SOP 5 PRIVACY and DATA PROTECTION

SOP Title: Privacy and Data Protection
SOP No.: SOP 5
Author: Julia Farmery
Consulted Departments: Lincolnshire Clinical Research Facility, Research and Development, Trust consultants and Research staff.
Lead Manager (Sign and Print Name): Dr. Tanweer Ahmed, Director of LCRF and Research and Development Manager
Date published: 10th March 2010
Review date of SOP: 10th March 2012
Version: 1

EMPLOYEE RECORD OF HAVING READ AND UNDERSTOOD THE SOP POLICY FOR UNITED LINCOLNSHIRE HOSPITALS TRUST

PRINT FULL NAME    SIGNATURE    DATE

Purpose:
To ensure all patients' personal information and their data is stored and collected, maintained and treated with the utmost confidence and respect. This means adhering to patients' rights of privacy within the Data Protection Act (1998), the Caldicott guardians and its principles, the Freedom of Information Act 2000 and the Health and Social Care Act 2008. It also means adhering to the standards set within the UK Clinical Trial Directives 2004 and its statutory bodies and the regulatory bodies which we as professionals and NHS employees adhere to, within our contract of employment and professional duties.

Applies to: All SOPs

Relevant SOP Documentation: SOP 6 Storage and Archiving

Definitions:
ULHT: United Lincolnshire Hospitals Trust
SOP: Standard Operating Practices

Policy:
Human Rights Act 1998 (1998) The Stationery Office: London. http://www.hmso.gov.uk/acts/acts1998/19980042.htm
Department of Health (1999) Caldicott guardians. Department of Health: London (Health service circular: HSC 1999/012)
Freedom of Information Act 2000. Freedom of Information. Accessed on 23/11/2009 at www.dh.gov.uk/en/freedomofinformation/dh_4102350
Health and Social Care Act (2008) Department of Health. Accessed on 16/11/2009. Available at http://www.dh.gov.uk/en/publicationsandstatistics/legislation/actsandbills/healthand...
NHS Modernisation Agency. Essence of Care (2003) Patient focused benchmarks for clinical governance. Accessed on 16/11/2009 at http://intranet/home/homepage.htm
Information Governance, Caldicott Data and Information Security. ULHT Intranet Site. Accessed 16/11/2009 on intranet (http://intranet/applications/documents/) then go Search...Information Governance
The UK Clinical Trial Regulations No. 1031, No. 2754, No. 2759, No. 1928, No. 2984, No. 941, No. 1164.
Policy for Developing and Implementing Clinical Guidelines. United Lincolnshire Hospitals Trust Intranet website and Trial Master File
Code of Good Research Conduct/Misconduct Policy. United Lincolnshire Hospitals Trust Intranet website and Trial Master File
Confidentiality Code of Practice for the United Lincolnshire Hospitals Trust. United Lincolnshire Hospitals Trust Intranet (http://intranet/applications/documents/) then go to Search..Confidentiality; also available in Trial Master File
Policy on Fraud, Corruption, Theft and other illegal acts. United Lincolnshire Hospitals Trust Intranet (http://intranet/applications/documents/) then go Search..Fraud and misconduct.
Guidance on Computer Misuse Act (1990). Information System Services Overview. Lancaster University. Accessed on 18/11/2009 at http://www.lancs.ac.uk/iss/rules/cmissue.htm.
UK CS. UK copyright law: A summary. Copyright, Designs and Patents Act (1988). Accessed on 18/11/2009 at http://www.copyrightservice.co.uk/copyright/uk_law_summary
Safeguarding Vulnerable Groups Act (2006) Safeguarding Vulnerable Groups Act 2006. Independent Safeguarding Authority Scheme consultation. Department of Health: Home Office.

Procedure:

1. Privacy

Privacy is covered in the UK Clinical Trial Regulations (2004) as having the right to.. and protection of... This SOP applies as guidance for best practice to all procedures involving subjects and/or any data which may be classified as the following.

The Department of Health set out guidance through the NHS Modernisation Agency regarding patient focused benchmarks for Privacy and Dignity. It is stated within this document that privacy should be interpreted as meaning being free from intrusion. They conclude that patients benefit from care that is focused upon respect for the individual. They focus on 7 factors as an agreed patient outcome for a gold standard in practice, which we should be adhering to in order to ensure privacy is maintained and upheld with our patients.

1. Attitudes and behaviours: Patients feel that they matter all of the time.
2. Personal world and personal identity: Patients experience care in an environment that actively encompasses individual values, beliefs and personal relationships.
3. Personal boundaries and space: Patients' personal space is actively promoted by all staff.
4. Communicating with staff and patients: Communication between staff and patients takes place in a manner which respects their individuality.
5. Privacy of patient, confidentiality of patient information: Patient information is shared to enable care, with their consent.
6. Privacy, dignity and modesty: Patients' care actively promotes their privacy and dignity, and protects their modesty.
7. Availability of an area for complete privacy: Patients and/or carers can access an area that safely provides privacy.

Privacy = Freedom from intrusion
Dignity = Being worthy of respect

Essence of Care. Patient focused benchmarks for Clinical Governance. (2003). NHS Modernisation Agency: Department of Health, London.

2. Data Protection

Alongside the Data Protection Act are the Caldicott Principles. Each Trust has a Caldicott guardian. The Caldicott guardian works hand in hand with the principles of the Data Protection Act 1998, which came into force on the 1st March 2000.

The Caldicott guardian ensures six principles are upheld and maintained, covering information held in whatever format. These principles must be adhered to when collecting, transferring or working with any patient information.

The six principles are:
- Justify the purpose of using confidential information
- Only use when absolutely necessary
- Not excessive, use minimum required.
- Access to patient identifiable information should be on a strict need-to-know basis
- Everyone with access to patient identifiable information should be aware of their responsibilities
- Understand and comply with the law.

Sylvia Knight, Chief Nurse, is the Caldicott Guardian for United Lincolnshire Hospitals NHS Trust.
The Data Protection Act (1998) states that we must keep all personal/sensitive information/data confidential. It further goes on to state that we must never divulge more information than is required. Furthermore, patient information must only be given to authorised personnel, securely and in an appropriate manner.

United Lincolnshire Hospitals NHS Trust has several Information Governance Officers and IT Security and Access Managers/employees to ensure data within the trust is maintained and upheld to these standards.

Assistant Director of IT: Nigel Gay, Ext - 3959
Caldicott Guardian: Sylvia Knight, Trust HQ x 2831
Security and Access Services Manager: Andrew Stocks, Lincoln x 3312
Information Governance Officer: Vacancy, Lincoln x
Data Quality Manager: Sarah Harley, Ext Pilgrim x 01205 445501
IT Security and Access Officer: Cassie Scullion, Lincoln x3431

The main Data Protection points are:
1. Fairly and lawfully processed
2. Processed for specified purpose
3. Adequate, relevant and not excessive
4. Accurate
5. Not kept longer than necessary
6. Processed in accordance with the data subject's rights
7. Secure
8. Not transferred to countries without adequate protection

The rights that patients have under the Data Protection Act (1998):
- They have a right to know why you want to use their information and that you will use, store and dispose of it responsibly.
- They have a right to see any data held and amend/delete/apply for compensation if any details are not correct; this is called subject access.

The Medicines and Healthcare Products Regulatory Agency (MHRA) states that the Data Protection Act 1998, Human Rights Act 1998 and the Freedom of Information Act are linked. Moreover, they are intended to help maintain an equal and just balance between the rights and interests of individuals. They further go on to comment that this is particularly apparent in the balance between the freedom of processing information and the rights and privacy that must be maintained.

As well as the above acts, the other relevant legislation that runs alongside these policies is the Health and Social Care Act 2008.

The Health and Social Care Act 2008 is split into 4 sections, two of which are relevant for this document:
- Care Quality Commission
- Professional regulation

These are overviewed and regulated within this piece of legislation, to ensure professional regulation and public health protection.

3. The Freedom of Information Act

The Freedom of Information Act (2000) was a response to a white paper, "Your Right to Know" (1997). The Freedom of Information Act applies a holistic and open approach to managing records. The act has two parts:

Under part 1 of the act, anyone may make a request for information to any authority within the public domain. They have to provide this request in writing, stating their name and address and describing the information that they require. If personal information is required, the identity of the enquirer needs to be established in order to consider releasing information of a personal nature.

The public authority then has a duty to confirm or deny. They must confirm or deny whether or not they hold this information and, if they do, supply it within 20 working days from the receipt of request.

If the authorities are unable to find the information requested, then assistance can be obtained to locate the information requested. However, if the information subsequently cannot be found, then the authorities have a duty to inform the enquirer and assist them in making further applications.
If the requester does not stipulate what format they require, or what type of information they wish to see, the authority may supply the information to the requester in whatever reasonable means is acceptable. However, if a request is made which is not practical or possible, the authority has to explain why this information cannot be disseminated in this way.

Part 2 of the act has 23 exemptions stating the rights to access information, relating to laws such as data protection, law enforcement and national security.

"Duty to confirm or deny": this statement briefly means whether or not the public interest in withholding information outweighs the public interest in disclosing it. Certain exemptions have to be considered. There are Absolute Exemptions and Qualified Exemptions. In cases where a requested document contains some exempt information, only those specified exempt pieces of information can be withheld.

All authorities need to inform the applicant if a refusal of a request has been processed, within 20 days from receipt of the initial request. This decision must specify the exemption and state why it applies. If a decision regarding the release of information has not been clarified, the applicant must be informed of this process and given a completion date.

An authority has the right to charge a fee, as per the sliding scale set. The applicant must be informed of this in writing prior to the decision. There is no obligation to supply the information until the fee is paid. If 3 months lapse and no fee has been paid, the case has ended.

Record Management

The act integrates existing rights to access public records, covered under the Public Records Acts of 1958 and 1967, with the new wider rights of access to information. Under the Freedom of Information Act (2000), all records become generally available unless specific exemptions can be applied. However, after 30 years, records become historical records and many of the Freedom of Information Act's exemptions cease to apply, as does the duty to confirm or deny rule.

Please see the Archiving Requirements SOP for more information on this topic.

4. Responsibilities

It is the responsibility of all individuals dealing with patients to ensure their privacy and data is maintained: to ensure it is safe, not used in any context other than its purpose, and only held and transferred by methods approved by the trust.

All information is to be stored on approved computers on the H drive or shared folders within the secure system set up within ULHT.

Any personal information regarding patients and/or their details is to be sent by special delivery and tracked. Details not pertaining to individuals can be sent under recorded delivery.
If any breach of information or privacy is noted, please report to your line managers, who will then decide whether to direct it higher. This will be based on the use of relevant SOPs and trust policies in place; the action depends on the relevance and nature of the incident.

It is a responsibility of all to never share passwords and to inform IT or the relevant department if you are unable to access a site or require updates.

We must all be aware of the data protection policies and how they relate to us, our patients and the information we gather. Similarly, the trust's chief nurse, Sylvia Knight, is the Caldicott Guardian for the trust, and the principles she upholds and protects are above. We must all familiarise ourselves with these for means of patient safety and to abide by the Health and Social Care Act 2008.

All information can be sourced from the trust intranet, local department policies such as SOPs, and the relevant personnel in place within the trust.

References:
UK CS. UK Copyright law: A summary. The UK Copyright Service. Copyright, Designs and Patents Act 1988. Accessed on 18/11/2009 at http://www.copyrightservice.co.uk/copyright/uk_law_summary.
Health and Social Care Act (2008) Health and Social Care Act. Department of Health. Accessed on 16/11/2009 at http://www.dh.gov.uk/en/publicationsandstatistics/legislation/actsandbills/healthand...
NHS Modernisation Agency. Essence of Care (2003) Patient focused benchmarks for clinical governance. Accessed on 16/11/2009 at http://intranet/home/homepage.htm
Information Governance, Caldicott Data and Information Security. ULHT Intranet Site. Accessed 16/11/2009 on intranet (http://intranet/applications/documents/) then go Search...Information Governance
Birmingham Women's NHS Foundation Trust. Caldicott. Accessed on 18/11/2009 at http://www.bwhct.nhs.uk/info-gov-home/info-gov-caldicott.htm
Medicines and Healthcare Products Regulatory Agency (2006) Data Protection. Accessed on 16/11/2009 at http://www.mhra.gov.uk/aboutus/freedomofinformationanddataprotection/dataprote...
Freedom of Information Act (2000) Freedom of Information. Accessed on 23/11/2009 at http://www.dh.gov.uk/en/freedomofinformation/dh_4102350

This SOP will be reviewed every two years; an updated revision of the SOP will be implemented if local, national or international regulations change. This would therefore replace the existing document.

All SOPs can be located on the Research and Development shared file, and a hard copy of all SOPs is kept in the Trial Master File.