Policy for Code of Conduct on Confidentiality and Information Security

Authorship: Information Governance Group
Policy Type: Commissioning and Community Services Policy
Approved Date: March 2010
Approved Committee Group: Executive Management Team
Review Date: March 2013
Equality Impact Assessment: Completed - Screening
Policy Reference No: NCP/31
If your first language is not English, or if you would like this
document in a format for people who are blind or have
visual problems, we can make arrangements to help you.
Please contact:
Phone: 01482 672156
Textphone: 01482 315747
(Albanian) If you would like help with this document, please telephone 01430 457351
(Turkish) If you would like help with this document, please call 01430 457353.
(Polish) Do you need help understanding this document? Telephone 01430 457367
NHS East Riding of Yorkshire
Page 2 of 24
Information Governance Manager
Tony Hammond Revised July 2010
POLICY AMENDMENTS
Amendments to the Policy will be issued from time to time. A new amendment history will
be issued with each change.
Amendment Reference | Date of Issue | Issued by | Nature of Amendment
 | 18/09/2009 | T Hammond | Information security policy merged; Information Asset Owner and Asset Management added
 | 21/05/2010 | T Hammond | General Update to all sections
Contents
1 Introduction
2 Objectives, Aim and Scope
2.1 Objectives
2.2 Policy aim
2.3 Scope
3 Duty of Confidence
4 Responsibilities for Information Security
5 Legislation
6 Information Security Framework
6.1 Access Control
6.2 Classification of Sensitive Information
6.3 Protection from Malicious Software
6.4 User media
6.5 Monitoring System Access and Use
6.6 Accreditation of Information Systems
6.7 System Change Control
6.8 Intellectual Property Rights
6.9 Business Continuity and Disaster Recovery Plans
6.10 Information Asset Management
7 Confidentiality
7.1 Protecting information
7.2 Storage of Confidential Information
7.3 Disclosing and Using Confidential Patient Information
7.3.1 Obligations
7.3.2 Protecting Patient Information
7.4 Use of Internal and External Post
7.5 Faxing personal information
7.6 E-mailing information
7.7 Telephone enquiries
7.8 Disposal of information
7.9 Passwords
7.10 Working from home
7.11 Abuse of Privilege
8 General Principles
8.1 Security incident
8.2 Copying of Software
8.3 Informing Service Users
8.4 Providing choice to service users
8.5 Improve wherever possible
9 Use and disclosure of service user information
9.1 The Caldicott Principles
9.2 Obtaining Service User Consent
9.3 Recording explicit consent
9.4 Refusal/limitations on consent
9.5 Service users who are unable to consent
9.6 Reviewing consent
9.7 Answering service user questions about consent
9.8 Exemptions to the requirement for consent
9.8.1 Overriding public interest
9.8.2 Legal requirement
9.8.3 Section 60 of the Health and Social Care Act.
10 Further information and contacts
Appendix A
1 Introduction
All employees working in the NHS are bound by a legal duty of confidentiality to
protect personal information they may come into contact with during the course of their
work. This is not just a requirement of their contractual responsibilities but also a
requirement within the Data Protection Act 1998 and, in addition, for health
professionals through their own professional Codes of Conduct.
This means that employees are obliged to keep any person identifiable information
strictly confidential, e.g. service user and employee records. Disclosure and sharing
of person identifiable information are governed by the requirements of Acts of
Parliament and government guidelines. It should be noted that employees also come
into contact with non-person identifiable information, which should be treated with
the same degree of confidentiality, e.g. business in confidence information.
This policy applies to all employees of NHS East Riding of Yorkshire (NHSERY),
contract, temporary and agency staff and other people working on NHSERY premises.
The principle behind this policy is that no employee shall breach their legal duty of
confidentiality, allow others to do so, or attempt to breach any of NHSERY’s security
systems or controls in order to do so. This policy applies to all electronic and manual
information systems.
This policy should be read in conjunction with:
• The Data Protection Act 1998
• The Data Protection (Processing of Sensitive Personal Data) Order 2000
• The Human Rights Act 1998
• The Computer Misuse Act 1990
• The Health and Safety at Work Act 1974
• Regulation of Investigatory Powers Act 2000
• Freedom of Information Act 2000
• Health & Social Care Act 2001
• The Copyright Designs and Patents Act 1988
• Common Law Duty of Confidence
This policy has been produced to protect staff by making them aware of the correct
procedures so that they do not inadvertently breach any of these requirements.
Members of staff should also follow the Code of Conduct issued by the professional
body to which they are affiliated, where applicable.
2 Objectives, Aim and Scope
2.1 Objectives
The objectives of NHSERY Policy for Code of Conduct on Confidentiality and Information
Security are to preserve:
• Confidentiality - Access to Data shall be confined to those with appropriate authority.
• Integrity - Information shall be complete and accurate. All systems, assets and networks shall operate correctly, according to specification.
• Availability - Information shall be available and delivered to the right person, at the time when it is needed.
2.2 Policy aim
The aim of this policy is to establish and maintain the security and confidentiality of
information, information systems, applications and networks owned or held by the
organisation by:
• Ensuring that all members of staff are aware of and fully comply with the relevant legislation as described in this and other policies.
• Describing the principles of security and explaining how they shall be implemented in the organisation.
• Introducing a consistent approach to security, ensuring that all members of staff fully understand their own responsibilities.
• Creating and maintaining within the organisation a level of awareness of the need for Information Security as an integral part of the day to day business.
• Protecting information assets under the control of the organisation.
2.3 Scope
This policy applies to all information, information systems, networks, applications, locations
and users of NHSERY systems supplied under specific contract.
3 Duty of Confidence
All employees are responsible for maintaining the confidentiality of information gained
during their employment by NHSERY. All staff will sign Appendix A to confirm that
they have read and understood this policy.
Confidential information can be anything that relates to service users, staff (including
non-contract, volunteers, bank and agency staff, locums, student placements), their
family or friends, however stored.
For example, information may be held on paper, floppy disc, CD, computer file or
printout, video, photograph or even heard by word of mouth.
It includes information stored on portable devices such as laptops, palmtops, mobile
phones, blackberries and digital cameras.
It can take many forms including medical notes, social care information, audits,
employee records, occupational health records etc. It also includes any company
information e.g. Trust confidential information.
Person-identifiable information is anything that contains the means to identify a
person, e.g. name, address, postcode, date of birth, NHS number, National Insurance
number etc. Please note even a visual image (e.g. photograph) is sufficient to identify
an individual.
Certain categories of information are legally defined as particularly sensitive and
should be most carefully protected by additional requirements stated in legislation (e.g.
information regarding sexually transmitted diseases, HIV and termination of
pregnancy).
In the course of your work you should consider all information to be sensitive, even a
service user’s name and address. The same standards should be applied to all
information you come into contact with.
4 Responsibilities for Information Security
The Executive Director responsible for Informatics will have strategic responsibility for
Information Security. On a day-to-day basis the Associate Director of Performance and
Informatics shall be responsible for managing and implementing the policy and related
procedures.
Information and Communications Technology services are provided under a service
level agreement. The service provider will ensure that an Information Security
Management System is in place and working effectively. The service provider will
provide a named manager who will act as the Information Systems Security Manager
for NHSERY.
Line managers are responsible for ensuring that their permanent and
temporary staff and contractors are aware of:
• The information security policies applicable in their work areas
• Their personal responsibilities for information security
• How to access advice on information security matters
All staff shall comply with information security procedures including the maintenance of
data confidentiality and data integrity. Failure to do so may result in disciplinary action.
This policy shall be maintained, reviewed and updated by the Information Governance
Manager. This review shall take place as appropriate.
Line managers shall be individually responsible for the security of their physical
environments where information is processed or stored.
Each member of staff shall be responsible for the operational security of the
information systems they use.
Each system user shall comply with the security requirements that are currently in
force, and shall also ensure that the confidentiality, integrity and availability of the
information they use is maintained to the highest standard.
Contracts with external contractors that allow access to the organisation’s information
systems shall be in operation before access is allowed. These contracts shall ensure
that the staff or sub-contractors of the external organisation shall comply with all
appropriate security policies.
5 Legislation
NHSERY is obliged to abide by all relevant UK and European Union legislation. The
requirement to comply with this legislation shall be devolved to employees and agents
of NHSERY, who may be held personally accountable for any breaches of information
security for which they may be held responsible.
6 Information Security Framework
6.1 Access Control
Only authorised personnel who have a justified and approved business need shall be
given access to restricted areas containing information systems or stored data.
Access to information shall be restricted to authorised users who have a bona-fide
business need to access the information.
Access to computer facilities shall be restricted to authorised users who have a
business need to use the facilities.
Access to data, system utilities and program source libraries shall be controlled and
restricted to those authorised users who have a legitimate business need e.g.
systems or database administrators. Authorisation to use an application shall depend
on the availability of a licence from the supplier.
6.2 Classification of Sensitive Information
NHSERY shall implement appropriate information classification controls, based
upon the results of formal risk assessment and guidance contained within the
Information Governance Toolkit, to secure their NHS information assets.
The classification NHS Confidential shall be used for patients’ clinical records,
patient identifiable clinical information passing between NHS staff and between NHS
staff and staff of other appropriate agencies. In order to safeguard confidentiality, the
term “NHS Confidential” shall not be used on correspondence to a patient in
accordance with the Confidentiality: NHS Code of Practice. Documents so marked
shall be held securely at all times in a locked room to which only authorised persons
have access. They shall not be left unattended at any time in any place where
unauthorised persons might gain access to them. They should be transported
securely in sealed packaging or locked containers. Documents marked NHS
Confidential not in a safe store or in transport should be kept out of sight of visitors or
others not authorised to view them.
The classification NHS Restricted shall be used to mark all other sensitive
information such as financial and contractual records. It shall cover information
the disclosure of which is likely to:
• adversely affect the reputation of the organisation or its officers or cause substantial distress to individuals;
• make it more difficult to maintain the operational effectiveness of the organisation;
• cause financial loss or loss of earning potential, or facilitate improper gain or disadvantage for individuals or organisations;
• prejudice the investigation, or facilitate the commission of crime or other illegal activity;
• breach proper undertakings to maintain the confidence of information provided by third parties or impede the effective development or operation of policies;
• breach statutory restrictions on disclosure of information;
• disadvantage the organisation in commercial or policy negotiations with others or undermine the proper management of the organisation and its operations.
NHS Restricted documents should also be stored in lockable cabinets.
6.3 Protection from Malicious Software
The organisation shall use software countermeasures and management procedures
to protect itself against the threat of malicious software. All staff shall be expected to
co-operate fully with this policy. Users shall not install software on the organisation’s
property without permission from the Associate Director of Performance and
Informatics. Users breaching this requirement may be subject to disciplinary action.
Further information can be found in the Internet, Intranet and Email Policy (N3).
6.4 User media
Removable media of all types that contain software or data from external sources, or
that have been used on external equipment, require the approval of the Information
Systems Security Manager before they may be used on trust systems. Such media
must also be fully virus checked before being used on the organisation’s equipment.
Users breaching this requirement may be subject to disciplinary action.
6.5 Monitoring System Access and Use
An audit trail of system access and data use by staff shall be maintained and
reviewed on a regular basis.
NHSERY has in place routines to regularly audit compliance with this and other
policies. In addition, it reserves the right to monitor activity where it suspects that there
has been a breach of policy. The Regulation of Investigatory Powers Act (2000)
permits monitoring and recording of employees’ electronic communications (including
telephone communications) for the following reasons:
• Establishing the existence of facts
• Investigating or detecting unauthorised use of the system
• Preventing or detecting crime
• Ascertaining or demonstrating standards which are achieved or ought to be achieved by persons using the system (quality control and training)
• In the interests of national security
• Ascertaining compliance with regulatory or self-regulatory practices or procedures
• Ensuring the effective operation of the system.
Any monitoring will be undertaken in accordance with the above act and the Human
Rights Act 1998.
6.6 Accreditation of Information Systems
The organisation shall ensure that all new information systems, applications and
networks include a security plan and are approved by the Information Systems
Security Manager before they commence operation.
6.7 System Change Control
Changes to information systems, applications or networks shall be reviewed and
approved by the Information Systems Security Manager.
6.8 Intellectual Property Rights
The organisation shall ensure that all information products are properly licensed and
approved by the Information Systems Security Manager. Users shall not install
software on the organisation’s property without permission from the Information
Systems Security Manager. Users breaching this requirement may be subject to
disciplinary action.
6.9 Business Continuity and Disaster Recovery Plans
The organisation shall ensure that business impact assessment, business continuity
and disaster recovery plans are produced for all mission critical information,
applications, systems and networks.
6.10 Information Asset Management
Information Assets (IA) are identifiable and definable assets owned or contracted by
an organisation which are ‘valuable’ to the business of that organisation. Information
assets will likely include the computer systems and network hardware, software and
supporting utilities and staff that are required to achieve processing of this data.
Non-computerised records systems should also have an asset register containing
relevant file identifications and storage locations.
The word ‘owner’, when used in this requirement, is taken from the ISO 27002
Information Security Management standard. It should not be confused with the term
‘data owner’, as used by the Data Protection Act 1998. The standard defines an
owner as a member of staff senior enough to make decisions concerning the asset at
the highest level.
The Information Asset Owner (IAO) can assign day to day responsibility for each
Information Asset to an Information Asset Administrator (IAA) or other manager, and
this should be formalised in job descriptions. The role of the IAO is to understand
what information is held, what is added and what is removed, how information is
moved, who has access and why. As a result they should be able to understand and
address risks to the information and to ensure that information is fully used within the
law for the public good. The Information Asset Owner will also be responsible for
providing reports to the Senior Information Risk Officer (SIRO), at a minimum
annually, on the assurance and usage of their asset.
It is vital that all NHS organisations establish programmes that ensure their IAs are
identified and assigned to an IAO. The SIRO should oversee a review of the asset
register to ensure it is complete and robust.
Information Assets should be documented in an organisation asset register. In order
to establish corporate coherence it should be possible for a single asset register to
be created for the organisation. As a priority, it is essential that all critical Information
Assets are identified and included in this asset register, together with details of the
“Information Asset Owner” and risk reviews undertaken or planned. To improve its
usability and maintainability, the Information Asset register may be service, rather
than location, based.
Each Information Asset Owner should be aware of what information is held, and the
nature and justification of information flows to and from the assets they are
responsible for.
7 Confidentiality
7.1 Protecting information
Service users’ health and social care information and their interests must be
protected by following the measures in this policy.
7.2 Storage of Confidential Information
Paper-based confidential information should always be kept locked away and
preferably in a room that is locked when unattended.
Confidential personal information should be saved on to a network drive. If
removable media is used (e.g. memory stick, CD) then the media should be encrypted
and kept in locked storage when not in use. All portable electronic devices are also
encrypted because of the risk of their being lost or stolen when taken away from the
office; there have been well publicised cases in the national media where this has occurred.
All staff are responsible for the security of any data and, in the event that any such
information is transported from the organisation’s premises, will be expected to take all
necessary steps to ensure its continued security. Device and Port control have been
implemented in NHSERY and staff are expected to observe these as a basis for
ensuring security of data for which they are responsible. In the event that security is
breached, this Policy would be evidential in terms of any decision to take further
action including disciplinary action. Any breach of this type will be reported as an
incident using the NHSERY incident reporting policy.
7.3 Disclosing and Using Confidential Patient Information
Patients must be made aware of information disclosures that need to take place in order
to provide them with high quality care. In particular, clinical governance and clinical
audits, which are important elements of the care cycle, may not be obvious to patients
and should be drawn to their attention.
Similarly, patients may be aware of the need to share information between members of
their care team but may not be aware of the organisations involved or the partnership
arrangements established within jointly provided care teams. Guidance issued in the
NHS ERY Information Sharing Protocol should be followed, as it is complementary to this
policy and the “Caldicott, Data Protection & Privacy Impact Policy”.
In all cases, the effort made to inform patients should reflect the breadth of the required
disclosure. Some uses of confidential information do not contribute to or support health
and social care provision; however, they do provide benefits to society (e.g. medical
research, protecting the health of the public, health service management and financial
management).
7.3.1 Obligations
This policy and “Caldicott, Data Protection & Privacy Impact Policy” apply to all staff,
contractors and volunteers. Specific problems or barriers to change need to be
highlighted and referred to the Caldicott Guardian. NHS ERY will ensure that staff
receive appropriate training in the maintenance of a “Confidentiality Service” and are
made aware of the requirements set out in the “Confidentiality Code of Practice” and
other confidentiality agreements/information sharing protocols developed to support
partnership working.
Third parties, stakeholders or contracted organisations that work directly with NHS ERY
staff should ensure that the policy around this code of conduct is followed at all times.
In certain circumstances, third party suppliers working in the NHS ERY organisation will
be subject to confidentiality agreements and where possible, evidence of confidentiality
regulation conformance in their own organisation should be compliant with local and/or
national arrangements.
7.3.2 Protecting Patient Information
All staff should ensure compliance with established Partnership Information Sharing
Protocols and Operational Service Specific Information Sharing Agreements. Staff
working in partnership with other organisations should ensure that they are fully aware
of the information sharing protocol(s) in operation.
Accurate and secure personal health information is an essential part of patient health
care. NHSERY’s goal is for a service that works in partnership with other organisations
and has clearly established and communicated protocols for sharing information.
7.4 Use of Internal and External Post
All correspondence containing personal information should always be addressed to a
named recipient and department.
Internal mail containing confidential data should only be sent in a securely sealed
new envelope with a confidential marking in line with your department’s procedures.
External mail must also observe these rules. Special care should be taken with
personal information sent in quantity, such as case notes, or collections of service
user records on paper, floppy disc or other media. These should be sent by
Recorded Delivery or by NHS courier, to ensure that they are seen only by the
authorised recipient(s).
Original Health/Social care records should not be transferred outside the Trust. If a
client moves to another area the Medical Records Department will send a copy of the
notes on request by recorded delivery.
Electronic media should be encrypted. Advice on how to encrypt files is available
from the IT Helpdesk, telephone: 01482 347999.
7.5 Faxing personal information
• Faxes should always be addressed to named recipients and be marked
“Confidential”.
• Confirm the fax number with the recipient and ask them to acknowledge
receipt of the fax.
• Always check the number to avoid misdialling before you press the send key.
• If your fax machine stores numbers in memory, always check that the
number held is correct and current before sending sensitive information.
• Request a report sheet to confirm that the transmission has been successful.
For further information refer to the Safe Haven Procedures.
7.6 E-mailing information
Personal Data should only be sent using an NHS.net mail account to another NHS.net
mail account. For further information on sending emails beyond the immediate NHS
patch see the Internet, Intranet and email Policy (N3). In all instances the following
guidelines must be observed:
• Consider if email is the best way to send the data. Whenever possible
patient or person identifiable information, particularly that of a confidential
nature, should be sent via the normal postal system and marked as
confidential and addressee only. If the recipient can access the same
shared drive as the sender the document could be placed on the drive for
both to access. The document should be password protected, see the
Internet, Intranet and email Policy (N3).
• Limit the number of recipients of the message to as few as possible.
• Double check that you have the correct recipient(s) before pressing the
“send” button. Messages containing personal data sent to the wrong
recipient will be classed as a breach of confidentiality and will be reported as
an adverse incident, even if it is another NHS employee.
• Staff should edit their entry in the global address book to provide information
such as location, address and phone number. This will ensure the
identification of the correct recipient, particularly for staff who share the same
name with others in NHSERY and from other local NHS organisations
detailed in the global address book.
• Limit the amount of data to only that which is needed for the purpose it is
being sent. Do not send more, just in case the recipient needs it.
• Send to email addresses that are person specific unless the e-mail can be
dealt with by any member of the team reading the e-mail (e.g. a request for a
medical record sent to the medical records e-mail).
• Mark the message as NHS Confidential in the subject as well as in the
message properties.
• Be aware that e-mail can be forwarded by the initial recipient to third parties
against your wishes or by accident.
• Do not use person identifiable information in subject titles and document
names e.g. use a unique identifier or initials instead of the person’s name.
• Include a note to say that the receiver of patient identifiable data is
responsible for the security and confidentiality of that data and should not
pass it on to anyone else, via any method, who does not have a justified
‘need to know’.
• Any attachments should be password protected, see Internet, Intranet and
Email (N3) Policy for guidance on how to do this. Do not include the
password in the body of the message. Transmit the password by other
means, such as telephone (as you will know you have spoken to the right
person).
• When in receipt of personal data remove it from your email system as soon
as possible and file it appropriately, either electronically or on paper.
• Do not keep personal data on email for longer than is necessary.
• Where there is a more formal method for the communication of information,
such as a ‘web-based’ referral system, then that should be used.
• If ‘delegate’ access is granted to other people to your inbox, consider
whether they need to see any personal data you receive.
7.7 Telephone enquiries
Information should only be given over the telephone if you are confident of the
identity of the caller. If you are not, you should always take a number, verify it
independently and call back via their switchboard where possible.
Always check whether they are entitled to the information they request. Information
on service users should only be released on a need-to-know basis. If in doubt, check
with your line manager or the Information Governance Manager.
7.8 Disposal of information
When disposing of paper-based person-identifiable information or confidential
information always use ‘Confidential Waste’ sacks/shredders. Computer printouts
should either be shredded or disposed of as paper-based confidential waste.
Floppy discs/CDs/Videos containing confidential information must be either
reformatted or destroyed securely. Disposal of any magnetic media requires
guidance from the IT Helpdesk, telephone: 01482 347999.
Computer files with confidential information no longer required must be deleted from
both the PC and the server if necessary. Computer hard disks are
destroyed/disposed of by the IT experts within the Health Informatics Service.
For further information refer to the Protocol for the Secure Disposal of Hard Drives.
7.9 Passwords
Personal passwords issued to or created by employees should be regarded as
confidential and those passwords must not be communicated to anyone.
• Passwords should not be written down.
• Passwords should not relate to the employee or the system being accessed.
• Passwords should not be shared with colleagues.
A joint directory should be set up if you need to access information on a colleague’s
computer e.g. to cover annual leave. For further advice, please contact the IT Help
Desk.
No employee should attempt to bypass or defeat the security systems or attempt to
obtain or use passwords or privileges issued to other employees. Any attempts to
breach security should be immediately reported, via your line manager, using the
Adverse Incident Procedure.
7.10 Working from home
If you need to take personal information out of the office to work from home you need
to gain approval from your manager. If they agree, you would need to ensure the
following are considered and remember that there is personal liability under the Data
Protection Act 1998 and your contract of employment for breach of these
requirements:
• Ensure you have authority to take the records. This will need to be granted
by your line manager.
• If you are taking manual records please follow your localised tracking system
to ensure there is a record that you have these records, where you are taking
them and when they will be returned. Records should be removed for the
minimum amount of time possible.
• Make sure they are put in the locked boot of the car or carried on your
person while being transported from your work place to your home.
If you transfer data from your work computer to your home computer using
electronic disc, CD, memory stick or any other means of electronic storage you
must ensure that, when your work is complete, all information is removed from
your home computer and is at no stage left where it can be accessed by family
members or friends.
Computer records on electronic disc, CD and memory stick MUST be virus checked
before being loaded onto any of the organisation’s systems – especially any which
can be accessed via the network.
7.11 Abuse of Privilege
It is strictly forbidden for employees to look at any information relating to their own
family, friends or acquaintances unless they are directly involved in the service user’s
clinical care or with the employees’ administration on behalf of the organisation.
Action of this kind will be viewed as a breach of confidentiality and may result in
disciplinary action. If you have concerns about this issue please discuss with your
line manager.
8 General Principles
• Do not talk about service users in public places or where you can be
overheard.
• Do not leave any medical records or confidential information lying around
unattended.
• Make sure that any computer screens, or other displays of information,
cannot be seen by others.
8.1 Security incident
A Security Incident is any event that has or could: -
• cause an unauthorised disclosure of confidential information
• put the integrity of a computer system or data at risk
• put the availability of the system or information at risk
• have an adverse impact e.g. embarrassment to the NHS.
All incidents or information indicating a suspected or actual security breach should
be reported, via your line manager, using the Adverse Incident Procedure. Any I.T.
breaches should be reported both to your line manager and to the I.T. Service
Desk.
8.2 Copying of Software
All computer software used with the organisation is regulated by license agreements.
A breach of the agreement could lead to legal action against the organisation and/or
the offender (member of staff).
It is important that software on the PCs/systems used for work purposes must not be
copied and used for personal use. This would be a breach of the license agreement.
8.3 Informing Service Users
Service users must be made aware that the information they give may be recorded,
may be shared in order to provide them with care, and may be used to support
clinical audit and other work to monitor the quality of care provided. Staff should
consider whether service users would be surprised to learn that their information was
being used in a particular way – if so, then they are not being effectively informed. In
order to inform service users properly, staff must:
• Check where practicable that “Your information – Our key to your best health
care” information leaflet has been read and understood.
• Make clear to service users when information is recorded or when health
records will be accessed;
• Make clear to service users when staff are or will be disclosing information to
others;
• Check that service users are aware of the choices available to them in
respect of how their information may be disclosed and used;
• Check that service users have no concerns or queries about how their
information is disclosed and used
• Answer any queries personally or direct the service user to the Caldicott and
Data Protection Officer (infogov@erypct.nhs.uk) who can answer their
questions;
• Respect the right of service users and facilitate them in exercising their right
to have access to their health records.
Further details can be found in the Guidance for informing service users about the
uses of their information.
8.4 Providing choice to service users
Service users have different needs and values – this must be reflected in the way
they are treated, both in terms of their medical condition and the handling of their
personal information. What is very sensitive to one person may be casually
discussed in public by another – just because something does not appear to be
sensitive does not mean that it is not important to an individual service user in his or
her particular circumstances. Staff must:
• Ask service users before using their personal information in ways that do not
directly contribute to, or support the delivery of, their care
• Respect service users’ decisions to restrict the disclosure or use of
information, except where exceptional circumstances apply, see Section 9.8
• Communicate effectively with service users to ensure they understand what
the implications may be if they choose to agree to or restrict the disclosure of
information
• Note any restrictions placed by the service user in their medical record and
on their computer record
Further details can be found in the Guidance for informing service users about the
uses of their information.
8.5 Improve wherever possible
It is not possible to achieve best practice overnight. Staff must:
• Be aware of the issues surrounding confidentiality and seek training or
support where uncertain in order to deal with them appropriately
• Report possible breaches or risk of breaches by using the Adverse Incident
Procedure
9 Use and disclosure of service user information
The following section deals with the uses and disclosures of service user information,
including the issue of consent. Further information can be found in:
• General Protocol for Sharing Information between Agencies in Kingston upon
Hull and the East Riding of Yorkshire
• Caldicott and Data Protection Policy
• Clinical Audit and Effectiveness Strategy
9.1 The Caldicott Principles
The use and disclosure of service user information must comply with the following
principles: -
• Justify the purpose of using service user information.
• Only use the information when absolutely necessary.
• Use the minimum necessary information.
• Access to the information should be on a strict need to know basis.
• Everyone should be aware of their responsibilities in respect of
confidentiality.
• Understand and comply with the law for example the Data Protection Act
1998.
9.2 Obtaining Service User Consent
Information provided in confidence should not be used or disclosed in a form that
might identify a service user without his or her consent, subject to certain
exemptions, see 9.8.
Where patients have been informed of: -
• the use and disclosure of their information associated with their health care
and
• the choices that they have and the implications for choosing to limit how
information may be used or shared,
then information may be disclosed to provide the service user with treatment and
care without explicit consent. Explicit consent is required for any purpose other
than the provision of healthcare, unless anonymised information is being used /
disclosed.
Explicit consent should be obtained at the earliest opportunity. In order to gain
consent, the service user must be informed of:
• what information is to be shared
• who it is to be shared with
• the purpose for sharing the information.
It should be made clear to the service user that they have the right to withhold their
consent (see Section 9.4)
Ideally, consent should be sought from the member of staff/team who collected the
confidential information.
In some circumstances, an organisation requiring information for a further purpose
may have already gained consent. A copy of the signed consent should be
obtained prior to the release of information.
9.3 Recording explicit consent
Explicit consent should be in writing with a copy given to the individual and a copy
placed in the individual’s file. If consent is obtained verbally, this should be
documented in the individual’s file. Wherever possible, a service area should use an
appropriate standard consent form to record consent.
Clinical audit and research projects requiring explicit consent will retain the explicit
consent form with the project documentation.
9.4 Refusal/limitations on consent
Service users do have the right to object to information they provide in confidence
being disclosed to a third party in a form that identifies them, even if this is someone
who might provide essential healthcare, subject to certain exemptions (see Section
9.8). They may also limit the consent given. Where service users are competent to
make such a choice and where the consequences of the choice have been fully
explained, the decision should be respected. This is no different from a service user
exercising his or her right to refuse treatment.
In such circumstances staff should:
• Clearly establish the concerns of the service user and look at whether there
is a technical or procedural way of satisfying the consent without unduly
compromising care.
• Explore the options for providing an alternative form of care or to provide
care through alternative arrangements.
• Assess the options that might be offered to the service user, balancing the
risks, staff time and other costs attached to each alternative that might be
offered against the risk to the service user of not providing healthcare.
Careful documentation of the decision making process and the choices made by the
service user must be included within the service user’s record or the explicit
consent form that will be included in the service user’s record.
Any restrictions placed by the service user must be noted in the medical record and
an alert placed on the inside cover of their medical record and on their computer
record.
If the service user chooses not to give consent, to revoke consent or to limit their
consent then they should be informed that this may limit the services that can be
provided to them. Service users should be informed that if consent is revoked, it
may not be possible to retrieve information already shared. In exceptional
circumstances, it will be possible to proceed with the information sharing without
explicit consent (see Section 9.2).
9.5 Service users who are unable to consent
Where a service user is incapacitated and unable to consent, information should only
be disclosed in the service user’s best interests, and then only as much information
as is needed to support their care. Any previously expressed wishes, informed by
the views of relatives or carers as to the likely wishes of the service user, should be
taken into account. If a service user has made his or her preferences about
information disclosures known in advance, this should be respected. Decisions to
disclose and the justification for disclosing should be noted in the service user’s
records.
9.6 Reviewing consent
In most cases consent will endure for as long as the processing to which it relates
continues. However, consent may need to be reviewed if, for example, the purpose
for which the information is to be shared has changed, or the information is to be
given to different agencies other than originally agreed with the service user.
9.7 Answering service user questions about consent
When seeking explicit consent, service users should be given the opportunity to talk
to someone they can trust and of whom they can ask questions.
The service user should be given support and explanations about any form that they
are required to sign.
If the member of staff is unable to answer the service user’s questions, the service
user should be directed to the Caldicott and Data Protection Officer
(infogov@erypct.nhs.uk).
9.8 Exemptions to the requirement for consent
There are certain circumstances when personal information given in confidence may
be used or disclosed without the service user’s consent, these are: -
9.8.1 Overriding public interest
Personal data may be disclosed to prevent and support detection,
investigation and punishment of serious crime and/or to prevent abuse or
serious harm to others. Decisions to disclose in these circumstances must
be made on a case by case basis, justifying that the public good that would
be achieved by the disclosure outweighs both the obligation of confidentiality
to the individual service user concerned and the broader public interest in the
provision of a confidential service.
A record must be made of any such circumstances, so that there is clear
evidence of the reasoning used and the circumstances prevailing.
Disclosures in the public interest should also be proportionate and be limited
to relevant details. It may be necessary to justify such disclosures to the
courts or to regulatory bodies and a clear record of the decision making
process and the advice sought is in the interest of both staff and the
organisation. A decision not to disclose information that could prevent the
risk of harm to the patient or others should also be documented and the
justification for not disclosing noted.
Wherever possible the issue of disclosure should be discussed with the
individual concerned and consent sought. Where this is not forthcoming, the
individual should be told of any decision to disclose against his/her wishes.
This will not be possible in certain circumstances, e.g. where the likelihood of
a violent response is significant or where informing a potential suspect in a
criminal investigation might allow them to evade custody, destroy evidence
or disrupt an investigation.
Consideration should also be given to the disclosure of anonymised
information – at least at the outset. For example, if a patient disclosed that Dr
X sexually assaulted a patient and the patient does not agree to be named,
the concern may be reported without revealing the identity of the patient. The
disclosure may reveal a cluster of complaints or a pattern of behaviour. It
should be made clear to the patient that there is a duty to protect the safety
of other NHS patients and their identity may need to be revealed in the
future. The disclosure of partial information will need to be reviewed by the
relevant healthcare professional to ensure that the information given has
allowed sufficient action to be taken that is in proportion to the risk.
An example of such a disclosure is where a patient continues to drive,
against medical advice, when unfit to do so. In such circumstances the
healthcare professional should disclose relevant information to the medical
adviser of the DVLA. (GMC Confidentiality: Protecting and Providing
Information – September 2000).
If further advice is required on disclosing information in such circumstances,
please seek advice from the Caldicott and Data Protection Officer
(infogov@erypct.nhs.uk).
9.8.2 Legal requirement
Some statutes place a strict requirement on clinicians or other staff to
disclose information. Care should be taken however to only disclose the
information required to comply with and fulfil the purpose of the law. If staff
have reason to believe that complying with a statutory obligation to disclose
information would cause serious harm to the service user or another person,
they should seek legal advice. The main requirements to disclose are
detailed on the Department of Health web-site at
http://www.dh.gov.uk/PublicationsAndStatistics/Publications/PublicationsPolicyAndGuidance/PublicationsPolicyAndGuidanceArticle/fs/en?CONTENT_ID=4069253&chk=jftKB%2B
The courts, including coroner’s courts, and some tribunals and persons
appointed to hold inquiries have legal powers to require that information that
may be relevant to matters within their jurisdiction be disclosed. This does
not require the consent of the service user whose records are to be disclosed
but he/she should be informed, preferably prior to disclosure. Disclosures
must be strictly in accordance with the terms of a court order and to the
bodies specified in the order. Where staff are concerned that a court order
requires disclosure of sensitive information that is not relevant to the case in
question, they may raise ethical concerns with the judge or presiding officer.
If however the order is not amended it must be complied with.
9.8.3 Section 60 of the Health and Social Care Act
Section 60 of the Health and Social Care Act 2001 makes it lawful to disclose
and use confidential patient information in specified circumstances where it is
not currently practicable to satisfy the common law confidentiality obligations.
This does not create new statutory gateways, so the processing must still be
for a lawful function, but does mean that the confidentiality obligations do not
have to be met, e.g. consent does not have to be obtained. Even where
these powers apply however, the Data Protection Act 1998 also continues to
apply.
This is intended primarily as a temporary measure until anonymisation
measures or appropriate recording of consent can be put in place. The
Government has made it clear that it will only introduce such requirements
where necessary and upon the advice of the independent statutory Patient
Information Advisory Group (PIAG). See:
www.dh.gov.uk/PublicationsAndStatistics/Publications/PublicationsPolicyAndGuidance/PublicationsPolicyAndGuidanceArticle/fs/en?CONTENT_ID=4069253&chk=jftKB%2B
for more details, including guidance on applications for support.
Where the powers provided by this legislation are used to support the
processing of confidential patient information there will be additional
safeguards and restrictions on the use and disclosure of the information.
These may differ from case to case and change over time where the process
of annual review required by the legislation results in more stringent
safeguards being applied.
10 Further information and contacts
Further guidance regarding confidentiality and patients' consent to use their health
records can be found in the Confidentiality: NHS Code of Practice. A copy of this
document can be obtained from the Caldicott and Data Protection Officer
(infogov@erypct.nhs.uk). Further information may also be found in the following
policies and procedures available on the Intranet.
• Access to Medical Records Protocol
• Caldicott and Data Protection Policy
• General Protocol for Sharing Information between Agencies in Kingston upon
Hull and the East Riding of Yorkshire
• Records Management Policy
• Guidance for informing service users about the uses of their information
• Internet, Intranet and E-mail (N3) Policy
• Safe Haven Procedures
If you have any questions relating to this Code please speak to your line manager
or alternatively contact: Caldicott and Data Protection Officer – (infogov@erypct.nhs.uk).
Appendix A
Your personal responsibility concerning security and confidentiality of information
(relating to patients, staff and the organisation)
During the course of your time with NHSERY, you may acquire or have access to
confidential information which must not be disclosed to any other person unless in pursuit
of your duties or with specific permission given by a person on behalf of the organisation.
This condition applies during your relationship with NHSERY and after the relationship
ceases.
Confidential information includes all information relating to the organisation and its patients
and employees. Such information may relate to patient records, telephone enquiries about
patients or staff, electronic databases or methods of communication, use of fax machines,
hand-written notes made containing patient information etc. If you are in doubt as to what
information may be disclosed, you should check with your line manager.
The Data Protection Act 1998 regulates the use of computerised information and paper
records of identifiable individuals (patients and staff). NHSERY is registered in accordance
with this legislation. If you are found to have made an unauthorised disclosure you may
face legal action.
I understand that I am bound by a duty of confidentiality and I have read and understood
this Policy and the requirements of the Data Protection Act 1998.
PRINT NAME:
SIGNATURE:
DATE:
Please retain a copy of this agreement. The original must be forwarded to the Personnel
Department for inclusion in your record.