Information governance

Information governance incorporates the management of all information generated by the Trust, whether this relates to patient, staff or corporate information, and in any format.

To provide assurance that the Trust complies with a wide range of legislation and national guidance, the Trust completes an annual submission of the information governance toolkit.

Contact us

  • Write to: Information governance team, Cornwall Partnership NHS Foundation Trust, Suite 6, Carew House, Beacon Technology Park, Dunmere Road, Bodmin PL31 2QN
  • Call 01208 834 495
  • Email the information governance team

Fair processing notice

The purpose of this notice is to inform you of the type of information that the Trust collects, how that information is used, who the information may be shared with, how it is kept secure and what your rights are in relation to this.

The Trust is required to complete a data protection register with the Information Commissioner’s Office (ICO) which details the types of data that the Trust collects and the processing that it conducts.

Data protection impact assessments

A data protection impact assessment is a mechanism for identifying, quantifying and mitigating data privacy risks; in other words, a privacy risk assessment.

It is undertaken to ensure appropriate controls are put in place when any new process, system or way of working involving the use of high-risk processing, such as health data, is introduced.

The completion of an assessment is a legal requirement under the General Data Protection Regulations. In addition, organisations are required to publish their assessments to support transparency.

General Data Protection Regulations

An individual, or their representative, can request to receive copies of information that the Trust holds about them under the General Data Protection Regulations (GDPR).

Freedom of Information

Under the Freedom of Information Act 2000, any individual is able to request information in relation to the Trust. This would not include personal information.

Information governance toolkit

The information governance toolkit is a Department of Health policy delivery vehicle that draws together the legal rules and central guidance set out by Department of Health policy and presents them in a single standard as a set of information governance requirements.

NHS health and social care organisations are required to measure their compliance against the law and central guidance and to see whether information is handled correctly and protected from unauthorised access, loss, damage and destruction. The minimum requirement is level 2 compliance.

National data opt-out

The National Data Guardian, Dame Fiona Caldicott, recommended a new opt-out model for data sharing in her review of data security, consent and opt-outs in 2016. The aim is to allow patients to make an informed decision about how their personal data will be used. It is part of a vision to improve patients’ trust and confidence in how data is looked after by the health and social care system.

The national opt-out ties in with other work on data security and making sure data is only used for the benefit of people’s health and care.

NHS Digital are introducing a new tool that people can use to opt out of their confidential patient information being used for reasons other than their individual care and treatment. It will be secure and accessible, and will be available from 25 May 2018.

For patients and the public who decide they do not want their personally identifiable data used for planning and research purposes:

  • they will be able to set their national data opt-out choice online
  • there will be a non-digital alternative for patients and the public who can’t or don’t want to use an online system
  • individuals can change their mind at any time
  • where patients have already registered with their GP to prevent their identifiable data leaving NHS Digital, this will be converted to the new national data opt-out

The national data opt-out will be introduced alongside the new data protection legislation and all health and care organisations will be required to uphold patient and public choices by March 2020.

Caldicott principles

Good information sharing is essential for providing safe and effective care. There are also important uses of information for purposes other than individual care, which contribute to the overall delivery of health and social care or serve wider public interests.

These principles apply to the use of the confidential information within health and social care organisations and when such information is shared with other organisations and between individuals, both for individual care and for other purposes.

The principles are intended to apply to all data collected for the provision of health and social care services where patients and service users can be identified and would expect that it will be kept private. This may include, for instance, details about symptoms, diagnosis, treatment, names and addresses. In some instances, the principles should also be applied to the processing of staff information.

They are primarily intended to guide organisations and their staff, but it should be remembered that patients, service users and/or their representatives should be included as active partners in the use of confidential information.

Where a novel and/or difficult judgment or decision is required, it is advisable to involve a Caldicott Guardian.

1: Justify the purpose(s) for using confidential information

Every proposed use or transfer of confidential information should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed by an appropriate guardian.

2: Use confidential information only when it is necessary

Confidential information should not be included unless it is necessary for the specified purpose(s) for which the information is used or accessed. The need to identify individuals should be considered at each stage of satisfying the purpose(s) and alternatives used where possible.

3: Use the minimum necessary confidential information

Where use of confidential information is considered to be necessary, each item of information must be justified so that only the minimum amount of confidential information is included as necessary for a given function.

4: Access to confidential information should be on a strict need-to-know basis

Only those who need access to confidential information should have access to it, and then only to the items that they need to see. This may mean introducing access controls or splitting information flows where one flow is used for several purposes.

5: Everyone with access to confidential information should be aware of their responsibilities

Action should be taken to ensure that all those handling confidential information understand their responsibilities and obligations to respect the confidentiality of patients and service users.

6: Comply with the law

Every use of confidential information must be lawful. All those handling confidential information are responsible for ensuring that their use of and access to that information complies with legal requirements set out in statute and under the common law.

7: The duty to share information for individual care is as important as the duty to protect patient confidentiality

Health and social care professionals should have the confidence to share confidential information in the best interests of patients and service users within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

8: Inform patients and service users about how their confidential information is used

A range of steps should be taken to ensure no surprises for patients and service users, so they can have clear expectations about how and why their confidential information is used, and what choices they have about this. These steps will vary depending on the use: as a minimum, this should include providing accessible, relevant and appropriate information - in some cases, greater engagement will be required.

Data sharing during COVID-19

If you have any concerns regarding how the Trust is managing your confidential information during COVID-19, call the Trust's Caldicott Guardian, Adrian Flynn, our joint medical director, on 01208 834 600 or our Information Governance and Records Management Lead, Piers Margetts, on 01208 834495.

Sharing of data and the integrated care system

The Trust is working in partnership with other health and social care providers to improve the services we provide you. Our aim is to provide the right care in the right place to better match your needs. To achieve this we need to join up our data with our partners in order to understand what opportunities we have to make best use of our resources (staff and service locations) to meet this goal.

We want to use your anonymised data (at no point will you be individually identified from the data used) to see what we have been doing over the last few years. Once the data has been anonymised we will share it with GE Finnamore and the South West Academic Health Science Network to provide the analysis we need to make these improvements.

If you wish us not to use your anonymised data for this purpose please let us know and we will ensure your data is excluded.

Contact us to tell us of your wish to withhold your information or to discuss your concerns.