
Confidentiality Policy - Data Protection Act 1998

Version 3.0

Compliance with all CCG policies, procedures, protocols, guidelines, guidance, standards and strategies is a condition of employment. Breach of policy may result in disciplinary action.

NHS Fareham & Gosport & South Eastern Hampshire Clinical Commissioning Groups Confidentiality Policy in accordance with the Data Protection Act 1998 V3.0 December 2016 - Final

Subject and version number of document:

Confidentiality Policy - Data Protection Act 1998 Version 3

Serial Number: IG 002 v3.0

Operative date: November 2016

Author: Information Governance Team, NHS South Commissioning Support Unit

Review date: November 2018

For action by: All NHS Fareham & Gosport & South Eastern Hampshire Clinical Commissioning Groups (CCGs) staff, Data Custodians, Information Governance team

Policy statement: This policy describes the CCGs’ responsibilities under the Data Protection Act 1998 and ensures all employees abide by the legal duty of confidence to protect personal confidential data.

Responsibility for dissemination to new staff:

NHS Fareham & Gosport & South Eastern Hampshire Clinical Commissioning Groups (CCGs) Managers

Training Implications: All CCG staff will complete IG training annually

Further details and additional copies available from:

SCWCSU IG Team

Equality Impact Assessment Completed?

Yes

Consultation Process: Information Governance Group

Endorsed by: Information Governance Group

Approved by: Corporate Governance Committee

Date approved: Approved IGG 19/12/16 Ratified CGC 17/1/17


Intranet and Website Upload:

Intranet Electronic Document Library Location:

CCGs - G Drive: All staff folder

Website Location in FOI Publication Scheme:

Keywords: Data Protection, Information Governance, NHS Confidentiality Code of Practice, Caldicott Report 1997 and 2013

Amendments Summary:

Amendment 1 (issued Oct 14, page 7): Added 6.5 – Information and cyber security
Amendment 2 (issued Oct 16, page 22): Added Email Guidance as Appendix 4 (action date 31/10/16)
Amendment 3 (issued Nov 16, page 9): Use of Cloud Technology (action date 16/11/16)

Review Log:

Include details of when the document was last reviewed:

Version 1.0, reviewed December 2013 by the IG Group: Endorsed. Draft agreed prior to ratification by the governance committee.
Version 2.0, reviewed October 2014 by the IG Group: Endorsed by CGC. Any changes accepted.
Version 3.0, reviewed December 2016 by the IG Group: Ratified by CGC. All changes accepted.

Contents

1.0 Introduction
2.0 Aim
3.0 Legislation
4.0 NHS & Related Guidance
5.0 Responsibilities
6.0 Security & Confidentiality
7.0 Database Management
8.0 Back-ups
9.0 Use of Cloud Technology
10.0 Disclosure of Information & Information in Transit
11.0 Disclosure of information outside the European Economic Area (EEA)
12.0 Training for Data Custodians
13.0 Training
14.0 Contracts of Employment
15.0 Disciplinary
16.0 Monitoring & Audit
17.0 Disclosure of Personal and Confidential Information
18.0 Working away from the office environment
19.0 Staff Responsibilities
20.0 Abuse of Privilege
21.0 Confidentiality Audit
Appendix 1 Summary of Legal and NHS mandated frameworks
Appendix 2 Confidentiality Agreement for third parties
Appendix 3 Confidentiality Agreement for Governing Body members and third party employees
Appendix 4 Email guidance
Appendix 5 Equality Impact Assessment

Confidentiality Policy - Data Protection Act 1998

1.0 Introduction

1.1 The NHS Fareham & Gosport & South Eastern Hampshire Clinical Commissioning Groups (CCGs) have a legal obligation to comply with all appropriate legislation in respect of confidentiality, data, information and IT security. They also have a duty to comply with guidance issued by NHS England, the Information Commissioner, other advisory groups to the NHS and guidance issued by professional bodies.

1.2 Monetary penalties of up to £500k could be imposed upon the CCGs and/or employees for non-compliance with relevant legislation and NHS guidance.

2.0 Aim

2.1 This confidentiality policy details how the CCGs will meet their legal obligations and NHS requirements concerning confidentiality and information security standards. The requirements within the policy are primarily based upon the Data Protection Act 1998 as that is the key piece of legislation covering security and confidentiality of personal information.

3.0 Legislation

3.1 For the purpose of this policy other relevant legislation and appropriate guidance may be referenced. The legislation listed below also refers to issues of security of personal confidential data:

• Data Protection Act 1998
• Access to Health Records Act 1990
• Access to Medical Reports Act 1988
• Human Rights Act 1998
• Freedom of Information Act 2000
• Regulation of Investigatory Powers Act 2000
• Crime and Disorder Act 1998
• Computer Misuse Act 1990
• Criminal Justice and Immigration Act 2008
• Health and Social Care Act 2012

4.0 NHS & Related Guidance

4.1 The following are the main publications referring to security and/or confidentiality of personal confidential data:

• Confidentiality: NHS Code of Practice
• Records Management: NHS Code of Practice
• Information Security: NHS Code of Practice
• Employee Code of Practice (Information Commissioner)
• Caldicott Reports 1997 and 2013
• NHS Constitution for England

• A Guide to Confidentiality in Health and Social Care: Treating Confidential Information with Respect, September 2013
• Professional Codes of confidentiality, including:
  o General Medical Council (GMC) – Confidentiality 2009
  o Nursing and Midwifery Council (NMC) – The Code: Standards of conduct, performance and ethics for nurses and midwives 2008
  o Health and Care Professions Council (HCPC) – Confidentiality – Guidance for registrants 2012
  o UK Council for Health Informatics Professions (UKCHIP) – Code of Conduct

5.0 Responsibilities

5.1 The Accountable Officer has overall responsibility for the confidentiality policy within the CCGs. The implementation of, and compliance with, this policy is delegated to the Information Governance Group, who will have responsibility for bringing Information Governance issues to the attention of the CCGs’ respective Governing Body.

5.2 The SCWCSU IG Service Lead role includes:

• Maintaining registrations
• Facilitating training sessions
• Advising on subject access requests
• Acting as initial point of contact for any Information Governance issues which may arise within the CCGs
• Being an active member of the Operational Management Team
• Providing reports to the CCGs’ Corporate Governance Committee as required
• Auditing data protection compliance
• Facilitating action in areas identified as being non-compliant
• Assisting with complaints concerning data protection breaches

5.3 This Policy will be reviewed every two years, or more frequently if appropriate, to take into account changes to legislation that may occur, and/or guidance from NHS England, NHS Digital and the Information Commissioner, or any relevant case law.

5.4 The day to day responsibilities for enforcing this policy will be devolved to Data Custodians. In order to fulfil their roles, the SCWCSU Information Governance Team will ensure that regular training is provided to remind these personnel of these responsibilities and the most effective way of ensuring adequate information security and confidentiality.

6.0 Security & Confidentiality

6.1 All information relating to identifiable individuals, and any information that may be deemed sensitive, must be kept secure at all times. The CCGs will ensure there are adequate policies and procedures in place to protect against unauthorised processing of information and against accidental loss, destruction and damage to this information.

6.2 Under current legislation commissioners can only process or have access to personal confidential data if:

• Consent has been obtained from the individual
• The data has been anonymised
• The data is in respect of safety, safeguarding or in the public interest

Any decision taken to share personal confidential data as a result of the above should be documented and agreed by the SIRO and Caldicott Guardian.

Staff should check with the SCWCSU IG Lead, Caldicott Guardian or Senior Information Risk Owner if they have any queries on whether to access or process personal confidential data.

6.3 An Accredited Safe Haven (ASH) is an accredited organisation with a secure electronic environment in which personal confidential data and/or weakly pseudonymised data can be obtained and made available to users, generally in de-identified form. An accredited safe haven will need a secure legal basis to hold and process personal confidential data. Weakly pseudonymised data can be held under contract with obligations to safeguard the data. The Fareham & Gosport and South Eastern Hampshire CCGs are not ASH accredited.

6.4 Personal confidential data may be received into the CCGs by mail or email. If consent to share this data has not been gained, the proper handling of this information should be referred to the CCGs’ Caldicott Guardian for advice on the most appropriate way to handle it.

6.5 Information and cyber security concerns the comprehensive risk management, protection and resilience of data processing and the digital networks that connect them. All references to information security are inclusive of cyber security measures.

7.0 Database Management

7.1 The CCGs will ensure that all databases that require registration are registered in accordance with the Act’s requirements and that these registrations are reviewed on a regular basis. Each computer system/database will have a designated contact/administrator. A list of these nominated personnel will be maintained by the CCGs.

7.2 For the purposes of this policy the term “Database” refers to a structured collection of records or data held electronically which contains personal confidential data. In the event that further guidance is needed in respect of what constitutes a database please contact the SCWCSU Information Governance Team.


8.0 Back-ups

8.1 The SCWCSU ICT Team are responsible for ensuring that appropriate back up procedures are available and implemented under the Service Level Agreements in place for the systems they manage and service.

9.0 Use of Cloud Technology

9.1 Before considering whether a cloud service or cloud provider is right for the CCG, consideration should be given to how it is intended to process data in the cloud.

9.2 Once the CCG is clear which personal data it holds and how it intends to process it in the cloud, the associated risks should be assessed and appropriate steps taken to mitigate them. A clear record of the categories of data the CCG intends to move to the cloud should be kept.

9.3 If services within the CCG are looking to process personal data in a cloud service, a Privacy Impact Assessment (PIA) should be carried out in order to assess and identify any privacy concerns and address them at an early stage. Both the CCG Senior Information Risk Owner (SIRO) and Caldicott Guardian should be involved in this process, and the decision to proceed should be approved by the appropriate Senior Management or Committee.

9.4 The Data Protection Act requires the CCG, as data controller, to have a written contract with the data processor (cloud provider) which clearly requires the data processor to act only on instructions from the data controller, and also requires the data processor to comply with security obligations equivalent to those imposed on the CCG itself.

9.5 The existence of a written contract should mean that the cloud provider will not be able to change the terms of data processing operations during the lifetime of the contract without the CCG’s knowledge and agreement.

9.6 As a data controller, the CCG should ensure appropriate steps are taken to inform the public of the use of the cloud service if any personal identifiable data is to be stored by this method. This should be done via the CCG Fair Processing Notification, which should be available on the CCG public website.

9.7 Further information regarding the use of the cloud can be found on the Information Commissioner’s Office website (ICO – Cloud Information).

10.0 Disclosure of Information & Information in Transit

10.1 It is important that information about identifiable individuals (such as the general public and/or staff) should only be disclosed on a strict need to know basis. Strict controls governing the disclosure of identifiable information are also a requirement of the Caldicott recommendations.

10.2 All disclosures of computer held identifiable information should be included in the relevant Information Asset Register.

10.3 Some disclosures of information may occur because there is a statutory requirement upon the CCGs to disclose, e.g. with a Court Order or because other legislation requires disclosure (for staff, to the tax office or pension agency).

10.4 If personal confidential information needs to be transported in any media such as: disc, memory stick or manual paper records, this should be carried out to maintain strict security and confidentiality of this information. For further information regarding transporting, sending and receiving person identifiable information please contact the SCWCSU Information Governance Team.

10.5 Contracts between the CCGs and third parties must include an appropriate confidentiality clause that must be disseminated to the third parties’ employees.

11.0 Disclosure of information outside the European Economic Area (EEA)

11.1 No personal data should be disclosed or transferred outside of the EEA to a country or territory which does not ensure an adequate level of protection unless certain exemptions apply or adequate protective measures are taken.

11.2 In the event that there is a need to process personal information outside of the United Kingdom, the SCWCSU Information Governance Team must be consulted prior to any agreement to transfer or process the information.

12.0 Training for Data Custodians

12.1 The SCWCSU Information Governance Team has overall responsibility for maintaining awareness of confidentiality and security issues for all staff, including adherence to the Caldicott Principles. Detailed training given to the Data Custodians will cover:

• How to provide awareness to teams regarding their personal responsibilities, such as locking doors and avoiding gossip in open areas
• Confidentiality of personal information
• Relevant NHS Policies and Procedures, e.g. Record Management Lifecycle Protocol
• Compliance with the Data Protection Principles
• Registration of automated databases
• Individuals’ rights (access to information and compliance with the principles)
• General good practice guidelines covering security and confidentiality
• Contact details for the SCWCSU IG Team
• A general overview of all Information Governance requirements
• How to inform staff about the relevant policies and procedures and also how to provide good practice guidance
• A brief overview of the Data Protection and Freedom of Information Acts

13.0 Training

13.1 All new starters to the CCGs must undertake Information Governance training via the online IG Training tool, to include compliance with the Data Protection Act and general IT security training, as part of the induction process. Extra training in these areas will be given to those who need it, such as Data Custodians and those dealing with requests for information. A register will be maintained of all staff who have completed the online training and those who have attended face to face sessions.

13.2 Annual IG refresher training should be undertaken by all the CCGs’ staff via the Information Governance Training Tool

13.3 All staff will be made aware of what could be classed as an information security incident or breach of confidentiality. They will be made aware of the process to follow and the forms to complete, so that incidents can be identified, reported, monitored and investigated. Please see the CCGs’ Information Governance SIRI Reporting Procedure for further guidance on this area.

14.0 Contracts of Employment

14.1 Staff contracts of employment are produced and monitored by the CSU Human Resources department. All contracts of employment include a clause on data protection and general confidentiality. Agency and non-contract staff working on behalf of the NHS must be subject to the same rules via a confidentiality agreement.

14.2 All the CCGs’ employees will be made aware of their responsibilities in connection with the Acts mentioned in this policy through their Statement of Terms and Conditions.

15.0 Disciplinary

15.1 A breach of the data protection requirements could result in a member of staff facing disciplinary action. A copy of the CCGs’ Disciplinary Procedure is available from the SCWCSU Human Resources Department.

16.0 Monitoring & Audit

16.1 This policy will be monitored by the CCGs’ Information Governance Group to ensure any legislative changes that occur before the review date are incorporated. This policy will also be reviewed biennially.

16.2 Please refer to the CCGs’ Data Subject Access Request Policy for guidance on how to handle a Subject Access Request.

17.0 Disclosure of Personal and Confidential Information

17.1 To ensure that information is shared appropriately, care must be taken to check that there is a firm legal basis in place.

17.2 It is important to consider how much confidential information is required and ensure that the minimal amount necessary is disclosed.

17.3 Information can be disclosed:

• When effectively anonymised.
• When the information is required by law or under a court order, which may include the detection and prevention of serious crime. In this situation staff must discuss with their Line Manager or the Information Governance Team before disclosing; they will then inform and obtain approval of the Caldicott Guardian.
• In identifiable form, with the individual’s written consent or with support from NHS England, who will apply for the necessary approval from the appropriate authority, for example the Confidentiality Advisory Group (CAG) within the Health Research Authority.
• In potential safeguarding situations or when it is deemed in the public interest. Before disclosure takes place, staff should contact their line manager and the Information Governance Team, who will then inform and obtain approval from the CCGs’ Caldicott Guardian.

17.4 When necessary a Data Sharing, Data Re-Use or Data Transfer Agreement should have been completed before any information is transferred. The Agreement will set out any conditions for use and identify the mode of transfer. For further information on Data Sharing Agreements contact the SCWCSU Information Governance Team.

17.5 Care must be taken when transferring information to ensure that the method used is secure. Staff must ensure that appropriate standards and safeguards are in place in respect of telephone enquiries, e-mails, faxes and post. See the Safe Haven Procedure for guidance on the safe transfer of personal confidential data.

17.6 The CCGs’ staff may only transfer personal sensitive information by using either an NHS.net account or Secure File Transfer. Staff should also be aware that this security is only assured if the email is sent from nhs.net to one of the following other secure email domains:

• another NHS.net account
• x.gsi.gov.uk
• gsi.gov.uk
• gse.gov.uk
• gsx.gov.uk
• pnn.police.uk
• cjsm.net
• scn.gov.uk
• gcsx.gov.uk
• mod.uk

If information is required to be sent to a member of the public using their non-secure email address, it is the responsibility of the member of staff to ensure that the member of the public is provided with a clear explanation of the risks of using unsecure email addresses, and consent should be obtained.

17.7 There are Acts of Parliament that govern the disclosure of personal information. Some of these acts make it a legal requirement to disclose and there are others that state that information cannot be disclosed. These acts are detailed below:

• Public Health (Control of Diseases) Act 1984 & Public Health (Infectious Diseases) Regulations 1985
• Education Act 1944 (for immunisations and vaccinations to NHS Public Health England from schools)
• Births and Deaths Act 1984
• Police and Criminal Evidence Act 1984
• Human Fertilisation and Embryology (Disclosure of Information) Act 1992
• Venereal Diseases Act 1917 and Venereal Diseases Regulations of 1974 and 1992
• Abortion Act 1967
• The Adoption Act 1976
• Children Act 2004

In the event that a request for disclosure is made referencing any of these acts, the SCWCSU Information Governance Team must be notified prior to any information being released.

18.0 Working away from the office environment

18.1 There will be times when staff may need to work from another location or whilst travelling. This means that staff may need to carry CCG information with them which could be confidential in nature, e.g. on a laptop, USB stick or as paper documents.

18.2 Taking home/removing paper documents that contain personal confidential data from CCGs’ premises should be discussed with your line manager to identify potential risks.

18.3 When working away from CCGs’ locations, staff must ensure that their working practice complies with the CCGs’ policies and procedures. Any removable media must be encrypted as per the current NHS Encryption Guidance.

18.4 Staff must not leave confidential information unattended whilst travelling, and must ensure that it is kept in a secure place if they take it home or to another location.

18.5 Staff must minimise the amount of person confidential data that is taken away from CCGs’ premises.

18.6 If staff need to carry personal confidential data they must ensure that any personal information is transported in an appropriate and secure manner and is kept out of sight whilst being transported.

18.7 Staff are responsible for ensuring that any information taken home is kept secure and confidential. This means that other members of their family and/or their friends/colleagues must not be able to see the content or have any access to the information.

18.8 Staff must not forward any personal confidential data via email to their home email account. Staff must not use or store personal identifiable or confidential information on a privately owned computer or device. See Appendix 4 – Email guidance.

19.0 Staff Responsibilities

19.1 All staff have a legal duty of confidence to keep personal confidential data private and not to divulge information accidentally. Staff may be held personally liable for a breach of confidence and must not:

• Talk about personal confidential data in public places or where they can be overheard.
• Leave any personal confidential data lying around unattended; this includes telephone messages, computer printouts, faxes and other documents.
• Leave a computer logged on to a system where personal confidential data can be accessed.

19.2 Steps must be taken to ensure the physical safety and security of personal identifiable or business confidential information held in paper format and on computers.

19.3 Passwords must be kept secure and must not be disclosed. Staff must not use someone else’s password to gain access to information. Action of this kind will be viewed as a serious breach of confidentiality under the Computer Misuse Act 1990. This is a disciplinary offence and constitutes gross misconduct which may result in summary dismissal.

20.0 Abuse of Privilege

20.1 It is strictly forbidden for employees to knowingly browse, search for or look at any information relating to themselves, their own family, friends or other persons, without a legitimate purpose. Action of this kind will be viewed as a breach of confidentiality and of the Data Protection Act.

20.2 Members of staff who would like access to their personal confidential information must submit a subject access request under the Data Protection Act 1998 to the SCWCSU Information Governance Team.

21.0 Confidentiality Audits

21.1 Good practice requires that all organisations that handle personal confidential data put in place processes to highlight actual or potential confidentiality breaches in their systems, and also procedures to evaluate the effectiveness of controls within these systems. This function will be co-ordinated by the CCGs’ Data Custodian through a programme of audits.

Appendix 1: Summary of Legal and NHS Mandated Frameworks

The CCGs are obliged to abide by all relevant UK and European Union legislation. The requirement to comply with this legislation shall be devolved to employees and agents of the CCGs, who may be held personally accountable for any breaches of information security for which they may be held responsible. The CCGs shall comply with the following legislation and guidance as appropriate:

The Data Protection Act (1998) regulates the use of “personal data” and sets out eight principles to ensure that personal data is:

1. Processed fairly and lawfully.
2. Processed for specified and lawful purposes.
3. Adequate, relevant and not excessive.
4. Accurate and where necessary kept up to date.
5. Not kept longer than necessary for the purpose(s) it is used.
6. Processed in accordance with the rights of the data subject under the Act.
7. Protected by appropriate technical and organisational measures against unauthorised or unlawful processing, accidental loss or destruction of, or damage to, personal data.
8. Not transferred to countries outside the European Economic Area (EEA) without an adequate level of protection in place.

The Caldicott principles should be applied when considering personal confidential data:

• Justify the purpose for using patient confidential information.

• Don’t use patient confidential information unless it is absolutely necessary.

• Use the minimum necessary patient confidential information.

• Access to patient confidential information should be on a strict need to know basis.

• Everyone should be aware of their responsibilities.

• Understand and comply with the law.

• The duty to share information can be as important as the duty to protect patient confidentiality

Article 8 of the Human Rights Act (1998) refers to an individual’s “right to respect for their private and family life, for their home and for their correspondence”. This means that public authorities should take care that their actions do not interfere with these aspects of an individual’s life.

The Computer Misuse Act (1990) makes it illegal to access data or computer programs without authorisation and establishes the following offences:

1. Unauthorised access to data or programs held on computer, e.g. to view test results on a patient whose care you are not directly involved in, or to obtain or view information about friends and relatives.
2. Unauthorised access with the intent to commit or facilitate further offences, e.g. to commit fraud or blackmail.
3. Unauthorised acts with the intent to impair, or with recklessness as to impairing, the operation of a computer, e.g. to modify data or programs held on computer without authorisation.
4. Making, supplying or obtaining articles for use in offences 1-3.

The NHS Confidentiality Code of Practice (2003) outlines four main requirements that must be met in order to provide patients with a confidential service:

• Protect patient information.
• Inform patients of how their information is used.
• Allow patients to decide whether their information can be shared.
• Look for improved ways to protect, inform and provide choice to patients.

Common Law Duty of Confidentiality

Information given in confidence must not be disclosed without consent unless there is a justifiable reason e.g. a requirement of law or there is an overriding public interest to do so.

Administrative Law

Administrative law governs the actions of public authorities. According to well established rules a public authority must possess the power to carry out what it intends to do. If not, its action is “ultra vires”, i.e. beyond its lawful powers.

The NHS Care Record Guarantee

The Care Record Guarantee sets out twelve high-level commitments for protecting and safeguarding patient information, particularly in regard to:

• patients' rights to access their information;
• how information will be shared both within and outside of the NHS; and
• how decisions on sharing information will be made.

The most relevant are:

Commitment 3 - we will not share information (particularly with other government agencies) that identifies you for any reason, unless:

• you ask us to do so;
• we ask and you give us specific permission;
• we have to do this by law;
• we have special permission for health or research purposes; or
• we have special permission because the public good is thought to be of greater importance than your confidentiality.

If we share information without your permission, we will make sure that we keep to the Data Protection Act, the NHS Confidentiality Code of Practice and other national guidelines on best practice.

Commitment 9 - we will make sure, through contract terms and staff training, that everyone who works in or on behalf of the NHS understands their duty of confidentiality, what it means in practice and how it applies to all parts of their work.


Organisations under contract to the NHS must follow the same policies and controls as the NHS does. We will enforce this duty at all times.


Appendix 2 Confidentiality Agreement

Confidentiality agreement – NHS Fareham & Gosport & South Eastern Hampshire Clinical Commissioning Groups

Document name: NHS Fareham & Gosport & South Eastern Hampshire Clinical Commissioning Groups' Confidentiality Agreement

Date:

Author: NHS Fareham & Gosport & South Eastern Hampshire Clinical Commissioning Groups

Version: 1

Confidentiality agreement for third party suppliers

Who are third parties covered by this agreement?

Third party suppliers granted access to NHS Fareham & Gosport & South Eastern Hampshire Clinical Commissioning Groups (CCGs’) data and information in order to perform tasks as required by NHS Fareham & Gosport & South Eastern Hampshire Clinical Commissioning Group. They could include the following:

• Hardware and software maintenance and support staff (for all of the document)

• Cleaning, catering, security guards and other outsourced support services (for general contractor clause and form on back page)

General contractor clause

(Based on a clause from Introduction to Data Protection in the NHS.) The Contractor undertakes:

• To treat as confidential all information which may be derived from or be obtained in the course of the contract or which may come into the possession of the contractor or an employee, servant or agent or sub-contractor of the contractor as a result of or in connection with the contract; and

• To take all necessary precautions to ensure that all such information is treated as confidential by the contractor, his employees, servants, agents or sub-contractors; and

• To ensure that they, their employees, servants, agents and sub-contractors are aware of the provisions of the Data Protection Act 1998 and ISO/IEC 27002 and that any personal information obtained from the CCGs shall not be disclosed or used in any unlawful manner; and

• To indemnify the CCGs against any loss arising under the Data Protection Act 1998 caused by any action, authorised or unauthorised, taken by himself, his employees, servants, agents or sub-contractors.


All employees, servants, agents and/or sub-contractors of the Contractor will be required to agree to and sign a confidentiality statement when they come to any of the CCGs’ sites where they may see or have access to confidential personal and/or business information (see last page).

Supplier Code of Practice

The following code of practice applies where access is obtained to CCGs’ information for the fulfilment of a required service.

The access referred to in paragraph 1 above may include:-

• Access to data/information on the CCGs’ premises

• Access to data/information from a remote site

• Examination, testing and repair of media (e.g. fixed disc assemblies)

• Examination of software dumps

• Processing using CCGs’ data/information

The Supplier must certify that his organisation is registered if appropriate under the Data Protection Act 1998 and legally entitled to undertake the work proposed.

The Supplier must undertake not to transfer any personal data/information out of the European Economic Area (EEA) unless such a transfer has been registered, approved by the CCGs and complies with the Information Commissioner's guidance on international transfers of personal data.

The work shall be done only by authorised employees, servants or agents of the contractor (except as provided in paragraph 12 below) who are aware of the requirements of the Data Protection Act 1998 and of their personal responsibilities under the Act to maintain the security of the CCGs' personal data/information.

While the data/information is in the custody of the contractor it shall be kept by appropriately secure means.

Any data/information sent from one place to another by or for the contractor shall be transferred by secure means. These places should be within the supplier's own organisation or an approved sub-contractor.

Data/information which can identify any patient or employee of the CCGs must only be transferred electronically if previously agreed by the organisation. This is essential to ensure compliance with strict NHS controls surrounding the electronic transfer of identifiable personal data/information and hence compliance with the Data Protection Act 1998 and BS 7799 (since superseded by ISO/IEC 27001 and 27002). This also applies to any direct-dial access by the supplier or their agent to a database held on the CCGs' computers.

The data/information must not be copied for any purpose other than that agreed between the supplier and the CCGs.

Where personal data/information is recorded in any intelligible form, it shall either be returned to the CCGs on completion of the work or disposed of by secure means and a certificate of secure disposal shall be issued to the organisation.


Where the contractor sub-contracts any work for the purposes in paragraph 1 above, the contractor shall require the sub-contractor to observe the standards set out in this agreement.

The CCGs shall, wherever practical, arrange for the equipment or software to be maintained, repaired or tested using dummy data that does not include the disclosure of any personal data/information.

The CCGs reserve the right to audit the supplier's contractual responsibilities or to have those audits carried out by a third party.

The CCGs will expect an escalation process for resolving problems relating to any breaches of security and/or confidentiality of personal information by the supplier's employees and/or any agents and/or sub-contractors.

Any security breaches made by the supplier’s employees, agents or sub-contractors will immediately be reported to the CCGs’ Caldicott Guardian.

Certification form

Name of supplier:

Address of supplier prime contractor:

Telephone number:

E-mail details:

On behalf of the above organisation I certify as follows:

The organisation is appropriately registered under the Data Protection Act 1998 and is legally entitled to undertake the work agreed in the contract with the Organisation.

The organisation will abide by the requirements set out above for handling any of the Organisation's personal data/information disclosed to my organisation during the performance of such contracts.

Signed:

Name of Individual:

Position in organisation:

Date:


Appendix 3: Confidentiality Agreement (Governing Body members and third party employees)

Agreement outlining personal responsibility concerning security and confidentiality of information (relating to patients, staff and the business of the organisation)

During the course of your time within the CCGs’ buildings, you may acquire or have access to confidential information which must not be disclosed to any other person unless in pursuit of your duties as detailed in the contract between the CCGs and your employer. This condition applies during your time within the CCGs and after that ceases.

Confidential information includes all information relating to the business of the CCG and its patients and employees.

The Data Protection Act 1998 regulates the use of all personal information and includes electronic and paper records of identifiable individuals (patients and staff). The CCGs are registered in accordance with this legislation. If you are found to have used any information you have seen or heard whilst working within the CCGs for any purpose other than that for which it was shared with you, both you and your employer may face legal action.

I understand that I am bound by a duty of confidentiality and agree to adhere to the conditions within the Contract between the organisations and my personal responsibilities to comply with the requirements of the Data Protection Act 1998.

NAME OF ORGANISATION:

CONTRACT DETAILS:

PRINT NAME:

SIGNATURE:

DATE:


Appendix 4 Email Guidance

Using e-mail is common practice within organisations and, as the use of electronic communications increases, email continues to be an important business tool for staff to communicate. The use of email does not come without risk: in the NHS the greatest risk probably comes from the ability to distribute information quickly to a wide range of recipients, which can result in a breach of confidentiality depending on the information contained in the email.

There were 92 incidents involving emails sent to the wrong recipient during the last financial year (April 2015 to March 2016) reported by health organisations to the Information Commissioner's Office (ICO); in total the ICO recorded 248 such incidents across all sectors. Compared with other channels, email appears to be the safer one and fewer breaches occur: for the same period, 206 breaches involving information being posted or faxed to the incorrect recipient were reported by health organisations, with a total of 347 across all sectors (https://ico.org.uk/action-weve-taken/data-security-incident-trends/).

In order to reduce the risk of breaches further, and to support staff in managing their emails more effectively, the following guidance is issued and should be noted by all staff.

INFORMATION and EMAIL SECURITY

Take the time to check the contents of your email and the validity of the recipients before sending.

It is essential that all personal confidential data (PCD) is kept secure and confidential at all times. Therefore staff must take particular care when sending emails that may contain PCD, using NHSmail wherever possible.

NHS mail process

It is the CCGs' policy that emails containing any PCD or commercially/business sensitive information should be sent using an NHS.net account. NHSmail encrypts messages in transit between itself and the accredited secure networks listed below, so PCD sent by this method is secure only as long as it is sent to one of the following types of email account:

• another NHS.net account
• x.gsi.gov.uk
• gsi.gov.uk
• gse.gov.uk
• gsx.gov.uk
• pnn.police.uk
• cjsm.net
• scn.gov.uk
• gcsx.gov.uk
• mod.uk

Note that secure transit does not protect against sending to the wrong person; the recipient checks described later in this appendix still apply.

If you intend to send PCD to any other type of email account not listed above, the information should be sent as an encrypted attachment or equivalent. Do not put PCD (e.g. patient names) in the subject header when sending an email. Where it is not possible to establish whether an nhs.net account belongs to the intended recipient, a 'test' email that does not contain any PCD or commercially/business sensitive information should be sent first.
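As an added illustration (not part of the CCG policy or of NHSmail itself), the following Python script applies the recipient and subject-line rules above before a message is sent. It assumes that a sub-domain of a listed domain (for example mail.gsi.gov.uk) counts as that domain, and uses the published NHS-number modulus-11 check digit as one heuristic for PCD in a subject line; the addresses and subject it processes are constructed.

```python
"""Added example (not part of the CCG policy): pre-send checks for an e-mail
that may contain personal confidential data (PCD).

Assumptions not stated in the policy: a recipient on a sub-domain of a listed
domain (e.g. mail.gsi.gov.uk) is treated as secure, and the NHS-number check
(modulus-11 check digit) is only a heuristic for spotting PCD in a subject.
"""
import re

# The accredited domains listed in the policy.
SECURE_DOMAINS = frozenset({
    "nhs.net", "x.gsi.gov.uk", "gsi.gov.uk", "gse.gov.uk", "gsx.gov.uk",
    "pnn.police.uk", "cjsm.net", "scn.gov.uk", "gcsx.gov.uk", "mod.uk",
})


def recipient_domain(address):
    """Return the lower-cased domain of 'user@host' or 'Name <user@host>'."""
    addr = address.strip()
    if addr.endswith(">") and "<" in addr:          # strip a display name
        addr = addr[addr.rfind("<") + 1:-1]
    local, sep, domain = addr.rpartition("@")
    if (not sep or not local or not domain or "@" in local
            or domain[0] == "." or domain[-1] == "."):
        raise ValueError(f"malformed address: {address!r}")
    return domain.lower()


def is_secure_domain(domain, allowed=SECURE_DOMAINS):
    """True for an allowed domain or a sub-domain of one.

    A plain suffix test such as domain.endswith("nhs.net") would wrongly
    accept 'evilnhs.net'; matching on the dot boundary avoids that, and an
    allowed name used as a prefix ('nhs.net.example.com') never matches.
    """
    domain = domain.lower()
    return domain in allowed or any(domain.endswith("." + d) for d in allowed)


def classify_recipients(recipients):
    """Split recipients into (secure, insecure) lists by domain."""
    secure, insecure = [], []
    for r in recipients:
        (secure if is_secure_domain(recipient_domain(r)) else insecure).append(r)
    return secure, insecure


def is_nhs_number(text):
    """Modulus-11 check: 10 digits, weights 10..2 on the first nine."""
    digits = re.sub(r"[ -]", "", text)
    if not re.fullmatch(r"\d{10}", digits):
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - total % 11
    if check == 11:
        check = 0
    return check != 10 and check == int(digits[9])


def pcd_send_check(recipients, subject):
    """Return the problems to fix before PCD is sent; an empty list means none."""
    problems = []
    _, insecure = classify_recipients(recipients)
    for r in insecure:
        problems.append(f"{r}: not an accredited domain; send PCD only as an "
                        "encrypted attachment")
    if not subject.strip():
        problems.append("subject line is blank")
    # 10 digits, optionally separated by spaces or hyphens (e.g. 943 476 5919).
    for m in re.finditer(r"\d(?:[ -]?\d){9}", subject):
        if is_nhs_number(m.group()):
            problems.append(f"subject line contains an NHS number ({m.group()}); "
                            "move PCD into the body")
    return problems


if __name__ == "__main__":
    # Constructed addresses and subject; 943 476 5919 is the NHS Data
    # Dictionary's published example number, not a real patient's.
    for p in pcd_send_check(["a.clinician@nhs.net", "J Bloggs <jbloggs@gmail.com>"],
                            "Referral for NHS no 943 476 5919"):
        print(p)
```

The domain test is deliberately anchored on the dot boundary: a bare `endswith` check is a common mistake that lets an attacker-registered look-alike such as evilnhs.net pass as accredited.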

You may occasionally receive PCD, either for a legitimate and legal purpose or perhaps in error. If you have an email with PCD in it and you are permitted to have this, it is essential that you only forward this information, or reply copying in additional recipients, if they are also permitted to see the PCD. If they are not, then you must remove any PCD before the email is forwarded on to any recipients.

If you do receive an email containing PCD or other information that you should not be in receipt of, this could be an IG breach and should be discussed with your Data Custodian or the SCWCSU IG Manager as soon as possible. Do not forward the information on; immediately inform the sender that they have sent it to you in error and that they should consider this under their own organisational reporting procedures for IG breaches. Follow-up actions will be identified as part of the IG breach reporting process.

Similar principles apply if you send an email to an incorrect recipient or it contains information that you should not have sent: talk to your Data Custodian as soon as possible after discovering the error or being informed of it. To further assist all staff, a range of Information Governance policies and procedures are available on the staff G: Drive, but please seek advice from your Data Custodian or the SCWCSU IG Team if you are unsure.

Attachments

You may on occasion be required to send information contained within a word document, an Excel spreadsheet or other type of attachment which could be embedded or attached to an email. Before sending, please ensure you check the documents and especially all the tabs contained within the spreadsheet to confirm that it does not contain any personal confidential or commercially sensitive data that you do not wish to share. There may also be hidden tabs/columns, therefore take time to check all areas on the spreadsheet before information is attached and sent by e-mail.

Take care when forwarding emails which contain attachments: consider whether the recipients have a legitimate right to view all the information contained within the email and the attachments. Also ensure that any documents with 'tracked changes' on them do not contain information, within the changes or comments, that you do not wish to share.
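As an added example (not from the policy), the Python below inspects an .xlsx attachment for hidden sheets, columns and rows, and a .docx for tracked changes and comments, before the file is sent, using only the standard library (both formats are zip archives of XML). The sample files are constructed in memory and contain only the parts the checks read; the Office Open XML element names used are the standard ones, but real workbooks can also hide data in ways this does not detect (white-on-white text, very narrow columns, pivot caches, embedded objects), so it is a pre-send aid, not a substitute for the manual check described above.

```python
"""Added example (not part of the CCG policy): find hidden content in .xlsx
and revision markers in .docx before attaching them. Assumption: standard
Office Open XML element/attribute names; samples are constructed in memory."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS_SS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
NS_W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def col_letter(n):
    """Column number to Excel letters: 1 -> 'A', 27 -> 'AA'."""
    s = ""
    while n:
        n, r = divmod(n - 1, 26)
        s = chr(65 + r) + s
    return s


def xlsx_hidden_content(xlsx_bytes):
    """List sheets whose state is hidden/veryHidden, hidden columns and hidden rows."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        rels = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
        targets = {r.get("Id"): r.get("Target")
                   for r in rels.iter(f"{{{NS_PKG}}}Relationship")}
        for sheet in wb.iter(f"{{{NS_SS}}}sheet"):
            name = sheet.get("name")
            state = sheet.get("state", "visible")   # visible | hidden | veryHidden
            if state != "visible":
                findings.append(f"sheet {name!r} is {state}")
            target = targets[sheet.get(f"{{{NS_R}}}id")]   # rel target may be absolute
            path = target.lstrip("/") if target.startswith("/") else "xl/" + target
            ws = ET.fromstring(z.read(path))
            for col in ws.iter(f"{{{NS_SS}}}col"):
                if col.get("hidden") in ("1", "true"):
                    lo, hi = (col_letter(int(col.get(k))) for k in ("min", "max"))
                    span = lo if lo == hi else f"{lo}-{hi}"
                    findings.append(f"sheet {name!r}: column(s) {span} hidden")
            for row in ws.iter(f"{{{NS_SS}}}row"):
                if row.get("hidden") in ("1", "true"):
                    findings.append(f"sheet {name!r}: row {row.get('r')} hidden")
    return findings


def docx_revision_markers(docx_bytes):
    """Count tracked insertions/deletions in the body and comments in comments.xml."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        doc = ET.fromstring(z.read("word/document.xml"))
        ins = sum(1 for _ in doc.iter(f"{{{NS_W}}}ins"))
        dels = sum(1 for _ in doc.iter(f"{{{NS_W}}}del"))
        if ins or dels:
            findings.append(f"tracked changes: {ins} insertion(s), {dels} deletion(s)")
        if "word/comments.xml" in z.namelist():
            comments = ET.fromstring(z.read("word/comments.xml"))
            n = sum(1 for _ in comments.iter(f"{{{NS_W}}}comment"))
            if n:
                findings.append(f"{n} comment(s)")
    return findings


def _zip(parts):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()


def sample_xlsx():
    """Constructed: 'Summary' with hidden column C and row 2; hidden 'Patient list'."""
    return _zip({
        "xl/workbook.xml": f'<workbook xmlns="{NS_SS}" xmlns:r="{NS_R}"><sheets>'
            '<sheet name="Summary" sheetId="1" r:id="rId1"/>'
            '<sheet name="Patient list" sheetId="2" state="hidden" r:id="rId2"/>'
            '</sheets></workbook>',
        "xl/_rels/workbook.xml.rels": f'<Relationships xmlns="{NS_PKG}">'
            '<Relationship Id="rId1" Type="ws" Target="worksheets/sheet1.xml"/>'
            '<Relationship Id="rId2" Type="ws" Target="/xl/worksheets/sheet2.xml"/>'
            '</Relationships>',
        "xl/worksheets/sheet1.xml": f'<worksheet xmlns="{NS_SS}">'
            '<cols><col min="3" max="3" width="9" hidden="1"/></cols><sheetData>'
            '<row r="1"><c r="A1" t="inlineStr"><is><t>Ward</t></is></c></row>'
            '<row r="2" hidden="1"><c r="A2" t="inlineStr"><is><t>NHS number</t></is></c></row>'
            '</sheetData></worksheet>',
        "xl/worksheets/sheet2.xml": f'<worksheet xmlns="{NS_SS}"><sheetData/></worksheet>',
    })


def sample_docx():
    """Constructed: one tracked deletion and one comment."""
    return _zip({
        "word/document.xml": f'<document xmlns="{NS_W}"><body><p>'
            '<del id="1" author="x"><r><delText>old</delText></r></del>'
            '<r><t>new</t></r></p></body></document>',
        "word/comments.xml": f'<comments xmlns="{NS_W}"><comment id="0" author="x">'
            '<p><r><t>check</t></r></p></comment></comments>',
    })


if __name__ == "__main__":
    for line in xlsx_hidden_content(sample_xlsx()) + docx_revision_markers(sample_docx()):
        print(line)
```

Run against a real file with `xlsx_hidden_content(open("report.xlsx", "rb").read())`; a 'veryHidden' sheet is worth special attention because it cannot be unhidden from the Excel menu and is easy to overlook.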

Selecting recipients from the address book

NHS.net emails may be secure but you must make sure you are sending them to the correct person. NHS mail and Outlook mail contain a large number of email addresses and many of them are for individuals with the same name. You must do all you can to check the recipient is who you intend it to be and to help you should consider the following.

If you use NHS.net on Outlook, select the required name from the address book and, once the email address is shown in the 'To' field of your email, hover over it and a box will pop up. Select the icon that looks like a bullet-point shopping list and click on Outlook properties; this will show you more information about who your email is about to go to. If you are selecting a name from the list then check Outlook properties before selecting the name.

If you use the web based NHS.net facility then once you have selected the required email address, right click on the address and select properties, this will also show you more information about your intended recipient. It is good practice to do this even if the address is stored in your contacts.


If you are still in doubt then call the person and check their email address before you send your message and if it does contain PCD or commercially sensitive information, ask them to confirm their identity.

It is also good practice to ask the recipient to confirm receipt of any PCD (or set a read/delivery receipt).

THE DATA PROTECTION ACT 1998 and the FREEDOM OF INFORMATION ACT (FOI) 2000 and E-MAILS

Sections 7 to 9A of the Data Protection Act 1998 detail rights of personal access to both manual data (which is recorded in a relevant filing system) and computer data relating to a data subject. This is often referred to as ‘the right of subject access’. Requests made under Section 7 of the Act are known as a Subject Access Requests (SAR).

Any email that you send that contains information about an identifiable individual could be disclosed under the right of subject access.

The FOI Act covers all recorded information held by a public authority. It is not limited to official documents and it covers, for example, drafts, emails, notes, recordings of telephone conversations and CCTV recordings. Nor is it limited to information you create, so it also covers, for example, letters and emails you receive from members of the public, although there may be a good reason not to release them.

Any email that you send that contains information relating to the work of the CCGs could be disclosed under the FOI Act.

It is therefore vital that good management of email, email folders and archive and shared drive folders is practised. Emails are an electronic record and should be:

a) retained, as they may be needed for business, regulatory, legal and accountability purposes;
b) stored in a way that means they can be retrieved as necessary, you know what is held and they remain usable;
c) stored securely, with access to them controlled;
d) kept for as long as they should be and disposed of when no longer needed.

Information that relates to the official business of the CCGs may on rare occasions be held in private email accounts and whilst this practice is not permitted and should be avoided it must be recognised that this information could fall under the remit of the FOI Act and therefore need to be disclosed as part of a request. Further guidance is available at https://ico.org.uk/media/for-organisations/documents/1147/official_information_held_in_private_email_accounts.pdf

This is particularly relevant for CCG staff, or those working on behalf of the CCGs, who may use a personal email account as their preferred method of communication.


MAKING YOUR USE OF EMAIL MORE EFFECTIVE

Email overload is now considered a much bigger workplace problem than traditional email spam. Research suggests that managers spend up to 20 hours a week reading emails and that the average employee receives 100 emails a day, of which only ten per cent are important. Here are some hints and tips to consider for making your email more effective.

Overuse of the 'cc' option

Copying a colleague into your email response to someone else may be a useful way of avoiding the need to send a separate email BUT it can be - and frequently is - over-used. Please only send an email to those people who actually need to act upon it. If a name is in the ‘To’ box, it is for action and if in the ‘cc’ box, it is only for information. There is a facility within Outlook where all ‘cc’d emails can be diverted to a deleted or other folder and therefore cannot be relied upon as evidence that a recipient has read or otherwise taken note of the information in the email. It will however be considered under a FOI or SAR request.

Reply to all

You may receive an email with a large circulation list, but it is not always necessary to reply to all for any responses you have. Think about if everyone really does need to see your response, as it may be that it is only relevant for the sender. It will however be considered under a FOI or SAR request.

Overuse of the urgent or priority option

Think about how often you use the 'priority' or 'urgent' option when sending an email. If the matter you are writing about is a high priority then it is probably better to call the recipient, discuss the matter and follow up with an email. Sending an email as urgent is no guarantee that it will be read, especially if the recipient is out of the office.

Use subject lines as headlines

An email subject line has two functions: it grabs your attention and it tells you what the email is about, so that you can decide if you want to read further. Use a few well-chosen words, so that the recipient knows at a glance what the email is about. You can also include what you want the recipient to do – for action, for information, for circulation etc. Never use fully identifiable details in the subject line, anonymise as much as possible and place the rest of the information in the body of the email.

If your message is one of a regular series of emails, such as a weekly project report, include the date in the subject line. For a message that needs a response, you might want to include a reply date. Never leave the subject line blank.

Using EOM (End Of Message) headlines

When you have a very short message to convey, you can use the EOM, or end of message, technique. This is possible when you can put all the relevant information in the subject line, followed by the letters 'EOM'. This lets the recipient know that they don't even have to open the email; all the information is right there. The subject line is the message! Example: Subject: 10/5 Meeting, 10am, Conf. Rm. A, On PASS Procedure EOM

Out of office

Always set up an 'out of office' message when you are going to be out of the office for a day or longer. It must include your date of return and direct people to an alternative person with their contact details, rather than just saying you're not available. Please check that the other person is actually in the office to deal with any queries which may arise. Do not state that you will delete all your emails when you return to the office.

Contact details

Always have your contact details on the email in a signature block which includes your telephone number and email address so people are able to contact you.

Important to note

Emails have been used successfully as evidence in libel cases and industrial tribunals. Sending defamatory mail, even internally, could make the CCGs liable to pay heavy damages to injured parties.


Appendix 5:

Analysing the Impact on Equality

1. Title of policy/programme/framework being analysed

Confidentiality Policy

2. Please state the aims and objectives of this work and the intended equality outcomes. How is this proposal linked to the organisation's business plan and strategic equality objectives?

To provide NHS Fareham & Gosport & South Eastern Hampshire Clinical Commissioning Groups (CCGs) staff with a clear confidentiality and information security framework which includes advice and guidance, and to inform staff of their operational and legal responsibilities.

3. Who is likely to be affected? e.g. staff, patients, service users, carers

Staff

4. What evidence do you have of the potential impact (positive and negative)?

None expected.

4.1 Disability (Consider attitudinal, physical and social barriers)

No impact

4.2 Sex (Impact on men and women, potential link to carers below) No impact

4.3 Race (Consider different ethnic groups, nationalities, Roma Gypsies, Irish Travellers, language barriers, cultural differences).

No impact

4.4 Age (Consider across age ranges, on old and younger people. This can include safeguarding, consent and child welfare).

No impact

4.5 Gender reassignment (Consider impact on transgender and transsexual people. This can include issues such as privacy of data and harassment).

No impact

4.6 Sexual orientation (This will include lesbian, gay and bi-sexual people as well as heterosexual people).

No impact

4.7 Religion or belief (Consider impact on people with different religions, beliefs or no belief).

No impact

4.8 Marriage and Civil Partnership

No impact

4.9 Pregnancy and maternity (This can include impact on working arrangements, part-time working, infant caring responsibilities).

No impact


4.10 Carers (This can include impact on part-time working, shift patterns, general caring responsibilities, access to health services, 'by association' protection under equality legislation).

No impact

4.11 Additional significant evidence (See Guidance Note)

Give details of any evidence on other groups experiencing disadvantage and barriers to access due to:

• socio-economic status

• location (e.g. living in areas of multiple deprivation)

• resident status (migrants)

• multiple discrimination

• homelessness

No impact

5 Action planning for improvement (See Guidance Note) Please give an outline of the key action points based on any gaps, challenges and opportunities you have identified. An Action Plan template is appended for specific action planning.

None identified

Name of person who carried out this analysis Trudy Slade, Information Governance Manager, NHS South Commissioning Support Unit

Date analysis completed 16/11/16