AN INFORMATION GOVERNANCE HANDOUT
A USEFUL GUIDE FOR ALL STAFF
A BRIEF OVERVIEW OF THE PRINCIPLES

Data Protection Act – the 8 principles of good information management we must follow when processing named/personal data

  1. Processing of named data must be necessary and must be carried out with consent where necessary
  2. Named data can only be processed for one or more specified and lawful purpose(s) (or almost identical uses and purposes)
  3. Named data held must be the minimum amount of relevant information to satisfy each specified use and purpose
  4. Named data must be kept accurate and up to date
  5. Named data must be kept for as short a time as possible
  6. The rights of the individual who is named must be respected at all times and in all ways
  7. Must have the best organisational and technical measures in place to ensure named data is managed confidentially and securely
  8. Named data can only be processed within the EEA and countries with data protection laws (DPAs) as good as or better than ours

Caldicott Report – the 6 principles of good information management we must follow when processing patient identifiable data (listed here in the order the handout pairs them with the Data Protection Act principles above)

  2. Don't process named patient data unless you have to
  1. Justify each purpose for using named patient data [1]
  5. Access to named patient data must be on a strict need-to-know basis [2]
  3. When named patient data has to be used, make sure it is the minimum amount of named patient data needed for the task
  4. Anonymise patient data whenever you can using the New NHS Number or other coded identifier
  6. All staff must be aware of their responsibilities towards the confidentiality and security of patient data – and must understand and comply with the law

[1] [2] In the recommendations.

The principles’ buzzwords and what they mean to you…



Data

Data means all information and data that is processed

Processing

Everything you do with data or information.

Use and purpose

Named data can only be used for specific lawful uses and purposes that have to be agreed by the Practice

Necessary

Processing of all forms of name linked data and information must be necessary and unavoidable

Need

You must have a genuine and recorded need to know who the individual is – that is, you cannot carry out the task without knowing who the person or patient is

Consent

For most uses and purposes, we must have the named individual's consent to use their data.

Minimum

You must only collect and use (in all forms of use) the minimum amount of data linked to a name to allow you to do the task

Relevant

The named data must be relevant for the specified lawful uses and purposes – we must not collect more data than is necessary

Accurate

All data linked to the person or patient must be accurate. If you share information, you have a duty to make sure it is accurate on the day you use or share it, because you are the source of the data.

Up to date

All data linked to the person or patient must also be up to date. If you share information, you have a duty to make sure it is up to date on the day you use or share it, because you are the source of the data.

Rights of the individual

Everyone has a right to make sure the data we hold on them is accurate and up to date. All individuals can see or have copies of their medical and personal records at almost any time, and can have any inaccuracies corrected.

Organisational and technical measures

We must make sure staff know what they can and can’t do with named information through Policies and Procedures, and we must make sure access to named data is restricted to those who need it to do their jobs.

The Practice must also know what named data it has and who holds it.


The Basic FAQ for Information Governance

Dealing with Named Data and Information

Do I need to see named patient or personal data?

  • Check your Job Description

  • Check with the organisation’s purposes for using patient data

  • Ask your Data Protection Lead

  • Check with your Caldicott Guardian

I do need to use named patient or personal data to do my job.

  • You must only use the named data for the specified purpose(s) and no other

  • You must keep the information confidential to yourself and colleagues who work in the same department or area as you do

  • You must not talk about the patient with other colleagues other than the Caldicott Guardian or appropriate Health Professional ‘in context’ – Health Professionals are qualified staff – doctors, nurses etc, not administrators.

  • You must make sure the data is kept securely at all times.

  • Manual records you create must be properly referenced and filed securely.

  • Any computer records created outside of a system must be properly referenced, password protected and saved in the Practice’s restricted directory structure

  • You must not share any personal or patient identifiable information with anyone or any organisation unless there are proper measures in place – Information Sharing Protocols, Contracts etc.

The named patient or personal data is in manual files – how should I look after them?

  • Only use the files when you have to – leave them locked away in the filing cabinet or cupboard at all other times.

  • Work to a Clear Desk Policy – do not leave any named patient paperwork on your desk when you are away from your desk – lock it away.

  • If you haven’t got enough lockable areas, make sure your Security Manager and Caldicott Guardian know so that they can be provided.

  • Don’t file unnecessary documents. If they are not required for the work you are doing – shred them

  • Don’t create more files than you have to – use existing ones if possible.

The named patient and personal data is in a computer system – how should I look after them?

  • You must have a unique ID and Password to access the system.

  • Your access must be restricted to the parts of the system you need to use, and only those parts.

  • You must not use anybody else’s ID to gain more access.

  • You must not give anyone access to the system using your ID and Password.

  • If you can access more than you need to, you must tell your Security Manager and Caldicott Guardian who will arrange to restrict your access.

  • You must work to a Clear Screen Policy – place the computer into standby or screensaver mode or logout if you have to leave your workstation.

  • You must not copy or use any of the information for any reason other than to do your job.

  • Check with your Security Manager if you think data is no longer needed – there will be a system retention and destruction of records policy to be taken into account.

I need copies of named patient and personal information sent to me – how should I ask for it to be sent?

  • If it’s paper records, ask the sender to address the records to you by name, mark them Addressee Only and Private and Confidential, and send the copies by Special Delivery or Trusted Courier so that they are signed for on receipt.

  • You must tell the sender that you have received the records safely.

  • Once you have used the records, if they are not needed again, destroy them.

I need to send copies of named patient and personal information received by me – how should I do this?

  • If it’s paper records, send to the named person who requires them, marking the envelope Addressee Only and Private and Confidential and send the copies by Special Delivery or Trusted Courier so that they will be signed for on receipt.

  • You must ask the named person to confirm receipt and for the records to be destroyed once they have been used.


What about faxes?

  • Use the Safe Haven fax machine for receiving and sending patient and personal information.

  • If you have to use a fax for ‘speed’, send information in at least 2 parts – neither of which fully names the patient.

  • Ask the person receiving it to confirm transmission of the first page before sending the rest using the ‘redial’ facility to ensure the same number is contacted.

  • Ask the person receiving to confirm all pages have been received properly.

  • If you ask for named information to be sent to you, tell the sender to use the same process and you confirm receipt.

  • Beware faxback processes – always verify who the sender is and make sure they are entitled to the information.

  • Don’t feel pressurised to reply. If you are in doubt, check with your Security Manager or Caldicott Guardian.

What about Emails?

  • Never send named information in the body of an Email.

  • If you must use Email, place the named information in a password protected document and attach it to the Email. If you are sending patient information, use the NHS Number instead of the patient identifiable information where possible.

  • Always communicate the password over the telephone. Do not enter the password within the content of an email.

  • Ask the person receiving it to contact you for the password.

  • If you are going to be sent named information by Email, ask the sender to use the same process.

  • If contact with someone is regular, agree a password with them to be used for a set period of time – say 3 months.

  • Always verify who the recipient is and make sure they are entitled to the information.

  • Don’t feel pressurised to reply. If you are in doubt, check with your Security Manager or Caldicott Guardian.


What about giving information over the phone?

  • The normal process is not to give information over the phone, but to ask the caller to put the request in writing, accompanied by a clear and appropriate signed consent form.

  • If it is obviously an emergency and you know you can respond, verify who the caller is by:

    • asking the caller for their number;

    • checking it out ‘online’ or in official registers;

    • ringing back the number you have verified – even if it is different from the number given to you by the caller.

  • If you have regular contacts like the police, social services, or a service provider, arrange a codeword to verify identity.

Are there differences if it is named personal information, not patient?

  • For the areas above, not really.

  • However, you must remember that personal information is no less confidential than patient information.

Things about named personal information to beware of …

  • Lots of people and organisations try to find out where people live, where they work, and how much they earn. In most cases you will need consent before you release the information.

  • Many of these requests are genuine, but these days, many aren’t.


What sort of companies and people can we give personal information to without getting their consent?

  • There may be some legitimate occasions when we would not need consent. These include:

    • The Inland Revenue

    • The Courts

    • The Police

    • The Crown Prosecution Service

    • The Benefits Agency

  • All requests should be treated on a case by case basis. For further guidance, please contact your Caldicott Guardian.


When do we need to get consent?

  • Typical examples are approaches from organisations who ask for ‘references’ from an employer:

    • Banks, Building Societies etc.

    • Insurance Companies

    • Debt Collection Agencies

    • Private Detectives

  • We need to take great care with such approaches. The professional way of getting this sort of information is by way of a written request accompanied by a detailed consent form signed by your colleague.

What if I get this type of approach on the phone or by fax and it seems genuine and urgent?

  • Do not give out the information immediately. As above, get a contact number and verify it.

  • If you can contact your Practice Manager, tell them that you have been approached. If they are happy for you to respond, ask them to send you this in writing, then release the information.

Should I put personal information on notice boards or whiteboards?

  • Patient information – NO.

What if I get a letter, invoice or other document that contains named patient information and it is nothing to do with me?

  • Refer it to the Caldicott Guardian as they should find out how it got to you and try to make sure it does not happen again.

What if I get a letter, invoice or other document that contains named personal information and it is nothing to do with me?

  • Refer it to the Data Protection Lead as they should find out how it got to you and try to make sure it does not happen again.

Good Practice in the Office Environment

Mail opening processes

Do not open mail marked Addressee Only and/or Private and Confidential if it is addressed to a named member of staff, the Data Protection Lead or the Caldicott Guardian.

Notice and Whiteboards

Do not put names or personal information on any boards in areas that can be accessed by many staff or by members of the public.

Telephone Conversations

Do not speak loudly if you are making calls when names and personal information are mentioned.

If possible, transfer the call to a discreet ‘safe haven’ office.

Answering Machines

Never leave messages on answering machines. Only ever speak to the individual to whom the communication relates.

Safe Haven

Make a fax machine and possibly a phone available in a quiet room with access restricted to staff who need to use the facilities.

IT Security

Do not try to access information you do not need to use to do your job.

Never give anyone your ID or Password.

Do not login as anyone else.

Clear Desk

Never have or leave any records about named patients or people on your desk unless you are there and using them.

Clear Screen

If you are logged into the network or in a system, do not leave named information on your screen when you are not at your desk.

Activate the screensaver or logout.

It’s good to talk …

Do not talk to colleagues about any named individual whose information you have encountered in your work unless they need to know.

It doesn’t end at the office door …

Never talk about information you have encountered in the workplace about any person by name, anywhere, at any time.

Your duty of confidentiality extends to wherever you are, technically until the day you die.

In particular, never discuss any individual by name in any public place – pub, café, club, wherever – as you never know who is listening.