Contact us

  • Write to: Information Governance team, Cornwall Partnership NHS Foundation Trust, Suite 6 Carew House, Beacon Technology Park, Dunmere Road, Bodmin, PL31 2QN
  • Call 01208 834 495
  • Email the Information Governance team

Contact us about your rights and access to records

Information governance

Information governance incorporates the management of all information generated by the Trust, whether this relates to patient, staff or corporate information, and in any format.

To provide assurance that the Trust complies with a wide range of legislation and national guidance, the Trust completes an annual submission of the data security protection toolkit.

Caldicott principles

Good information sharing is essential for providing safe and effective care. There are also important uses of information for purposes other than individual care, which contribute to the overall delivery of health and social care or serve wider public interests.

These principles apply to the use of confidential information within health and social care organisations and when such information is shared with other organisations and between individuals, both for individual care and for other purposes.

The principles are intended to apply to all data collected for the provision of health and social care services where patients and service users can be identified and would expect that it will be kept private. This may include for instance, details about symptoms, diagnosis, treatment, names and addresses. In some instances, the principles should also be applied to the processing of staff information.

They are primarily intended to guide organisations and their staff, but it should be remembered that patients, service users and/or their representatives should be included as active partners in the use of confidential information.

Where a novel and/or difficult judgment or decision is required, it is advisable to involve a Caldicott Guardian.

1: Purpose for using confidential information

Principle 1: Justify the purpose(s) for using confidential information.

Every proposed use or transfer of confidential information should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed by an appropriate guardian.

2: Use information only when necessary

Principle 2: Use confidential information only when it is necessary

Confidential information should not be included unless it is necessary for the specified purpose(s) for which the information is used or accessed. The need to identify individuals should be considered at each stage of satisfying the purpose(s) and alternatives used where possible.

3: Use the minimum necessary

Principle 3: Use the minimum necessary confidential information

Where use of confidential information is considered to be necessary, each item of information must be justified so that only the minimum amount of confidential information is included as necessary for a given function.

4: Access on a need-to-know basis

Principle 4: Access to confidential information should be on a strict need-to-know basis

Only those who need access to confidential information should have access to it, and then only to the items that they need to see. This may mean introducing access controls or splitting information flows where one flow is used for several purposes.

5: Everyone with access should be aware of their responsibilities

Principle 5: Everyone with access to confidential information should be aware of their responsibilities

Action should be taken to ensure that all those handling confidential information understand their responsibilities and obligations to respect the confidentiality of patients and service users.

6: Comply with the law

Every use of confidential information must be lawful. All those handling confidential information are responsible for ensuring that their use of and access to that information complies with legal requirements set out in statute and under the common law.

7: Duty to share information for individual care

Principle 7: The duty to share information for individual care is as important as the duty to protect patient confidentiality

Health and social care professionals should have the confidence to share confidential information in the best interests of patients and service users within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

8: Inform how confidential information is used

Principle 8: Inform patients and service users about how their confidential information is used

A range of steps should be taken to ensure no surprises for patients and service users, so they can have clear expectations about how and why their confidential information is used, and what choices they have about this. These steps will vary depending on the use: as a minimum, this should include providing accessible, relevant and appropriate information - in some cases, greater engagement will be required.

Data protection impact assessments

A data protection impact assessment is a mechanism for identifying, quantifying and mitigating data privacy risks; in effect, it is a privacy risk assessment.

It is undertaken to ensure appropriate controls are put in place when any new process, system or way of working that involves high-risk processing, such as the processing of health data, is introduced.

The completion of an assessment is a legal requirement under the General Data Protection Regulation. In addition, organisations are required to publish their assessments to support transparency.

Data security protection toolkit

The data security protection toolkit is a Department of Health policy delivery vehicle that draws together the legal rules and central guidance set out by Department of Health policy and presents them in a single standard as a set of information governance requirements.

NHS health and social care organisations are required to measure their compliance against the law and central guidance and to see whether information is handled correctly and protected from unauthorised access, loss, damage and destruction. The minimum requirement is level 2 compliance.

Fair processing notice

The purpose of this notice is to inform you of the type of information that the Trust collects, how that information is used, who the information may be shared with, how it is kept secure and what your rights are in relation to this. You can access our privacy notice at the bottom of our website.

The Trust is required to complete a data protection register with the Information Commissioner’s Office (ICO) which details the types of data that the Trust collects and the processing that it conducts.

GDPR, your rights and access to records

What is GDPR?

The EU General Data Protection Regulation (GDPR) is a piece of legislation that harmonises and modernises the way that data protection laws are applied across member states of the European Union, as well as providing greater protection and rights to individuals. The Data Protection Act 2018 is the UK's implementation of the EU General Data Protection Regulation (GDPR).

Your rights explained

The Data Protection Act 2018 and the EU GDPR provide 8 rights to you as a data subject. The availability of some of these rights depends on the legal basis that applies in relation to the processing of your personal data, and there are some other circumstances in which we may not uphold a request to exercise a right. Your rights and how they apply are described below.

We must generally respond to requests in relation to your rights within 1 month, although there are some exceptions to this.

1. Right to be informed

Individuals have a right to know how their personal data is going to be used by the Trust. In most cases this information should be included in a privacy notice that is made available at the point personal data is captured. Our privacy notice can be accessed at the bottom of our website.

2. Right of access

Individuals have a right to be informed if their personal data is being processed and if so, to request a copy. Individuals or their representatives making an application for access to the records held by the Trust may use the subject access request form to make their request, which will guide the requester through the process including what additional data is required with the application.

Alternatively, you can call us on 01209 204 013 to make a request or you can email the subject access request team.

3. Right to rectification

You have the right to ask us to rectify any inaccurate data that we hold about you. Email your request to the Records Management team.

4. Right to erasure

You have the right to request that we erase personal data about you that we hold. This is not an absolute right, and depending on the legal basis that applies, we may have overriding legitimate grounds to continue to process the data.

5. Right to restrict processing

You have the right to request that we restrict processing of personal data about you that we hold. You can ask us to do this for example where you contest the accuracy of the data.

6. Right to data portability

This right is only available where the legal basis for processing under the GDPR is consent, or for the purposes of a contract between you and the Trust. For this to apply the data must be held in electronic form. The right is to be provided with the data in a commonly used electronic format.

7. Right to object

You have the right to object to processing of personal data about you on grounds relating to your particular situation. The right is not absolute, and we may continue to use the data if we can demonstrate compelling legitimate grounds.

8. Rights in relation to decision-making including profiling

You have the right to object to being subject to a decision based solely on automated processing, including profiling. Should we perform any automated decision-making, we will record this in our privacy notice, and ensure that you have an opportunity to request that the decision involves personal consideration.

The Information Commissioner

If you are not happy with any aspect of the Trust’s processing of personal data or believe that we are not meeting our responsibilities as a data controller, you can raise your concern with the Information Commissioner’s Office.

Further legislation

Access to Health Records Act 1990

This legislation applies to data held by the Trust for deceased patients and allows the patient’s personal representative and any person who may have a claim arising out of the patient’s death to apply. In all cases you will be required to provide copies of relevant authority such as a copy of the Will or letters of administration.

Access to Medical Reports Act 1988

This legislation allows individuals to see medical reports written about them, for employment or insurance purposes, by a doctor or clinician who they usually see in a normal doctor-patient capacity. This right can be exercised either before, or after, the report is sent.

How we manage your personal information and your information rights leaflet (PDF, 93 KB)

National data opt-out

The National Data Guardian, Dame Fiona Caldicott, recommended a new opt-out model for data sharing in her review of data security, consent and opt-outs in 2016. The aim is to allow patients to make an informed decision about how their personal data will be used. It is part of a vision to improve patients’ trust and confidence in how data is looked after by the health and social care system.

The national opt-out ties in with other work on data security and making sure data is only used for the benefit of people’s health and care.

NHS Digital are introducing a new tool that people can use to opt out of their confidential patient information being used for reasons other than their individual care and treatment. It will be secure and accessible, and will be available from 25 May 2018.

Patients and the public who decide they do not want their personally identifiable data used for planning and research purposes will be able to:

  • set their national data opt-out choice online
  • use a non-digital alternative if they cannot or do not want to use an online system
  • change their mind at any time
  • have any opt-out they have already registered with their GP, to prevent their identifiable data leaving NHS Digital, converted to the new national data opt-out

The NHS offers patients and the public the opportunity to make an informed choice about whether they wish their personally identifiable data to be used just for their individual care and treatment or also used for research and planning purposes. Find out more about the national data opt-out.