Policy for Code of Conduct on Confidentiality and Information Security
Authorship: Information Governance Group
Policy Type: Commissioning and Community Services Policy
Approved Date: March 2010
Approved Committee Group: Executive Management Team
Review Date: March 2013
Equality Impact Assessment: Completed - Screening
Policy Reference No: NCP/31

If your first language is not English, or if you would like this document in a format for people who are blind or have visual problems, we can make arrangements to help you. Please contact Phone: 01482 672156 Textphone: 01482 315747

If you would like help with this document, please telephone 01430 457351. (Albanian)
If you would like help regarding this document, please call 01430 457353. (Turkish)
Do you need help understanding this document? Telephone 01430 457367. (Polish)

NHS East Riding of Yorkshire, Page 2 of 24, Information Governance Manager Tony Hammond, Revised July 2010

POLICY AMENDMENTS

Amendments to the Policy will be issued from time to time. A new amendment history will be issued with each change.

Date of Issue | Issued by | Nature of Amendment
18/09/2009 | T Hammond | Information security policy merged; reference to Information Asset Owner and Asset Management added
21/05/2010 | T Hammond | General update to all sections

Contents

1 Introduction ..... 5
2 Objectives, Aim and Scope ..... 6
2.1 Objectives ..... 6
2.2 Policy aim ..... 6
2.3 Scope ..... 6
3 Duty of Confidence ..... 6
4 Responsibilities for Information Security ..... 7
5 Legislation ..... 8
6 Information Security Framework ..... 8
6.1 Access Control ..... 8
6.2 Classification of Sensitive Information ..... 8
6.3 Protection from Malicious Software ..... 9
6.4 User media ..... 9
6.5 Monitoring System Access and Use ..... 9
6.6 Accreditation of Information Systems ..... 10
6.7 System Change Control ..... 10
6.8 Intellectual Property Rights ..... 10
6.9 Business Continuity and Disaster Recovery Plans ..... 10
6.10 Information Asset Management ..... 10
7 Confidentiality ..... 11
7.1 Protecting information ..... 11
7.2 Storage of Confidential Information ..... 11
7.3 Disclosing and Using Confidential Patient Information ..... 12
7.3.1 Obligations ..... 12
7.3.2 Protecting Patient Information ..... 12
7.4 Use of Internal and External Post ..... 13
7.5 Faxing personal information ..... 13
7.6 E-mailing information ..... 13
7.7 Telephone enquiries ..... 14
7.8 Disposal of information ..... 15
7.9 Passwords ..... 15
7.10 Working from home ..... 15
7.11 Abuse of Privilege ..... 16
8 General Principles ..... 16
8.1 Security incident ..... 16
8.2 Copying of Software ..... 16
8.3 Informing Service Users ..... 17
8.4 Providing choice to service users ..... 17
8.5 Improve wherever possible ..... 18
9 Use and disclosure of service user information ..... 18
9.1 The Caldicott Principles ..... 18
9.2 Obtaining Service User Consent ..... 18
9.3 Recording explicit consent ..... 19
9.4 Refusal/limitations on consent ..... 19
9.5 Service users who are unable to consent ..... 20
9.6 Reviewing consent ..... 20
9.7 Answering service user questions about consent ..... 20
9.8 Exemptions to the requirement for consent ..... 21
9.8.1 Overriding public interest ..... 21
9.8.2 Legal requirement ..... 22
9.8.3 Section 60 of the Health and Social Care Act ..... 22
10 Further information and contacts ..... 23
Appendix A ..... 24

1 Introduction

All employees working in the NHS are bound by a legal duty of confidentiality to protect personal information they may come into contact with during the course of their work. This is not just a requirement of their contractual responsibilities but also a requirement within the Data Protection Act 1998 and, in addition, for health professionals through their own professional Codes of Conduct.

This means that employees are obliged to keep any person identifiable information strictly confidential, e.g. service user and employee records. Disclosure and sharing of person identifiable information are governed by the requirements of Acts of Parliament and government guidelines.

It should be noted that employees also come into contact with non-person identifiable information which should be treated with the same degree of confidentiality, e.g. business in confidence information.

This policy applies to all employees of NHS East Riding of Yorkshire (NHSERY), contract, temporary and agency staff and other people working on NHSERY premises. The principle behind this policy is that no employee shall breach their legal duty of confidentiality, allow others to do so, or attempt to breach any of NHSERY's security systems or controls in order to do so. This policy applies to all electronic and manual information systems.
This policy should be read in conjunction with:

• The Data Protection Act 1998
• The Data Protection (Processing of Sensitive Personal Data) Order 2000
• The Human Rights Act 1998
• The Computer Misuse Act 1990
• The Health and Safety at Work Act 1974
• Regulation of Investigatory Powers Act 2000
• Freedom of Information Act 2000
• Health & Social Care Act 2001
• The Copyright Designs and Patents Act 1988
• Common Law Duty of Confidence

This policy has been produced to protect staff by making them aware of the correct procedures so that they do not inadvertently breach any of these requirements. Members of staff should also follow the Code of Conduct issued by the professional body to which they are affiliated, where applicable.

2 Objectives, Aim and Scope

2.1 Objectives

The objectives of the NHSERY Policy for Code of Conduct on Confidentiality and Information Security are to preserve:

• Confidentiality - Access to data shall be confined to those with appropriate authority.
• Integrity - Information shall be complete and accurate. All systems, assets and networks shall operate correctly, according to specification.
• Availability - Information shall be available and delivered to the right person, at the time when it is needed.

2.2 Policy aim

The aim of this policy is to establish and maintain the security and confidentiality of information, information systems, applications and networks owned or held by the organisation by:

• Ensuring that all members of staff are aware of and fully comply with the relevant legislation as described in this and other policies.
• Describing the principles of security and explaining how they shall be implemented in the organisation.
• Introducing a consistent approach to security, ensuring that all members of staff fully understand their own responsibilities.
• Creating and maintaining within the organisation a level of awareness of the need for Information Security as an integral part of the day to day business.
• Protecting information assets under the control of the organisation.

2.3 Scope

This policy applies to all information, information systems, networks, applications, locations and users of NHSERY systems supplied under specific contract.

3 Duty of Confidence

All employees are responsible for maintaining the confidentiality of information gained during their employment by NHSERY. All staff will sign Appendix A to confirm that they have read and understood this policy.

Confidential information can be anything that relates to service users, staff (including non-contract, volunteers, bank and agency staff, locums, student placements), their family or friends, however stored. For example, information may be held on paper, floppy disc, CD, computer file or printout, video, photograph, or even heard by word of mouth. It includes information stored on portable devices such as laptops, palmtops, mobile phones, Blackberries and digital cameras. It can take many forms including medical notes, social care information, audits, employee records, occupational health records etc. It also includes any company information, e.g. Trust confidential information.

Person-identifiable information is anything that contains the means to identify a person, e.g. name, address, postcode, date of birth, NHS number, National Insurance number etc. Please note that even a visual image (e.g. a photograph) is sufficient to identify an individual.

Certain categories of information are legally defined as particularly sensitive and should be most carefully protected by the additional requirements stated in legislation (e.g. information regarding sexually transmitted diseases, HIV and termination of pregnancy).

In the course of your work you should consider all information to be sensitive, even a service user's name and address. The same standards should be applied to all information you come into contact with.

4 Responsibilities for Information Security

The Executive Director responsible for Informatics will have strategic responsibility for Information Security. On a day-to-day basis the Associate Director of Performance and Informatics shall be responsible for managing and implementing the policy and related procedures.

Information and Communications Technology services are provided under a service level agreement. The service provider will ensure that an Information Security Management System is in place and working effectively. The service provider will provide a named manager who will act as the Information Systems Security Manager for NHSERY.

Line managers are responsible for ensuring that their permanent and temporary staff and contractors are aware of:

• The information security policies applicable in their work areas
• Their personal responsibilities for information security
• How to access advice on information security matters

All staff shall comply with information security procedures including the maintenance of data confidentiality and data integrity. Failure to do so may result in disciplinary action.

This policy shall be maintained, reviewed and updated by the Information Governance Manager. This review shall take place as appropriate.

Line managers shall be individually responsible for the security of the physical environments where information is processed or stored.

Each member of staff shall be responsible for the operational security of the information systems they use. Each system user shall comply with the security requirements that are currently in force, and shall also ensure that the confidentiality, integrity and availability of the information they use is maintained to the highest standard.

Contracts with external contractors that allow access to the organisation's information systems shall be in operation before access is allowed. These contracts shall ensure that the staff or sub-contractors of the external organisation comply with all appropriate security policies.

5 Legislation

NHSERY is obliged to abide by all relevant UK and European Union legislation. The requirement to comply with this legislation shall be devolved to employees and agents of NHSERY, who may be held personally accountable for any breaches of information security for which they are responsible.

6 Information Security Framework

6.1 Access Control

Only authorised personnel who have a justified and approved business need shall be given access to restricted areas containing information systems or stored data.

Access to information shall be restricted to authorised users who have a bona fide business need to access the information.

Access to computer facilities shall be restricted to authorised users who have a business need to use the facilities.

Access to data, system utilities and program source libraries shall be controlled and restricted to those authorised users who have a legitimate business need, e.g. systems or database administrators.

Authorisation to use an application shall depend on the availability of a licence from the supplier.

6.2 Classification of Sensitive Information

NHSERY shall implement appropriate information classification controls, based upon the results of formal risk assessment and guidance contained within the Information Governance Toolkit, to secure its NHS information assets.

The classification NHS Confidential shall be used for patients' clinical records and patient identifiable clinical information passing between NHS staff and between NHS staff and staff of other appropriate agencies.
In order to safeguard confidentiality, the term "NHS Confidential" shall not be used on correspondence to a patient, in accordance with the Confidentiality: NHS Code of Practice.

Documents so marked shall be held securely at all times in a locked room to which only authorised persons have access. They shall not be left unattended at any time in any place where unauthorised persons might gain access to them. They should be transported securely in sealed packaging or locked containers. Documents marked NHS Confidential that are not in a safe store or in transport should be kept out of sight of visitors or others not authorised to view them.

The classification NHS Restricted shall be used to mark all other sensitive information such as financial and contractual records. It shall cover information the disclosure of which is likely to:

• adversely affect the reputation of the organisation or its officers or cause substantial distress to individuals;
• make it more difficult to maintain the operational effectiveness of the organisation;
• cause financial loss or loss of earning potential, or facilitate improper gain or disadvantage for individuals or organisations;
• prejudice the investigation, or facilitate the commission, of crime or other illegal activity;
• breach proper undertakings to maintain the confidence of information provided by third parties or impede the effective development or operation of policies;
• breach statutory restrictions on disclosure of information;
• disadvantage the organisation in commercial or policy negotiations with others or undermine the proper management of the organisation and its operations.

NHS Restricted documents should also be stored in lockable cabinets.

6.3 Protection from Malicious Software

The organisation shall use software countermeasures and management procedures to protect itself against the threat of malicious software. All staff shall be expected to co-operate fully with this policy. Users shall not install software on the organisation's property without permission from the Associate Director of Performance and Informatics. Users breaching this requirement may be subject to disciplinary action. Further information can be found in the Internet, Intranet and Email Policy (N3).

6.4 User media

Removable media of all types that contain software or data from external sources, or that have been used on external equipment, require the approval of the Information Systems Security Manager before they may be used on trust systems. Such media must also be fully virus checked before being used on the organisation's equipment. Users breaching this requirement may be subject to disciplinary action.

6.5 Monitoring System Access and Use

An audit trail of system access and data use by staff shall be maintained and reviewed on a regular basis.

NHSERY has in place routines to regularly audit compliance with this and other policies. In addition it reserves the right to monitor activity where it suspects that there has been a breach of policy.

The Regulation of Investigatory Powers Act (2000) permits monitoring and recording of employees' electronic communications (including telephone communications) for the following reasons:

• Establishing the existence of facts
• Investigating or detecting unauthorised use of the system
• Preventing or detecting crime
• Ascertaining or demonstrating standards which are achieved or ought to be achieved by persons using the system (quality control and training)
• In the interests of national security
• Ascertaining compliance with regulatory or self-regulatory practices or procedures
• Ensuring the effective operation of the system.

Any monitoring will be undertaken in accordance with the above Act and the Human Rights Act 1998.

6.6 Accreditation of Information Systems

The organisation shall ensure that all new information systems, applications and networks include a security plan and are approved by the Information Systems Security Manager before they commence operation.

6.7 System Change Control

Changes to information systems, applications or networks shall be reviewed and approved by the Information Systems Security Manager.

6.8 Intellectual Property Rights

The organisation shall ensure that all information products are properly licensed and approved by the Information Systems Security Manager. Users shall not install software on the organisation's property without permission from the Information Systems Security Manager. Users breaching this requirement may be subject to disciplinary action.

6.9 Business Continuity and Disaster Recovery Plans

The organisation shall ensure that business impact assessments, business continuity and disaster recovery plans are produced for all mission critical information, applications, systems and networks.

6.10 Information Asset Management

Information Assets (IA) are identifiable and definable assets owned or contracted by an organisation which are 'valuable' to the business of that organisation. Information assets will likely include the computer systems and network hardware, software and supporting utilities and staff that are required to achieve processing of this data. Non-computerised records systems should also have an asset register containing relevant file identifications and storage locations.

The word 'owner', when used in this requirement, is taken from the ISO 27002 Information Security Management standard. It should not be confused with the term 'data owner', as used by the Data Protection Act 1998. The standard defines an owner as a member of staff senior enough to make decisions concerning the asset at the highest level.

The Information Asset Owner (IAO) can assign day to day responsibility for each Information Asset to an Information Asset Administrator (IAA) or other manager, and this should be formalised in job descriptions.

The role of the IAO is to understand what information is held, what is added and what is removed, how information is moved, who has access and why. As a result they should be able to understand and address risks to the information and to ensure that information is fully used within the law for the public good. The Information Asset Owner will also be responsible for providing reports to the Senior Information Risk Officer (SIRO), at least annually, on the assurance and usage of their asset.

It is vital that all NHS organisations establish programmes that ensure their IAs are identified and assigned to an IAO. The SIRO should oversee a review of the asset register to ensure it is complete and robust.

Information Assets should be documented in an organisation asset register. In order to establish corporate coherence it should be possible for a single asset register to be created for the organisation. As a priority, it is essential that all critical Information Assets are identified and included in this asset register, together with details of the "Information Asset Owner" and risk reviews undertaken or planned. To improve its usability and maintainability, the Information Asset register may be service, rather than location, based.

Each Information Asset Owner should be aware of what information is held, and the nature and justification of information flows to and from the assets they are responsible for.

7 Confidentiality

7.1 Protecting information

Service users' health and social care information and their interests must be protected by following the measures in this policy.
7.2 Storage of Confidential Information Paper-based confidential information should always be kept locked away and preferably in a room that is locked when unattended. Confidential personal information should be saved on to a network drive. If removable media is used e.g. memory stick, CD then the media should be encrypted and kept in locked storage when not in use. All portable electronic devices are also encrypted due to the risk of being lost or stolen when taken away from the office and there have been well publicised cases in the national media where this has occurred. All staff are responsible for the security of any data and in the event that any such information is transported from the organisations premises will be expected to take all necessary steps to ensure its continued security. Device and Port control have been implemented in NHSERY and staff are expected to observe these as a basis for ensuring security of data for which they are responsible. In the event that security is breached, this Policy would be evidential in terms of any decision to take further action including disciplinary action. Any breach of this type will be reported as an incident using NHSERY incident reporting policy. NHS East Riding of Yorkshire Page 11 of 24 Information Governance Manager Tony Hammond Revised July 2010 7.3 Disclosing and Using Confidential Patient Information Patients must be made aware of information disclosures that need to take place in order to provide them with high quality care. In particular, clinical governance and clinical audits, which are important elements of the care cycle, may not be obvious to patients and should be drawn to their attention. Similarly, patients may be aware of the need to share information between members of their care team but may not be aware of the organisations involved or the partnership arrangements established within jointly provided care teams. 
Guidance issued in the NHS ERY Information Sharing Protocol be followed as these are complementary to this policy and the “Caldicott, Data Protection & Privacy Impact Policy”. In all cases, the effort made to inform patients should reflect the breadth of the required disclosure. Some uses of confidential information do not contribute to or support health and social care provision; however, they do provide benefits to society (e.g. medical research, protecting the health of the public, health service management and financial management). 7.3.1 Obligations This policy and “Caldicott, Data Protection & Privacy Impact Policy” apply to all staff, contractors and volunteers. Specific problems or barriers to change need to be highlighted and referred to the Caldicott Guardian. NHS ERY will ensure that staff receive appropriate training in the maintenance of a “Confidentiality Service” and are made aware of the requirements set out in the “Confidentiality Code of Practice” and other confidentiality agreements/information sharing protocols developed to support partnership working. Third party, stakeholders or contracted organisations that work directly with NHS ERY staff, should ensure that the policy around this code of conduct is followed at all times. In certain circumstances, third party suppliers working in the NHS ERY organisation will be subject to confidentiality agreements and where possible, evidence of confidentiality regulation conformance in their own organisation should be compliant with local and/or national arrangements. 7.3.2 Protecting Patient Information All staff should ensure compliance with established Partnership Information Sharing Protocols and Operational Service Specific Information Sharing Agreements. Staff working in partnership with other organisations should ensure that they are fully aware of the information sharing protocol(s) in operation. Accurate and secure personal health information is an essential part of patient health care. 
NHSERY goal is for a service that works in partnership with other organisations and has clearly established and communicated protocols for sharing information. NHS East Riding of Yorkshire Page 12 of 24 Information Governance Manager Tony Hammond Revised July 2010 7.4 Use of Internal and External Post All correspondence containing personal information should always be addressed to a named recipient and department. Internal mail containing confidential data should only be sent in a securely sealed new envelope with a confidential marking in line with your department’s procedures. External Mail must also observe these rules. Special care should be taken with personal information sent in quantity, such as case notes, or collections of service user records on paper, floppy disc or other media. These should be sent by Recorded Delivery or by NHS courier, to safeguard that these are only seen by the authorised recipient(s). Original Health/Social care records should not be transferred outside the Trust. If a client moves to another area the Medical Records Department will send a copy of the notes on request by recorded delivery. Electronic media should be encrypted. Advice on how to encrypt files is available from IT Helpdesk telephone: 01482 347999 7.5 Faxing personal information • • • • • Faxes should always be addressed to named recipients and be marked “Confidential”. Confirm the fax number with the recipient and ask them to acknowledge receipt of the fax. Always check the number to avoid misdialling before you press the send key If your fax machine stores numbers in memory, always check that the number held is correct and current before sending sensitive information. Request a report sheet to confirm that the transmission has been successful. For further information refer to the Safe Haven Procedures. 7.6 E-mailing information Personal Data should only be sent using a NHS.net mail account to another NHS.net mail account. 
For further information on sending emails beyond the immediate NHS patch see the Internet, Intranet and Email Policy (N3). In all instances the following guidelines must be observed:

• Consider if email is the best way to send the data. Whenever possible patient or person identifiable information, particularly that of a confidential nature, should be sent via the normal postal system and marked as confidential and addressee only. If the recipient can access the same shared drive as the sender, the document could be placed on the drive for both to access. The document should be password protected; see the Internet, Intranet and Email Policy (N3).
• Limit the number of recipients of the message to as few as possible.
• Double check that you have the correct recipient(s) before pressing the “send” button. Messages containing personal data sent to the wrong recipient will be classed as a breach of confidentiality and will be reported as an adverse incident, even if the recipient is another NHS employee.
• Staff should edit their entry in the global address book to provide information such as location, address and phone number. This will ensure the identification of the correct recipient, particularly for staff who share the same name with others in NHSERY and from other local NHS organisations detailed in the global address book.
• Limit the amount of data to only that which is needed for the purpose it is being sent. Do not send more, just in case the recipient needs it.
• Send to email addresses that are person specific unless the e-mail can be dealt with by any member of the team reading the e-mail (e.g. a request for a medical record sent to the medical records e-mail).
• Mark the message as NHS Confidential in the subject as well as in the message properties.
• Be aware that e-mail can be forwarded by the initial recipient to third parties against your wishes or by accident.
• Do not use person identifiable information in subject titles and document names, e.g. use a unique identifier or initials instead of the person’s name.
• Include a note to say that the receiver of patient identifiable data is responsible for the security and confidentiality of that data and should not pass it on to anyone else, via any method, who does not have a justified ‘need to know’.
• Any attachments should be password protected; see the Internet, Intranet and Email (N3) Policy for guidance on how to do this. Do not include the password in the body of the message. Transmit the password by other means, such as telephone (as you will know you have spoken to the right person).
• When in receipt of personal data, remove it from your email system as soon as possible and file it appropriately, either electronically or on paper.
• Do not keep personal data on email for longer than is necessary.
• Where there is a more formal method for the communication of information, such as a ‘web-based’ referral system, then that should be used.
• If ‘delegate’ access to your inbox is granted to other people, consider whether they need to see any personal data you receive.

7.7 Telephone enquiries

Information should only be given over the telephone if you are confident of the identity of the caller. If you are not, you should always take a number, verify it independently and call back via their switchboard where possible. Always check whether they are entitled to the information they request. Information on service users should only be released on a need-to-know basis. If in doubt, check with your line manager or the Information Governance Manager.

7.8 Disposal of information

When disposing of paper-based person-identifiable information or confidential information, always use ‘Confidential Waste’ sacks/shredders.
Computer printouts should either be shredded or disposed of as paper-based confidential waste. Floppy discs/CDs/videos containing confidential information must be either reformatted or destroyed securely. Any magnetic media requiring disposal requires guidance from the IT Helpdesk, telephone: 01482 347999. Computer files with confidential information that are no longer required must be deleted from both the PC and, if necessary, the server. Computer hard disks are destroyed/disposed of by the IT experts within the Health Informatics Service. For further information refer to the Protocol for the Secure Disposal of Hard Drives.

7.9 Passwords

Personal passwords issued to or created by employees should be regarded as confidential and those passwords must not be communicated to anyone.

• Passwords should not be written down.
• Passwords should not relate to the employee or the system being accessed.
• Passwords should not be shared with colleagues. A joint directory should be set up if you need to access information on a colleague’s computer, e.g. to cover annual leave. For further advice, please contact the IT Help Desk.

No employee should attempt to bypass or defeat the security systems or attempt to obtain or use passwords or privileges issued to other employees. Any attempts to breach security should be immediately reported, via your line manager, using the Adverse Incident Procedure.

7.10 Working from home

If you need to take personal information out of the office to work from home you need to gain approval from your manager. If they agree, you need to ensure the following are considered, and remember that there is personal liability under the Data Protection Act 1998 and your contract of employment for breach of these requirements:

• Ensure you have authority to take the records. This will need to be granted by your line manager.
• If you are taking manual records, please follow your localised tracking system to ensure there is a record that you have these records, where you are taking them and when they will be returned. Records should be removed for the minimum amount of time possible.
• Make sure they are put in the locked boot of the car or carried on your person while being transported from your work place to your home.

If you transfer data from your work computer to your home computer using electronic disc, CD, memory stick or any other means of electronic storage, you must ensure that, when your work is complete, all information is removed from your home computer and at no stage left where it can be accessed by family members or friends. Computer records on electronic disc, CD and memory stick MUST be virus checked before being loaded onto any of the organisation’s systems – especially any which can be accessed via the network.

7.11 Abuse of Privilege

It is strictly forbidden for employees to look at any information relating to their own family, friends or acquaintances unless they are directly involved in the service user’s clinical care or with the employee’s administration on behalf of the organisation. Action of this kind will be viewed as a breach of confidentiality and may result in disciplinary action. If you have concerns about this issue please discuss with your line manager.

8 General Principles

• Do not talk about service users in public places or where you can be overheard.
• Do not leave any medical records or confidential information lying around unattended.
• Make sure that any computer screens, or other displays of information, cannot be seen by others.
8.1 Security incident

A Security Incident is any event that has or could:

• cause an unauthorised disclosure of confidential information
• put the integrity of a computer system or data at risk
• put the availability of the system or information at risk
• have an adverse impact, e.g. embarrassment to the NHS.

All incidents or information indicating a suspected or actual security breach should be reported, via your line manager, using the Adverse Incident Procedure. Any I.T. breaches should be reported both to your line manager and to the I.T. Service Desk.

8.2 Copying of Software

All computer software used within the organisation is regulated by licence agreements. A breach of the agreement could lead to legal action against the organisation and/or the offender (member of staff). It is important that software on the PCs/systems used for work purposes is not copied and used for personal use. This would be a breach of the licence agreement.

8.3 Informing Service Users

Service users must be made aware that the information they give may be recorded, may be shared in order to provide them with care, and may be used to support clinical audit and other work to monitor the quality of care provided. Staff should consider whether service users would be surprised to learn that their information was being used in a particular way – if so, then they are not being effectively informed. In order to inform service users properly, staff must:

• Check where practicable that the “Your information – Our key to your best health care” information leaflet has been read and understood.
• Make clear to service users when information is recorded or when health records will be accessed;
• Make clear to service users when staff are or will be disclosing information to others;
• Check that service users are aware of the choices available to them in respect of how their information may be disclosed and used;
• Check that service users have no concerns or queries about how their information is disclosed and used;
• Answer any queries personally or direct the service user to the Caldicott and Data Protection Officer ([email protected]) who can answer their questions;
• Respect the right of service users and facilitate them in exercising their right to have access to their health records.

Further details can be found in the Guidance for informing service users about the uses of their information.

8.4 Providing choice to service users

Service users have different needs and values – this must be reflected in the way they are treated, both in terms of their medical condition and the handling of their personal information. What is very sensitive to one person may be casually discussed in public by another – just because something does not appear to be sensitive does not mean that it is not important to an individual service user in his or her particular circumstances. Staff must:

• Ask service users before using their personal information in ways that do not directly contribute to, or support the delivery of, their care
• Respect service users’ decisions to restrict the disclosure or use of information, except where exceptional circumstances apply, see Section 9.8
• Communicate effectively with service users to ensure they understand what the implications may be if they choose to agree to or restrict the disclosure of information
• Note any restrictions placed by the service user in their medical record and on their computer record

Further details can be found in the Guidance for informing service users about the uses of their information.
8.5 Improve wherever possible

It is not possible to achieve best practice overnight. Staff must:

• Be aware of the issues surrounding confidentiality and seek training or support where uncertain in order to deal with them appropriately
• Report possible breaches or risk of breaches by using the Adverse Incident Procedure

9 Use and disclosure of service user information

The following section deals with the uses and disclosures of service user information, including the issue of consent. Further information can be found in:

• General Protocol for Sharing Information between Agencies in Kingston upon Hull and the East Riding of Yorkshire
• Caldicott and Data Protection Policy
• Clinical Audit and Effectiveness Strategy

9.1 The Caldicott Principles

The use and disclosure of service user information must comply with the following principles:

• Justify the purpose of using service user information.
• Only use the information when absolutely necessary.
• Use the minimum necessary information.
• Access to the information should be on a strict need to know basis.
• Everyone should be aware of their responsibilities in respect of confidentiality.
• Understand and comply with the law, for example the Data Protection Act 1998.

9.2 Obtaining Service User Consent

Information provided in confidence should not be used or disclosed in a form that might identify a service user without his or her consent, subject to certain exemptions, see 9.8.
Where patients have been informed of:

• the use and disclosure of their information associated with their health care and
• the choices that they have and the implications of choosing to limit how information may be used or shared,

then information may be disclosed to provide the service user with treatment and care without explicit consent. Explicit consent is required for any purpose other than the provision of healthcare, unless anonymised information is being used/disclosed. Explicit consent should be obtained at the earliest opportunity. In order to gain consent, the service user must be informed of:

• what information is to be shared
• who it is to be shared with
• the purpose for sharing the information.

It should be made clear to the service user that they have the right to withhold their consent (see Section 9.4). Ideally, consent should be sought by the member of staff/team who collected the confidential information. In some circumstances, an organisation requiring information for a further purpose may have already gained consent. A copy of the signed consent should be obtained prior to the release of information.

9.3 Recording explicit consent

Explicit consent should be in writing with a copy given to the individual and a copy placed in the individual’s file. If consent is obtained verbally, this should be documented in the individual’s file. Wherever possible, a service area should use an appropriate standard consent form to record consent. Clinical audit and research projects requiring explicit consent will retain the explicit consent form with the project documentation.
9.4 Refusal/limitations on consent

Service users do have the right to object to information they provide in confidence being disclosed to a third party in a form that identifies them, even if this is someone who might provide essential healthcare, subject to certain exemptions (see Section 9.8). They may also limit the consent given. Where service users are competent to make such a choice and where the consequences of the choice have been fully explained, the decision should be respected. This is no different from a service user exercising his or her right to refuse treatment. In such circumstances staff should:

• Clearly establish the concerns of the service user and look at whether there is a technical or procedural way of satisfying the consent without unduly compromising care.
• Explore the options for providing an alternative form of care or to provide care through alternative arrangements.
• Assess the options that might be offered to the service user, balancing the risks, staff time and other costs attached to each alternative that might be offered against the risk to the service user of not providing healthcare.

Careful documentation of the decision making process and the choices made by the service user must be included within the service user’s record or the explicit consent form that will be included in the service user’s record. Any restrictions placed by the service user must be noted in the medical record and an alert placed on the inside cover of their medical record and on their computer record.

If the service user chooses not to give consent, to revoke consent or to limit their consent then they should be informed that this may limit the services that can be provided to them. Service users should be informed that if consent is revoked, it may not be possible to retrieve information already shared.
In exceptional circumstances, it will be possible to proceed with the information sharing without explicit consent (see Section 9.2).

9.5 Service users who are unable to consent

Where a service user is incapacitated and unable to consent, information should only be disclosed in the service user’s best interests, and then only as much information as is needed to support their care. Any previously expressed wishes, informed by the views of relatives or carers as to the likely wishes of the service user, should be taken into account. If a service user has made his or her preferences about information disclosures known in advance, this should be respected. Decisions to disclose and the justification for disclosing should be noted in the service user’s records.

9.6 Reviewing consent

In most cases consent will endure for as long as the processing to which it relates continues. However, consent may need to be reviewed if, for example, the purpose for which the information is to be shared has changed, or the information is to be given to different agencies other than those originally agreed with the service user.

9.7 Answering service user questions about consent

When seeking explicit consent, service users should be given the opportunity to talk to someone they can trust and of whom they can ask questions. The service user should be given support and explanations about any form that they are required to sign. If the member of staff is unable to answer the service user’s questions, the service user should be directed to the Caldicott and Data Protection Officer ([email protected]).

9.8 Exemptions to the requirement for consent

There are certain circumstances when personal information given in confidence may be used or disclosed without the service user’s consent. These are:

9.8.1 Overriding public interest

Personal data may be disclosed to prevent and support detection, investigation and punishment of serious crime and/or to prevent abuse or serious harm to others. Decisions to disclose in these circumstances must be made on a case by case basis, justifying that the public good that would be achieved by the disclosure outweighs both the obligation of confidentiality to the individual service user concerned and the broader public interest in the provision of a confidential service. A record must be made of any such circumstances, so that there is clear evidence of the reasoning used and the circumstances prevailing.

Disclosures in the public interest should also be proportionate and be limited to relevant details. It may be necessary to justify such disclosures to the courts or to regulatory bodies, and a clear record of the decision making process and the advice sought is in the interest of both staff and the organisation. A decision not to disclose information that could prevent the risk of harm to the patient or others should also be documented and the justification for not disclosing noted.

Wherever possible the issue of disclosure should be discussed with the individual concerned and consent sought. Where this is not forthcoming, the individual should be told of any decision to disclose against his/her wishes. This will not be possible in certain circumstances, e.g. where the likelihood of a violent response is significant or where informing a potential suspect in a criminal investigation might allow them to evade custody, destroy evidence or disrupt an investigation.
Consideration should also be given to the disclosure of anonymised information – at least at the outset. For example, if a patient disclosed that Dr X sexually assaulted a patient and the patient does not agree to be named, the concern may be reported without revealing the identity of the patient. The disclosure may reveal a cluster of complaints or a pattern of behaviour. It should be made clear to the patient that there is a duty to protect the safety of other NHS patients and their identity may need to be revealed in the future. The disclosure of partial information will need to be reviewed by the relevant healthcare professional to ensure that the information given has allowed sufficient action to be taken that is in proportion to the risk.

An example of such a disclosure is where a patient continues to drive, against medical advice, when unfit to do so. In such circumstances the healthcare professional should disclose relevant information to the medical adviser of the DVLA (GMC Confidentiality: Protecting and Providing Information – September 2000). If further advice is required on disclosing information in such circumstances, please seek advice from the Caldicott and Data Protection Officer ([email protected]).

9.8.2 Legal requirement

Some statutes place a strict requirement on clinicians or other staff to disclose information. Care should be taken, however, to only disclose the information required to comply with and fulfil the purpose of the law. If staff have reason to believe that complying with a statutory obligation to disclose information would cause serious harm to the service user or another person, they should seek legal advice.
The main requirements to disclose are detailed on the Department of Health web-site at http://www.dh.gov.uk/PublicationsAndStatistics/Publications/PublicationsPolicyAndGuidance/PublicationsPolicyAndGuidanceArticle/fs/en?CONTENT_ID=4069253&chk=jftKB%2B

The courts, including coroner’s courts, and some tribunals and persons appointed to hold inquiries have legal powers to require that information that may be relevant to matters within their jurisdiction be disclosed. This does not require the consent of the service user whose records are to be disclosed, but he/she should be informed, preferably prior to disclosure. Disclosures must be strictly in accordance with the terms of a court order and to the bodies specified in the order. Where staff are concerned that a court order requires disclosure of sensitive information that is not relevant to the case in question, they may raise ethical concerns with the judge or presiding officer. If, however, the order is not amended it must be complied with.

9.8.3 Section 60 of the Health and Social Care Act

Section 60 of the Health and Social Care Act 2001 makes it lawful to disclose and use confidential patient information in specified circumstances where it is not currently practicable to satisfy the common law confidentiality obligations. This does not create new statutory gateways, so the processing must still be for a lawful function, but it does mean that the confidentiality obligations do not have to be met, e.g. consent does not have to be obtained. Even where these powers apply, however, the Data Protection Act 1998 also continues to apply. This is intended primarily as a temporary measure until anonymisation measures or appropriate recording of consent can be put in place. The Government has made it clear that it will only introduce such requirements where necessary and upon the advice of the independent statutory Patient Information Advisory Group (PIAG).
See www.dh.gov.uk/PublicationsAndStatistics/Publications/PublicationsPolicyAndGuidance/PublicationsPolicyAndGuidanceArticle/fs/en?CONTENT_ID=4069253&chk=jftKB%2B for more details, including guidance on applications for support.

Where the powers provided by this legislation are used to support the processing of confidential patient information there will be additional safeguards and restrictions on the use and disclosure of the information. These may differ from case to case and change over time where the process of annual review required by the legislation results in more stringent safeguards being applied.

10 Further information and contacts

Further guidance regarding confidentiality and patients’ consent to use their health records can be found in the Confidentiality: NHS Code of Practice. A copy of this document can be obtained from the Caldicott and Data Protection Officer ([email protected]). Further information may also be found in the following policies and procedures available on the Intranet:

• Access to Medical Records Protocol
• Caldicott and Data Protection Policy
• General Protocol for Sharing Information between Agencies in Kingston upon Hull and the East Riding of Yorkshire
• Records Management Policy
• Guidance for informing service users about the uses of their information
• Internet, Intranet and E-mail (N3) Policy
• Safe Haven Procedures

If you have any questions relating to this Code please speak to your line manager or alternatively contact: Caldicott and Data Protection Officer ([email protected]).
Appendix A

Your personal responsibility concerning security and confidentiality of information (relating to patients, staff and the organisation)

During the course of your time with NHSERY, you may acquire or have access to confidential information which must not be disclosed to any other person unless in pursuit of your duties or with specific permission given by a person on behalf of the organisation. This condition applies during your relationship with NHSERY and after the relationship ceases.

Confidential information includes all information relating to the organisation and its patients and employees. Such information may relate to patient records, telephone enquiries about patients or staff, electronic databases or methods of communication, use of fax machines, hand-written notes containing patient information, etc. If you are in doubt as to what information may be disclosed, you should check with your line manager.

The Data Protection Act 1998 regulates the use of computerised information and paper records of identifiable individuals (patients and staff). NHSERY is registered in accordance with this legislation. If you are found to have made an unauthorised disclosure you may face legal action.

I understand that I am bound by a duty of confidentiality and I have read and understood this Policy and the requirements of the Data Protection Act 1998.

PRINT NAME:

SIGNATURE:

DATE:

Please retain a copy of this agreement. The original must be forwarded to the Personnel Department for inclusion in your record.