Page 1 of 11

The Newcastle Upon Tyne Hospitals NHS Foundation Trust

Safe Haven and Information Sharing Policy

Version No.: 1.0

Effective From: 29 January 2015

Expiry Date: 30 December 2017

Date Ratified: 23 October 2014

Ratified By: Information Governance Committee

1 Introduction

All NHS organisations require safe haven procedures to maintain the privacy and confidentiality of the personal information held. The implementation of these procedures facilitates compliance with the legal requirements placed upon the organisation.

Where departments within the Trust, other NHS Trusts or other agencies want to send personal information to a Trust department, they should be confident that they are being sent to a location which ensures the security of the data.

2 Scope

This policy provides:

The legislation and guidance which dictates the need for a safe haven

A definition of the term safe haven

When a safe haven is required

The necessary procedures and requirements that are needed toimplement a safe haven

Rules for different kinds of safe haven

The processes described in this policy must be followed by all Trust staff, unless exceptional circumstances arise, which may have an impact on direct patient care.

This policy applies to all those working in the Trust, in whatever capacity. A failure to follow the requirements of the policy may result in investigation and management action being taken as considered appropriate.

This may include formal action in line with the Trust's Disciplinary Policy for Trust employees; and other action in relation to other workers, which may result in the termination of an assignment, placement, secondment or honorary arrangement. Non-compliance may also lead to criminal action being taken.

3 Aims

The purpose of this policy is to reinforce the Trusts commitment to data protection. It will provide staff with clear guidance as to their roles and responsibilities in respect of protecting personal and sensitive information during transfer and on receipt as mandated in the 2013 Caldicott review.

Page 2 of 11

4 Duties (Roles and responsibilities) 4.1 Chief Executive

The Chief Executive has ultimate responsibility for security and patient confidentiality at Organisation level.

4.2 Caldicott Guardian

The Caldicott Guardian is the Trust’s Medical Director and has responsibility for safeguarding the confidentiality of patient information.

4.3 Information Governance Sub Committee (IGSC)

The IGSC are responsible for coordinating improvements in data protection, confidentiality and information security.

4.4 Managers

Managers within the Trust are responsible for ensuring that the policy, and other associated policies and supporting standards and guidelines are built into local processes and that there is on-going compliance

Managers are accountable for the communication about and compliance with Trust policies, and must ensure that staff are adequately trained and apply the appropriate guidelines.

4.5 All Staff

All staff, whether permanent, temporary or contracted are responsible for ensuring that they are aware of the requirements incumbent upon them and for ensuring that they comply with these on a day to day basis.

All staff are responsible for any records or data they create and what they do with information they use.

Staff should ensure they attend information governance training and awareness sessions to maintain their knowledge and skills.

All staff have a responsibility to adhere to information governance standards which are written into the terms and conditions of their contracts of employment.

5 Definitions 5.1 Safe Haven

The term safe haven is a location situated on Trust premises where arrangements and procedures are in place to ensure person-identifiable information can be held, received and communicated securely. In a Trust they are the point from where person identifiable data is controlled.

However, any department sending, receiving, holding or communicating person identifiable data, concerning either patients or staff, should provide safe haven conditions by following the guidelines set out within this policy.

Page 3 of 11

5.2 Person Identifiable Information: This is also referred to as, “personal / confidential information” and relates to information about a person which would enable that person’s identity to be established by one means or another. This might be fairly explicit such as an unusual surname or isolated postcode or bits of different information which if taken together could allow the person to be identified.

All information that relates to an attribute of an individual should be considered as potentially capable of identifying them to a greater or lesser extent. This includes the nationally recognised NHS number.

5.3 Sensitive Information:

Data defined as sensitive under the Data Protection Act 1998. Includes personal, clinical information and financial information.

Examples of sensitive information include information in relation to a person’s: Health or physical condition Sexual life

Ethnic origin or religious beliefs

Political views Criminal Convictions

Or Trade Union Membership For this type of information even more stringent measures should be employed to ensure that the data remains secure.

5.4 Portable Electronic or Removable Media

This includes tapes, floppy discs, Laptops & handheld computers, Optical discs - DVD & CD-ROM, solid state memory cards, cameras, Dictaphones, USB memory sticks and portable hard drives.

5.5 Information / Data Flow / Information Flow Mapping

This is the process of documenting the flow of information from one physical location to another and the method by which it “flows”. Data flows may be by: E mail, fax, post/courier, text or portable electronic or removable media.

5.6 Anonymised Information

This is information which does not identify an individual directly, and which cannot reasonably be used to determine identity. Anonymisation requires the removal of name, address, full postcode and any other detail or combination of details that might support identification.

5.7 Information Sharing Protocol

The protocol is the high level document setting out the general reasons and principles for sharing data. The protocol will show that all signatory agencies are committed to maintaining agreed standards on handling information and will publish a list of senior signatories. It should be underpinned by

Page 4 of 11

information sharing agreements between the organisations who are actually sharing the information.

6 Specific policy 6.1 Safe Havens - Location/Security Arrangements

Any area sending/receiving person identifiable information should consider the physical security arrangements i.e. a room that is locked or preferably accessible via a coded key pad known only to authorised staff, or swipe card controlled. This should be the first step in the aim to create safe haven conditions.

The office or workspace should be sited in such a way that only authorised staff can enter that location i.e. it is not an area which is readily accessible to any member of staff who work in the same building or office, or any visitors

If sited on the ground floor, any windows should have locks on them

Manual paper records containing person-identifiable information should be stored in locked cabinets /rooms, where possible

Computers should not be left on view or accessible to unauthorised staff and the screen ‘locked’ (using Ctrl, Alt, and Delete keys simultaneously / windows and ‘L’ key) or be logged/switched off when not in use

Equipment such as fax machines in the safe haven should have a coded password

Confidential information should not be removed from a safe haven office unless absolutely necessary

All sensitive records must be placed face down in public areas and not left unsupervised at any time

In-coming mail should be opened away from public areas.

Outgoing mail (both internal and external) should be sealed securely in robust envelopes and marked private and confidential - to be opened by addressee only. If the information is particularly sensitive or intended for a particular individual. Where possible use tamper-evident envelopes or tape/seals.

Use recorded/registered delivery or secure courier services for sending personal and sensitive information externally.

Confirm the name, department and full address of the recipient before sending any information out, and ask the recipient to confirm receipt.

6.2 E-mail

When sending e-mail containing identifiable information to colleagues within the Trust, from an NUTH account to an NUTH account is secure. NHSmail is the national e-mail and directory service developed specifically to meet British Medical Association requirements for clinical electronic messaging between NHS organisations and is the only NHS approved e-mail system for transmitting P.I.D.

All staff should set up an NHSmail account to communicate confidential information electronically.

Page 5 of 11

To be set up with an NHSmail account staff must first contact the IT Service Desk or their Local Organisation Administrator (LOA) so they can pre register you for this service. Log a call by e-mailing IT via the Intranet or Telephone 21000 All “NHSmail” e-mail addresses end in @nhs.net. If the contents are to remain secure in transit both the sender and recipient must use NHSmail (or an e-mail with a suffix shown in the list below). Information sent by NHSmail is only secure when in transit. NHSmail cannot protect information before it has been sent or after it has been received especially if this has subsequently been saved on to a computer hard disk drive. There is no ‘message recall’ functionality within NHSmail and staff are advised to check the National NHSmail Directory to ensure they have the correct recipient before sending an email. Sending (or receiving) from NHSmail to e-mail addresses with the following suffixes are deemed secure. *.gsi.gov.uk *.gsx.gov.uk *.gcsx.gov.uk *.gse.gov.uk *.pnn.police.uk *.scn.gov.uk *.cjsm.net *.mod.uk *.hmps.gsi.gov.uk

The above are all domains within the government secure network and have a secure link between that network and NHSmail. All the domains listed have been accredited to ‘restricted’ level and taken from the NHSmail website.

6.3 Fax Machines

Fax machines must only be used to transfer personal information where it is absolutely necessary to do so. The use of NHSmail to communicate confidential information outside of the Trust is recommended. The following rules must apply if using a fax:

When faxing within the Trust, use the last 5 digits of the fax number only

Fax is sent to a safe location where only staff that have a legitimate right to view the information can access it

You notify the recipient when you are sending the fax and ask them to acknowledge receipt

The sender is certain that the correct person will receive it and that the fax number is correct, if unsure, send a blank ‘test’ fax sheet to confirm details

Care is taken in dialling the correct number, and pre-programmed numbers are used, where possible. Most faxes machines hold up to 100 numbers

Confidential faxes are not left lying around for unauthorised staff to see

Page 6 of 11

Only the minimum amount of personal information should be sent,where possible the data should be made anonymous or a uniqueidentifier used

Faxes sent should include a front sheet (Appendix 1), which contains a suitable confidentiality clause/disclaimer, and states who the information is intended for

A report sheet is printed to confirm that the transmission wassuccessful (this does not however confirm receipt). The details of thisreport should be double checked to ensure that they are accurate.

6.4 Communication by Post

This section applies equally to internal post within the organisation, external post such as the Royal Mail and any other postal or courier / delivery service.

Records relating to vulnerable children, children subject to a child protection plan and looked after children transferring outside of the area must be sent via the Child Health Department. The records must have been seen by the Designated or Named Nurse for Child Protection before leaving the organisation. They must contain a transfer out summary, and be sent by special delivery to the Child Health Department of a receiving NHS organisation.

If clinical records are to be sent by post, they must be in a secure, robust sealed envelope to withstand transit through the postal system,, clearly marked “Confidential” and sent securely by the most appropriate method pertaining to the content.

The addressee must be a named individual, not a department or organisation name. There must be a return address clearly given on the outside of the envelope.

Infernal mail transit envelopes should not be used for identifiable information as they are not sealed and it may not be clear who the intended recipient is. Internal post can be sent safely on the Internal Courier as the vehicle is emptied each day therefore mitigating the loss of any post.

6.5 Computers

Access to any PC must be password protected; passwords must not beshared, written down or disclosed in any way

Computer screens must not be left on view so members of the generalpublic or staff, who do not have a justified need to view the information, can see personal data

PCs or laptops not in use should be logged/switched off or the screen‘locked’ (using Ctrl, Alt, and Delete keys / windows and ‘L’ key) whennot in use Information should be held on the Trust’s network sharede.g. X Drive or home drives ‘H’ Drive and not stored on local computerhard drives i.e. ‘C’ drive (usually ‘my documents’) unless encrypted.

Page 7 of 11

Confidential Information stored on network shared drives should be restricted as appropriate. IT services can assist in establishing folder access rights

• Ensure regular house-keeping of your files, ensuring only the minimum amount of data is retained, in accordance with the NHS Records Management Code of Practice, Part 2, 2nd Edition

Any new database/system applications created/introduced that contain person identifiable information should be registered as an Information Asset

Any database, containing personal information should comply with the Data Protection Act and Caldicott Principles.

6.6 Phone

Information should not usually be provided over the telephone as the identity of the caller cannot always be verified

Always confirm the name, job title, department, and organisation of the person requesting the information

Confirm the reason for the information request

Take a contact number i.e. main switchboard (never a direct line or mobile telephone number)

Call them back (always call the switchboard) to confirm the details, if necessary

Check whether the information can be provided; if in doubt tell the enquirer that you will call them back

Provide the information only to the person, who requested it, do not leave messages

Ensure that you record details of the information disclosed, your name, date and time of disclosure, the reason for the disclosure, and who authorised the disclosure. Also record the recipient’s name, job title, organisation and telephone number

6.7 Other Transportation Arrangements

Person identifiable information should only be taken off site when absolutely necessary

Information must be transported in a sealed container

Never leave person identifiable information unattended

Ensure that all information is returned back to the site as soon as possible, and that any records are updated

Personal data should not be sent outside of the UK without seeking advice from Information Governance.

6.8 Whiteboards/Noticeboards

Boards containing patient information / person identifiable information should ideally be sited in areas that are not generally accessible by the public, e.g. staff offices. These rooms should be clearly marked 'staff only' and windows obscured appropriately.

Page 8 of 11

The use of personal information in patient areas should be carefully considered and a risk assessment undertaken by an appropriate manager. The boards should contain only sufficient detail to locate the patient and they must not contain sensitive confidential information. In patient areas only state the patient’s first initial and surname (both initials preferably). If it is absolutely necessary to put clinical information onto a whiteboard, the information should be abbreviated or symbolised so as only health professionals can understand the information and no other members of staff that may come into the department. Where sensitive information is required to be held temporarily, such as messages to patients or employees, shift change information, managers should ensure procedures are in place to prevent disclosure to unauthorised persons.

6.9 Sharing Information with other Organisations

Information should only be shared if:

You have patient consent or

If a law says you have to or

It’s in the public interest

7 Information Sharing Protocol There are a number of circumstances where personal identifiable information may be shared with a third party. The reason for sharing the information should fall roughly into one of three categories.

Clinical care of the patient.

Research and development (including clinical audit).

Bulk sharing of data for a single purpose (data correction, system testing etc.).

Information used for the direct care of patients, shared with other health or social care professionals falls under the guidance in the Government paper To Share or Not To Share published September 2013 (also known as Caldicott 2 review). Information shared in those circumstances is covered by a series of high level protocols between all the organisations. Locally individuals sharing data must ensure that the information is shared in line with the safe haven guidance in this policy. Regular outgoing flows of data should also be logged with the Trust Caldicott guardian through the on-line form available on the trust Intranet.

Information used for research must have both ethics and Caldicott approval. Data used for research would normally have the consent of the data subjects and no specific sharing agreement would be required.

Bulk sharing of data must have a specific sharing agreement outlining details of the type of data being shared, information about the sharing partners, valid reason for

Page 9 of 11

sharing, how the data is to be shared and used and the length of time the data will be retained by the sharing partner. Where Trust data is being shared with an external third party the owner of the data (IAO) must inform the Information Governance Team who will draft a sharing agreement using the locally agreed Sharing template. The agreement once reviewed by all parties must be signed by the Trust Caldicott guardian (or in some circumstances the Head of Service) and an authorised signatory of the sharing parties. Each party will keep a copy of the signed agreement and the Information Governance Team will add the details to the local Sharing Agreement Register. The data being shared should be logged by the IAO in their data flows and all flows must be reviewed annually. Any changes to sharing agreements must be relayed to the Information Governance Team to be reviewed. 8 Training It is essential that all staff are trained sufficiently to ensure that they have the knowledge and understanding to undertake their roles and responsibilities regarding protecting personal information. To this end all new staff will undertake the eLearning package on Information Governance as part of their Induction Programme. This will be repeated annually as part of mandatory training.

Responsibility for the regular day-to-day compliance with all policies and procedures rests with the line manager who must ensure that staff are adequately trained in data protection requirements and that any training needs are identified and addressed.

9 Equality and Diversity The Trust is committed to ensuring that it treats its employees fairly equitably and reasonably and that it does not discriminate against individuals or groups on the basis of their ethnic origin, physical or mental abilities, gender, age, religious beliefs or sexual orientation. 10 Monitoring Compliance

Standard / Process / Issue

Monitoring and Audit

Method By Committee Frequency

The Trust will regularly monitor and audit its Safe Haven & Information Sharing practices for compliance with this policy through the national IG

IG Toolkit Audit and external Audit

IG Committee

Committee reports quarterly.

Page 10 of 11

Toolkit audit. To maintain minimum level 2 compliance with IG toolkit requirement 308.

The audit will: Identify areas of operation that are covered by the Trust’s policies and identify which procedures and/or guidance should comply to the policy; Follow a mechanism for adapting the policy to cover missing areas if these are critical to processes, and use a subsidiary development plan if there are major changes to be made;

Set and maintain standards by implementing new procedures, including obtaining feedback where the procedures do not match the desired levels of performance; and Highlight where non-conformance to the policy is occurring and suggest a tightening of controls and adjustment to related procedures.

External Audit

Incidents and results of audits will be reported to the IGSC, Clinical Governance and Risk Committee and other Committees, as appropriate

Annual

11 Consultation and Review This policy has been reviewed in consultation with staff that send and receive sensitive personal information and use safe haven processes as part of their current procedures. The policy has been ratified by the Information Governance Committee.

This policy will be reviewed every three years (or sooner if new legislation, codes of practice or national standards are introduced). 12 References A number of Acts and guidance dictates the need for safe haven arrangements to be set in place, they include:

Data Protection Act 1998 (Principle 7): “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Page 11 of 11

Confidentiality: NHS Code of Practice: Annex A1 Protect Patient Information “Care must be taken, particularly with confidential clinical information, to ensure that the means of transferring from one location to another are secure as they can be” Health and Social Care Information Centre (HSCIC)

Safe Haven Briefing: Secure transfer of personal identifiable information by fax https://www.igt.hscic.gov.uk/WhatsNewDocuments/Safe%20Haven%20Briefing_June2013.pdf

To Share or Not To Share (the government response to Caldicott review). 13 Associated Documents

Appendix 1

Safe Haven Fax Cover Sheet

Confidential

To Fax no

Tel no

Organisation/Dept

From Tel no

Organisation/Dept

Subject

Total number of pages (including this one) ____________

Message

The information in this fax document is confidential and may be legally privileged. It is intended solely

for the addressee. Access to this document by anyone else is unauthorised. If you are not the

intended recipient any disclosure, copying, distribution or any action taken or omitted to be taken

based on the contents of the fax, is prohibited and may be unlawful. If this document is received by

anyone other than the addressee please contact the sender.

The Newcastle upon Tyne Hospitals NHS Foundation Trust

Equality Analysis Form A

This form must be completed and attached to any procedural document when submitted to the appropriate committee for consideration and approval.

PART 1 1. Assessment Date: 2. Name of policy / strategy / service:

Safe Haven & Information Sharing Policy 3. Name and designation of Author:

Richard Oliver Head of Information Governance & Security

4. Names & designations of those involved in the impact analysis screening process:

Information Governance committee

5. Is this a: Policy x Strategy Service

Is this: New Revised

Who is affected Employees Service Users Wider Community

6. What are the main aims, objectives of the policy, strategy, or service and the intended outcomes? (These can be cut and pasted from your policy)

To secure and protect patient data in transit between organisations. In line with IGT

7. Does this policy, strategy, or service have any equality implications? Yes No X

If No, state reasons and the information used to make this decision, please refer to paragraph 2.3 of the Equality Analysis Guidance before providing reasons:

This is a Trust wide policy based on national legal requirements for the protection of sensitive personal data.

14/10/2014

8. Summary of evidence related to protected characteristics Protected Characteristic Evidence, i.e. What evidence

do you have that the Trust is meeting the needs of people in various protected Groups

Does evidence/engagement highlight areas of direct or indirect discrimination? If yes describe steps to be taken to address (by whom, completion date and review date)

Does the evidence highlight any areas to advance opportunities or foster good relations. If yes what steps will be taken? (by whom, completion date and review date)

Race / Ethnic origin (including gypsies and travellers)

N/A No No

Sex (male/ female) N/A No No

Religion and Belief N/A No No

Sexual orientation including lesbian, gay and bisexual people

N/A No No

Age N/A No No

Disability – learning difficulties, physical disability, sensory impairment and mental health. Consider the needs of carers in this section

N/A No No

Gender Re-assignment N/A No No

Marriage and Civil Partnership N/A No No

Maternity / Pregnancy N/A No No

9. Are there any gaps in the evidence outlined above? If ‘yes’ how will these be rectified?

No

10. Engagement has taken place with people who have protected characteristics and will continue through the Equality Delivery

System and the Equality Diversity and Human Rights Group. Please note you may require further engagement in respect of any significant changes to policies, new developments and or changes to service delivery. In such circumstances please contact the Equality and Diversity Lead or the Involvement and Equalities Officer.

Do you require further engagement? Yes No x

11. Could the policy, strategy or service have a negative impact on human rights? (E.g. the right to respect for private and family

life, the right to a fair hearing and the right to education?

No

PART 2 Name:

Richard Oliver

Date of completion:

15/12/14

(If any reader of this procedural document identifies a potential discriminatory impact that has not been identified, please refer to the Policy Author identified above, together with any suggestions for action required to avoid/reduce the impact.)