.

The Act places legal obligations on everyone who records and uses personal data (Data Controllers). They must always process information fairly and lawfully, meaning that data subjects (patients) must be informed about what information is collected and what it is used for. The information must not then be used for any other purpose.

Data Protection Principles: Data shall

1. be collected and processed fairly and lawfully

The purpose for which personal data is collected and processed should be made clear to the data subject. Data subjects should not be deceived or misled as to the purpose for which their personal data is held or used. Personal data should only be obtained from a person who is legally authorised to supply it. Personal data must be processed in accordance with Schedule 1 of the Act and sensitive personal data should be processed in accordance with Schedules 1 and 2 of the Act.

Footnotes:
[4] Handbook to the NHS Constitution
[5] NHS Code of Confidentiality

2. be obtained only for the specific and lawful purposes described in the register entry, and shall not be further processed in any manner incompatible with that purpose or those purposes

Personal data held for one purpose should not be used for another, e.g. research data should not be used for direct marketing. All personal data held must be within terms of a register entry or be specifically exempt from registration. Personal data must not be disclosed to any person not described in the register entry for that data collection. Details of persons to whom data may be disclosed and by whom are contained in the registration. When deciding whether to disclose data, Departments should also consider what disclosure procedures were outlined to data subjects when they gave permission for their data to be held. If data subjects have been told that data will only be released with their permission, data should not be released without permission, regardless of the register entry.

3. be adequate, relevant, and not excessive in relation to the purpose or purposes for which they are held

All personal data held must be clear in meaning, and convey sufficient information for others to understand them. This is particularly important where specific action is required. Only information that is necessary should be kept. Records should be unambiguous, accurate and professionally worded. Any abbreviations should be widely agreed. Opinions should be clearly distinguishable from matters of fact. Sensitive data must only be held if really necessary.

4. be accurate and, where necessary, be kept up to date

Personal data must not be inaccurate or misleading as to any matter of fact. This is equally applicable to information received from a third party. The source of information should always be included on records. Unauthorised abbreviation of names is inaccurate data.

5. be held no longer than is necessary for the registered purpose

The wide range of reasons for the University to hold personal data makes it impossible to lay down absolute rules about how long particular items of personal data should be retained. The NHS have a recommended retention schedule for certain kinds of data but as a general rule the destruction of data should be treated on a case-by-case basis. Failure to remove data when its purpose has been served is a breach of the Act.

6. be processed in accordance with the rights of the data subjects under the Act

Individuals have a statutory right to be told whether information about them is being processed, what the information is, its source, the purposes for which it is going to be processed, to whom it might be disclosed, and the logic involved in any automatic decision process (for example the underlying logic of the computer programme). The Act also provides that individuals may have access to data held about them and, if appropriate, to have the data corrected or deleted. If the information is sensitive, individuals must be asked for their explicit consent to the processing of that information. The Data Controller has a limited right only to make decisions affecting individuals based solely on the automatic decision processing of information about them.

7. be held under secure conditions, together with appropriate technical and organisational measures to prevent unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

Access to personal data must be permitted only for the purposes necessary for the efficient discharge of bona fide duties. The personal or private use of personal data held by the NHS is strictly forbidden.

It is important to consider the sensitivity of the data processed, the locations where data are stored and security measures necessary to hold data securely.

8. not be transferred to a country or territory outside the European Economic Area, unless that country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data

Personal data must not be transferred to a country outside the European Economic Area unless:
- explicit consent has been obtained from the data subject(s);
- the data has been completely anonymised;
- that country ensures an adequate level of protection for data subjects;
- a contract is in place with the recipient of the personal data, which puts the necessary safeguards in place.

Schedules 2 & 3 of the 1st Principle of the Data Protection Act

Conditions for Processing (Schedule 2 of the Act)

At least one of the following conditions must be met in the case of all processing of personal data (except where a relevant exemption applies):

- The data subject has given their consent to the processing (see paragraph 1.6 below).
- The processing is necessary:
  a) for the performance of a contract to which the data subject is a party, or
  b) for the taking of steps at the request of the data subject with a view to entering into a contract.
- The processing is necessary to comply with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
- The processing is necessary in order to protect the vital interests of the data subject. The Commissioner considers that reliance on this condition may only be claimed where the processing is necessary for matters of life and death, for example, the disclosure of a data subject's medical history to a hospital Casualty Department treating the data subject after a serious road accident.
- The processing is necessary:
  a) for the administration of justice,
  b) for the exercise of any functions conferred by or under any enactment,
  c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or
  d) for the exercise of any other functions of a public nature exercised in the public interest.
- The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case because of prejudice to the rights and freedoms or legitimate interests of the data subject. The Secretary of State may by order specify particular circumstances in which this condition is, or is not, to be taken to be satisfied.

Conditions for Processing Sensitive Data (Schedule 3 of the Act)

At least one of these must be satisfied, in addition to at least one of the conditions for processing (which apply to the processing of all personal data), before processing of sensitive personal data can claim to have been lawful in accordance with the first Principle.

- The data subject has given their explicit consent to the processing of the personal data (see paragraph below).
- The processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment. The Secretary of State may by order specify cases where this condition is either excluded altogether or only satisfied upon the satisfaction of further conditions.
- The processing is necessary:
  a) in order to protect the vital interests of the data subject or another person, in a case where:
     - consent cannot be given by or on behalf of the data subject, or
     - the data controller cannot reasonably be expected to obtain the consent of the data subject, or
  b) in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld.
- The processing:
  a) is carried out in the course of its legitimate activities by any body or association which exists for political, philosophical, religious or trade-union purposes and which is not established or conducted for profit,
  b) is carried out with appropriate safeguards for the rights and freedoms of data subjects,
  c) relates only to individuals who are either members of the body or association or who have regular contact with it in connection with its purposes, and
  d) does not involve disclosure of the personal data to a third party without the consent of the data subject.

Caldicott Guidelines [6]

Each organisation handling patient data must establish a Caldicott Guardian who is responsible for the strategic management of confidentiality in the organisation and providing advice on confidentiality issues. There are 6 Caldicott Principles for handling personal information:

1. Justify the purpose(s)
Every proposed use or transfer of patient-identifiable information within or from an organisation should be clearly defined and scrutinised, with continuing uses regularly reviewed by an appropriate guardian.

2. Don't use patient-identifiable information unless it is absolutely necessary
Patient-identifiable information items should not be used unless there is no alternative.

3. Use the minimum necessary patient-identifiable information
Where use of patient-identifiable information is considered to be essential, each individual item of information should be justified with the aim of reducing identifiability.

4. Access to patient-identifiable information should be on a strict need to know basis
Only those individuals who need access to patient-identifiable information should have access to it, and they should only have access to the information items that they need to see.

5. Everyone should be aware of their responsibilities
Action should be taken to ensure that those handling patient-identifiable information, both clinical and non-clinical staff, are aware of their responsibilities and obligations to respect patient confidentiality.

6. Understand and comply with the law
Every use of patient-identifiable information must be lawful. Someone in each organisation should be responsible for ensuring that the organisation complies with legal requirements.

NHS Care Record Guarantee [7]

The NHS Care Record Guarantee for England sets out the rules that govern how patient information is used in the NHS and what control the patient can have over this. It is based on professional guidelines, best practice and the law and applies to both paper and electronic records. Whilst not a legal document, the Guarantee could be used as the basis for a complaint.

The NHS Care Record Guarantee includes information on:
- people's access to their own records,
- how access to an individual's healthcare record will be monitored and policed and what controls are in place to prevent unauthorised access,
- options people have to further limit access,
- access in an emergency,
- what happens when someone is unable to make decisions for themselves.

The delivery of joined up care requires effective and accurate sharing of information between health and social care. The NHS Care Record Guarantee for England and the Social Care Record Guarantee for England together form a basis for transparent, legal and secure information sharing.

[6] Caldicott Guardian Manual
[7] NHS Care Record Guarantee

Human Rights Act

The Human Rights Act includes two articles relevant to confidentiality of personal information.

Article 8 - Right to respect for private and family life
Article 10 - Freedom of expression and exchange of information and opinions

Both articles address the prevention of disclosure of information received in confidence.

Access to Health Records Act 1990

Health records of the deceased are public records and governed by the provisions of the Public Records Act 1958 and the Access to Health Records Act. This permits the use and sharing of the information within them in only limited circumstances. Relatives and next of kin do not have an automatic right to access health records: they have to provide evidence that they are the personal representative of the deceased or have a claim arising out of the individual's death. If the deceased patient requested during their lifetime that a note to the effect that access be denied to some or all of the record be included in the record then information should not be disclosed.
Access to individual health records for live persons is covered under the Data Protection Act as subject access requests.

Computer Misuse Act 1990

The Computer Misuse Act 1990 makes it illegal to access data or computer programs without authorisation. The Computer Misuse Act identifies three offences:

1. to access data or programs held on computer without authorisation. For example, to view test results on a patient in whose care you are not directly involved or to obtain/view information about friends and relatives. On conviction an offender is liable to a custodial sentence of six months, a fine or both.

2. to access data or programs held in a computer without authorisation with the intention of committing further offences, for example fraud or blackmail. On conviction an offender is liable to a custodial sentence of up to five years, a fine or both.

3. to modify data or programs held on computer without authorisation. On conviction an offender is liable to a custodial sentence of up to five years, a fine or both.

Appendix B

Policy Impact Assessment Screening Tool

Name of Directorate: Medical
Policy being assessed: Personal Identifiable Information Policy
Date of Assessment: 14 November 2011
Assessment Carried out by: Information Governance Lead

Policy Title: Personal Identifiable Information Policy

Who is affected: This policy applies to all Cluster and Hub employees, non-executive directors, trainees, contractors, temporary staff, researchers, trainers and consultants who may be involved in the processing of personal information at any level in the organisation.

Statutory requirements:
- Common law duty of Confidence
- Data Protection Act 1998
- Human Rights Act 1998
- Freedom of Information Act 2000
- Access to Health Records Act 1990 (where not superseded by the Data Protection Act)
- Computer Misuse Act 1990 (amended in 2005)
- Children Act
- NHS Trusts and PCTs (Sexually Transmitted Diseases Regulations) 2000
- Crime and Disorder Act 1998
- Electronic Communications Act 2000
- Regulation of Investigatory Powers Act 2000
- NHS Code of Confidentiality
- Records Management NHS Code of Practice
- Information Security Management NHS Code of Practice

Full Assessment Needed (Yes / No): No

Priority: High / Medium / Low


More information

Information Governance: The Refresher Module (Revision and Update)

Information Governance: The Refresher Module (Revision and Update) Information Governance: The Refresher Module (Revision and Update) Introduction This is a printable copy of the Training Tracker e-learning refresher module on Information Governance. This is aimed at

More information

SAFEGUARDING CHILDEN POLICY. Policy Reference: Version: 1 Status: Approved

SAFEGUARDING CHILDEN POLICY. Policy Reference: Version: 1 Status: Approved SAFEGUARDING CHILDEN POLICY Policy Reference: Version: 1 Status: Approved Type: Clinical Policy Policy applies to : All services within SCH Serco Policy applies to (staff groups): All SCH Serco staff Policy

More information

POLICY ON JOINT WORKING WITH THE PHARMACEUTICAL INDUSTRY. Issued by: Director of Quality, Governance and Patient Safety

POLICY ON JOINT WORKING WITH THE PHARMACEUTICAL INDUSTRY. Issued by: Director of Quality, Governance and Patient Safety POLICY ON JOINT WORKING WITH THE PHARMACEUTICAL INDUSTRY Issued by: Director of Quality, Governance and Patient Safety Policy Classification: Corporate Issue No: 001 Page No: 1 of 19 Policy No. POLCP007

More information

Birmingham CrossCity Clinical Commissioning Group Deprivation of Liberty Safeguards (DoLS) Policy: Supervisory body Functions

Birmingham CrossCity Clinical Commissioning Group Deprivation of Liberty Safeguards (DoLS) Policy: Supervisory body Functions Birmingham CrossCity Clinical Commissioning Group Deprivation of Liberty Safeguards (DoLS) Policy: Supervisory body Functions Policy Number Purpose of document To ensure that that the rights of patients

More information

Safeguarding Adults Policy. General Policy GP12

Safeguarding Adults Policy. General Policy GP12 Safeguarding Adults Policy General Policy GP12 Applies to: All staff in contact with patients Committee for Approval Quality and Governance Committee Date Ratified: July 2012 Review Date: October 2013

More information

Independent Group Advising (NHS Digital) on the Release of Data (IGARD)

Independent Group Advising (NHS Digital) on the Release of Data (IGARD) Document filename: Independent Group Advising (NHS Digital) on the Release of Data (IGARD) Directorate / Programme IGSA Project IGARD Document Reference Status Final Owner Martin Severs Version 1.6 Author

More information

Getting Ready for Ontario s Privacy Legislation GUIDE. Privacy Requirements and Policies for Health Practitioners

Getting Ready for Ontario s Privacy Legislation GUIDE. Privacy Requirements and Policies for Health Practitioners Getting Ready for Ontario s Privacy Legislation GUIDE Privacy Requirements and Policies for Health Practitioners PUBLISHED BY THE COLLEGE OF DENTAL HYGIENISTS OF ONTARIO SEPTEMBER 2004 2 This booklet is

More information

Access To Health Records Policy

Access To Health Records Policy HYWEL DDA LOCAL HEALTH BOARD Access To Health Records Policy Policy Number: 249 Supersedes: All former access to health records policies Standards For Healthcare Services No/s 3.5 Version No: Date Of Review:

More information

SOP 5 PRIVACY and DATA PROTECTION

SOP 5 PRIVACY and DATA PROTECTION SOP 5 PRIVACY and DATA PROTECTION SOP Title Privacy and Data Protection SOP No. SOP 5 Author Julia Farmery Consulted Departments Lincolnshire Clinical Research Facility, Research and Development, Trust

More information

THE ADULT SOCIAL CARE COMPLAINTS POLICY

THE ADULT SOCIAL CARE COMPLAINTS POLICY THE ADULT SOCIAL CARE COMPLAINTS POLICY April 2009 Reviewed: January 2018 1 Cambridgeshire County Council Contents 1.0 Purpose Page 3 2.0 Principles Page 3 3.0 Accessing information about how to raise

More information

Draft Code of Practice FOR PUBLIC CONSULTATION

Draft Code of Practice FOR PUBLIC CONSULTATION Draft Code of Practice FOR PUBLIC CONSULTATION Foreword Data Governance Australia DGA is committed to setting industry standards and benchmarks for the responsible and ethical collection, use and management

More information

Cambridgeshire County Council Public Health Directorate. Privacy Notice, February 2017

Cambridgeshire County Council Public Health Directorate. Privacy Notice, February 2017 Cambridgeshire County Council Public Health Directorate Privacy Notice, February 2017 1. Background 1.1 The Cambridgeshire County Council Public Health Directorate has a wide range of responsibilities

More information

Working with Information Governance INFORMATION GOVERNANCE REFRESHER TRAINING WORK BOOK

Working with Information Governance INFORMATION GOVERNANCE REFRESHER TRAINING WORK BOOK Working with Information Governance INFORMATION GOVERNANCE REFRESHER TRAINING WORK BOOK Name: Date:.. Training Material & Assessment. Accreditation for Completed Assessments Included 1 IG Refresher Training

More information

Complaints Handling. 27/08/2013 Version 1.0. Version No. Description Author Approval Effective Date. 1.0 Complaints. J Meredith/ D Thompson

Complaints Handling. 27/08/2013 Version 1.0. Version No. Description Author Approval Effective Date. 1.0 Complaints. J Meredith/ D Thompson Complaints Handling Procedure Version No. Description Author Approval Effective Date 1.0 Complaints Procedure J Meredith/ D Thompson Court (Jun 2013) 27 Aug 2013 27/08/2013 Version 1.0 Procedure for handling

More information

Providing a phlebotomy service within the pre-assessment and other OPD clinics, and to perform other tests and duties within OPD as required.

Providing a phlebotomy service within the pre-assessment and other OPD clinics, and to perform other tests and duties within OPD as required. JOB DESCRIPTION Title: Location/Base: Dept.: Reporting to: Accountable for: Healthcare Assistant Outpatients Department Outpatients Senior Sister OPD Providing a phlebotomy service within the pre-assessment

More information

PRIVACY AND NATURAL MEDICINE PRACTITIONERS

PRIVACY AND NATURAL MEDICINE PRACTITIONERS PRIVACY AND NATURAL MEDICINE PRACTITIONERS Table of Contents Introduction... 3 Privacy Key Concepts... 4 Summary of a Practitioner s Privacy Obligations... 5 Collecting Information... 5 Storage and Maintenance...

More information

NHS CHOICES COMPLAINTS POLICY

NHS CHOICES COMPLAINTS POLICY NHS CHOICES COMPLAINTS POLICY 1 TABLE OF CONTENTS: INTRODUCTION... 5 DEFINITIONS... 5 Complaint... 5 Concerns and enquiries (Incidents)... 5 Unreasonable or Persistent Complainant... 5 APPLICATIONS...

More information

THE CODE. Professional standards of conduct, ethics and performance for pharmacists in Northern Ireland. Effective from 1 March 2016

THE CODE. Professional standards of conduct, ethics and performance for pharmacists in Northern Ireland. Effective from 1 March 2016 THE CODE Professional standards of conduct, ethics and performance for pharmacists in Northern Ireland Effective from 1 March 2016 PRINCIPLE 1: ALWAYS PUT THE PATIENT FIRST PRINCIPLE 2: PROVIDE A SAFE

More information

Privacy health check: Diagnosing for law reform

Privacy health check: Diagnosing for law reform Privacy health check: Diagnosing for law reform PMAANZ Conference 10 September 2016 Daimhin Warner Director (Auckland), Simply Privacy Ltd Law reform is coming: Time to get your house in order What is

More information

Overview of. Health Professions Act Nurses (Registered) and Nurse Practitioners Regulation CRNBC Bylaws

Overview of. Health Professions Act Nurses (Registered) and Nurse Practitioners Regulation CRNBC Bylaws Overview of Health Professions Act Nurses (Registered) and Nurse Practitioners Regulation CRNBC Bylaws College of Registered Nurses of British Columbia 2855 Arbutus Street Vancouver, BC Canada V6J 3Y8

More information

Employee Assistance Professionals Association of South Africa: an Association for Professionals in the field of Employee Assistance Programmes

Employee Assistance Professionals Association of South Africa: an Association for Professionals in the field of Employee Assistance Programmes Employee Assistance Professionals Association of South Africa: an Association for Professionals in the field of Employee Assistance Programmes EAPA-SA, PO Box 11166, Hatfield, 0028. Code of Ethics 2010

More information

Services. This policy should be read in conjunction with the following statement:

Services. This policy should be read in conjunction with the following statement: Policy Number Policy Title IT03 CORPORATE POLICY AND PROCEDURE FOR THE USE OF MOBILE PHONES BY SERVICE USERS IN IN- PATIENT AREAS Accountable Director Eecutive Director of Nursing and Secure Services Author

More information

SystmOne COMMUNITY OPERATIONAL GUIDELINES

SystmOne COMMUNITY OPERATIONAL GUIDELINES SystmOne COMMUNITY OPERATIONAL GUIDELINES Guidelines IM&T 11 Date: August 2007 Document Management Title of document SystmOne Community Operational Guidelines Type of document Guidelines IM&T 11 Description

More information

1.1 About the Early Childhood Education and Care Directorate

1.1 About the Early Childhood Education and Care Directorate Contents 1. Introduction... 2 1.1 About the Early Childhood Education and Care Directorate... 2 1.2 Purpose of the Compliance Policy... 3 1.3 Authorised officers... 3 2. The Directorate s approach to regulation...

More information

Implementation of the right to access services within maximum waiting times

Implementation of the right to access services within maximum waiting times Implementation of the right to access services within maximum waiting times Guidance for strategic health authorities, primary care trusts and providers DH INFORMATION READER BOX Policy HR / Workforce

More information

SOMERSET INFORMATION SHARING PROTOCOL

SOMERSET INFORMATION SHARING PROTOCOL SOMERSET INFORMATION SHARING PROTOCOL Version: 1.15 Ratified by: Date Ratified: 21 July 2014 Name of Originator/Author: Name of Responsible Committee/Individual: Date issued: 21 July 2014 Review date:

More information

Rights and Responsibilities. A guide for patients, carers and families

Rights and Responsibilities. A guide for patients, carers and families Rights and Responsibilities A guide for patients, carers and families NSW DEPARTMENT OF HEALTH 73 Miller Street North Sydney NSW 2060 Tel. (02) 9391 9000 Fax. (02) 9391 9101 www.health.nsw.gov.au This

More information

Do Not Attempt Resuscitation Policy

Do Not Attempt Resuscitation Policy Do Not Attempt Resuscitation Policy PROV 27 March 2009 1 Document Management Title of document Do Not Attempt Resuscitation Policy Type of document Policy PROV 27 Description To ensure that do not resuscitate

More information

Garda Vetting Policy (February 2018)

Garda Vetting Policy (February 2018) Garda Vetting Policy (February 2018) Approval date 18.01.2018 Revision Date Spring 2020 Responsibility for approval of policy Responsibility for implementation Responsibility for ensuring review ACORN

More information

Memorandum of Understanding. between. The General Teaching Council for Scotland. and. The Scottish Social Services Council

Memorandum of Understanding. between. The General Teaching Council for Scotland. and. The Scottish Social Services Council Memorandum of Understanding between The General Teaching Council for Scotland and The Scottish Social Services Council February 2011 Table of Contents 1 Introduction 3 2 Functions and Responsibilities

More information

Precedence Privacy Policy

Precedence Privacy Policy Precedence Privacy Policy This Policy describes how Precedence Health Care Pty Ltd (Precedence), and any company which it owns or controls, manages personal information for which it is responsible, specifically

More information

NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES NOTICE OF PRIVACY PRACTICES Effective Date: 2013 Wisconsin Dental Association (800) 243-4675 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS

More information

RECORDS MANAGEMENT POLICY

RECORDS MANAGEMENT POLICY RECORDS MANAGEMENT POLICY Version: 5.1 Authorisation Committee: Date of Authorisation: 31 March 2010 Ratification Committee Level 1 documents): Date of Ratification Level 1 documents): Signature of ratifying

More information