About Information Governance (Data Security & Protection)
The legal framework governing the use of personal confidential data in health care is complex. It includes the NHS Act 2006, the Health and Social Care Act 2012, current Data Protection Legislation, the Human Rights Act, the Health & Social Care (Safety & Quality) Act 2015, and from the 25th May 2018 – The EU’s General Data Protection Regulation (GDPR). The updated Data Protection Act 2018 includes much of the GDPR.
Data Protection, the DPA and the EU GDPR
From April 2018 the new Data Security and Protection Toolkit (DSP Toolkit) replaces the Information Governance Toolkit (IG Toolkit). It will form part of a new framework for assuring that organisations are implementing the ten data security standards and meeting their statutory obligations on data protection and data security.
The ten data security standards detailed in the National Data Guardians 2017/18 report apply to all health and care organisations. All staff are required to complete Data Security & Protection Training on arrival at the trust and then annually thereafter through an annual rolling programme.
When considering data security as part of the well-led element of their inspections, the Care Quality Commission (CQC) will look at how organisations are assuring themselves that the steps set out in this document are being taken. More information on the CQC inspection frameworks can be found here: http://www.cqc.org.uk/guidance-providers
Organisations contracted to provide services under the NHS Standard Contract (NHS providers) must comply with the requirements set out in this document, as part of the data security and protection requirements set out in that contract. At the end of the 2017/18 financial year NHS Improvement will ask NHS providers to confirm that they have implemented the requirements set out in this document. In the longer term NHS Improvement will ensure that data security is included in their oversight arrangements.
It is the Trusts intention to provide understandable Privacy Notices (PNs) on its website, and in all of our main Patient Waiting Areas.
- The DBTH Privacy Notices
- The Integrated Doncaster Care Record (iDCR)
Generally speaking, people within the healthcare system using data for secondary purposes must only use data that do not identify individual patients unless they have the consent of the patient themselves.
GDPR Article 9 2(h) affords for a legal basis to enable appropriate sharing of information in health and social care settings:
processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in Article 9 paragraph 3
The safe and effective management of the Trust’s Information Systems falls on three Senior roles who act as:
- Caldicott Guardian
- Senior Information Risk Owner (SIRO), and
- Data Protection Officer (DPO) (Our DPO is: Roy Underwood email – firstname.lastname@example.org)
The Caldicott Guardian for our Trust is The Trust Medical Director
The Caldicott Guardian’s position:
- Is advisory
- Is the conscience of the organisation
- Provides a focal point for patient confidentiality & information sharing issues
- Is concerned with the management of patient information.
Guardians have a strategic role, developing security and confidentiality policies, representing confidentiality requirements and issues at Board level, advising on annual improvement plans, and agreeing and presenting annual outcome reports.
Local issues regarding the release of Information will inevitably arise. They should always be referred to the Caldicott Guardian, or his deputy the Head of Information Governance, for resolution.
The Senior Information Risk Owner (SIRO) for our Trust is The Chief Information Officer
The SIRO’s position:
- Is accountable
- Fosters a culture for protecting and using data
- Provides a focal point for managing information risks and incidents
- Is concerned with the management of all information assets.
The Head of Information Governance acts as:
- the Data Protection Officer
- the Deputy SIRO, and
- the Assistant to the Caldicott Guardian and Clinical Safety Officer.
These roles are supported by the Trust Information Governance Group.
Subject Access Request
Under GDPR and DPA 2018 or ‘current data protection legislation’ as it is more commonly known, you can ask us questions about the data we hold which is personal to you; we will always check your identity first and before we acknowledge that we hold any information, or indeed release any information to you.
For personal data, this is known in Law as a subject access request or SAR, with the subject being you.
You can also ask us about deceased persons records under the Access to Health Records Act 1990, and again we will always check that you have a right to access the information before we acknowledge that we hold any information, or indeed release any information to you. We have an enduring duty of confidence to deceased persons.
To complete a Subject Access Request please complete this form, a guidance document is available to aid the completion of the application form. When complete, please send to the Case Note Release Department via email or post.
eMail: email@example.comCase Note Release Department
Doncaster Royal Infirmary
Doncaster DN2 5LT
If you require any assistance please contact the Case Note Release Department on the phone number provided.
Phone: 01302 642235
Content out of date? Information wrong or not clear enough? Report this page.