2

DATA PROTECTION POLICY AUGUST 2014

This Policy supersedes all previous policies for Data Protection

Version 3.0

3

Policy title Data Protection Policy

Policy reference

COR 18

Policy category Corporate Policies

Relevant to All Staff

Date published June 2011

Implementation date

June 2011

Date last reviewed

August 2014

Next review date

August 2015

Policy lead Information Governance Manager

Contact details Email: Information.Governance@Candi.nhs.uk

Telephone: 020 3317 3115

Accountable Director

Claire Johnston, Director of Nursing & People

Approved by (Group):

Information Governance Steering Group

Approved by (Committee):

Information Governance Steering Group

Document history

Date Version Amendments

Jan 08 1.0

Jun 09 1.1

Jun 11 2.0

September 14 3.0

Updated management details, amended section regards SU access to health records. Amendment to section regards digital dictation and recording. Reference to Caldicott and updated principles.

Membership of the Policy development/ review team

Information Governance Steering Group

Consultation

Information Governance Steering Group

DO NOT AMEND THIS DOCUMENT

Further copies of this document can be found on the Foundation Trust Intranet.

4

Contents Page

1 Introduction 6

2 Aims and Objectives 6

3 Scope of the Policy 7

4 Personal Data and Sensitive Personal Data 7

5 Notification to the Information Commissioner 8

6 Data Protection Responsibilities 8

7 Data Protection Principles 8

8 Processing 8

9 Responsibilities of Individual Data Users 9

10 Accuracy of Detail 9

11 Data Security and Disclosure 9

12 Data Subjects’ Consent 10

13 The NHS Care Record Guarantee 10

14 Rights to Access Personal and/or Sensitive Personal Data 10

15 Service User’s Right of Access to their Clinical Records 11

16 Staff Right of Access to Personal Records 11

17 Digital Imaging, Videoing and Audio Recordings 11

18 Email 11

19 Disclosure outside the European Economic Area (EEA) 12

20 Retention of Data 12

21 Complaints Procedure 12

22 Dissemination and Implementation Arrangements 13

23 Training Requirements 13

24 Monitoring and Audit Arrangements 14 2

25 Review of the Policy 14 2

26 References 14 12

27 Associated Documents 14 12

5

Appendix 1: Equality Impact Assessment Tool 15

Appendix 2: Glossary 16

Appendix 3: Caldicott Principles 18

Appendix 4: Contacts 19

Appendix 5: Data Protection Registration Form 20

Appendix 6: Guidance Note concerning Data Protection Complaints 22

6

1. Introduction

This Policy sets out the standards all staff must adopt in the handling and management of information about people, to ensure compliance with the Data Protection Act (DPA) 1998 as amended by the Freedom of Information Act 2000 (section 68). This Policy forms part of the Trust's Information Governance Strategy and application of it will ensure consistent standards are adopted in the processing of all personal and/or sensitive personal data held by the Trust, and compliance with the DPA.

The DPA provides living individuals the right to privacy in respect of their personal information and how it is processed. Information can be processed automatically, be part of a relevant filing system (manual data) or, form part of an accessible record, including microfilm, CCTV and other media.

This Policy:

Defines all information covered by the DPA.

Lists the DPA principles.

Outlines the Trust procedures for holding, obtaining, recording, using and storing information in the Trust.

Provides guidance on acceptable use(s) of information.

This Policy applies to all those working in the Trust, in whatever capacity. A failure to follow the requirements of the Policy may result in investigation and management action being taken as considered appropriate. This may include formal action in line with the Trust's disciplinary or capability procedures for Trust employees; and other action in relation to other workers, which may result in the termination of an assignment, placement, secondment or honorary arrangement.

A glossary of terms used but not defined in this Policy is available in Appendix 2 at the end of this Policy.

2. Aim and Objectives

The lawful and correct treatment of personal information is vital to the successful operation of the Trust and maintaining confidence within the Trust and the individuals with whom its deals. Therefore the Trust will, through appropriate management and strict application of criteria and controls:

Observe fully conditions regarding the fair collection and use of information.

Meet its legal obligations to specify the purposes for which information is used.

Collect and process appropriate information, and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements.

Ensure the quality of information used.

7

Apply strict checks to determine the length of time that information is held. Ensure that the rights of people about whom information is held can be fully exercised under the Act (These include the right of access to one’s personal information; the right to prevent processing in certain circumstances; the right to correct, rectify, block or erase details which are regarded as wrong information).

Take appropriate technical and organisational security measures to safeguard personal information, ensuring it is only disclosed to individuals with legal rights to access the information.

Ensure personal information is not transferred abroad without suitable safeguards.

3. Scope of the Policy

This Policy covers records held and processed by Camden & Islington Foundation NHS Trust. The Trust is responsible for its own records under the terms of the Data Protection Act 1998, and it has submitted a notification as the Data Controller to the Information Commissioner.

4. Personal Data and Sensitive Personal Data

The Trust processes “personal data” and “sensitive personal data” relating to staff, service users and other individuals.

Personal data is information which relates to a living individual (the data subject) who can be identified:

from those data, or

from those data and other information which is in the possession of, or

likely to come into the possession of the data controller.

It includes any expression of opinion about the individual and any indication of the intentions of the Data Controller or any other person in respect of the individual.

Sensitive personal data is information about an individual’s:

racial or ethnic origin,

political opinions,

religious beliefs or beliefs of a similar nature,

trade union membership,

physical or mental health condition,

sexual life,

offences or alleged offences and

information relating to any proceedings for offences committed or allegedly committed by the data subject, including the outcome of those proceedings.

8

In exceptional circumstances, the Trust may need to process information regarding criminal convictions or alleged offences in connection, for example with any disciplinary proceedings or other legal obligations.

In circumstances where sensitive personal data is to be held or processed, the Trust normally seeks the explicit consent of the individual in question unless one of the limited exemptions provided in the Data Protection Act 1998 applies.

5. Notification to the Information Commissioner

The Trust has an obligation as the Data Controller to notify the Information Commissioner of the purposes for which it processes personal and/or sensitive personal data. Notification monitoring within the Trust is carried out by the Information Governance Manager. Individual data subjects can obtain full details of the Trust’s data protection notification from the Information Governance Manager.

6. Data Protection Responsibilities

All queries about the Trust Policy should be directed to the Information Governance Manager.

All requests for access to personal and/or sensitive personal data, including service user’s records should be addressed to the Data Protection Officer (See Appendix 2 – Glossary).

7. Data Protection Principles

The Trust, as the Data Controller, must comply with the eight Data Protection principles set out in the Data Protection Act 1998. In summary these state that personal and/or sensitive personal data shall:

Be processed fairly and lawfully and shall not be processed unless certain conditions are met.

Be obtained for specified and lawful purposes and shall not be processed in any manner incompatible with those purposes.

Be adequate, relevant and not excessive for those purposes.

Be accurate and kept up to date.

Not to be kept longer than is necessary for those purposes.

Be processed in accordance with the data subject’s rights under the Data Protection Act. Be the subject of appropriate technical and organisational measures against unauthorised or unlawful processing, accidental loss or destruction. Not be transferred to a country outside the European Economic Area (EEA), unless that country or territory has equivalent levels of protection for personal and/or sensitive personal data.

8. Processing

“Processing”, in relation to the information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data including:

9

Organisation, adaptation or alteration of the information or data.

Retrieval, consultation or use of the information or data

Disclosure of the information or data by transmission, dissemination or otherwise making available or alignment, combination, blocking, erasure or destruction of the information or data.

9. Responsibilities of Individual Data Users

All employees of the Trust who record and/or process personal and/or sensitive personal data in any form must ensure that they comply with:

The requirements of the Data Protection Act 1998 (including the Data

Protection principles).

This Policy and all related policies procedures and guidelines issued by the Trust, listed at the beginning of this Policy and available via the Trust intranet.

Staff must contact the Information Governance Manager for data protection advice and to complete Data Protection Registration (See Appendix 3 - Contacts and Appendix 4 – Data Protection Registration Form) concerning the following:

When developing a new computer system for processing personal and/or sensitive personal data.

When using an existing computer system to process personal and/or sensitive personal data for a new purpose.

When creating a new manual filing system containing personal details.

When using an existing manual filing system containing personal and/or sensitive personal data for a new purpose.

10. Accuracy of Detail

All staff are responsible for:

checking that any service user, staff or other individual’s information they handle is as accurate and up to date as possible.

checking that any personal information they provide to the Trust in connection with their employment is accurate and up to date e.g. change of address. The Trust is not responsible for any errors in personal information unless the Trust has been informed about them.

11. Data Security and Disclosure

All staff within the Trust are responsible for ensuring that:

Any personal and/or sensitive personal data which they hold is kept securely.

Personal and/or sensitive personal data is not disclosed either orally, in writing or otherwise to any unauthorised third party, and that reasonable effort (as defined by Trust Policies, Procedures and Job Descriptions) will

10

be made to ensure data is not disclosed accidentally.

Unauthorised disclosure is a disciplinary matter and may be considered gross misconduct. If in any doubt, please consult the Information Governance Manager or Human Resources.

Personal and/or sensitive personal data must be kept securely and examples of how this may be done will include:

keeping data locked in a filing cabinet, drawer or room; or

If the data is computerised, ensuring that the data is password protected.

12. Data Subjects’ Consent

It is the Trust’s Policy to seek and obtain explicit consent whenever practicable from the individual data subjects for the main ways in which the Trust may hold and process personal and/or sensitive personal data concerning them.

This is to allow individuals an opportunity to raise any objections to any intended processing of their personal and/or sensitive personal data. The Trust is obliged to consider any such objections, explain the consequences of not processing the data requested, but reserves the right to process personal and/or sensitive personal data in order to carry out its functions as permitted by law. The legal permissions for certain types of personal and/or sensitive personal data allow processing for particular purposes without the consent of the individual data subject. Where this takes place the Trust will ensure that individuals that process the data are required to justify their reasons for doing so in line with the Data Protection Act 1998, other related legislation (e.g. the Mental Health Act 1983, the Mental Capacity Act 2005) and guidelines issued by the Information Commissioner and the Department of Health.

13. The NHS Care Record Guarantee

The NHS Care Record Guarantee is National Policy and sets out the rules that will govern information held in the NHS Care Records Service (known as RiO for this Trust). This will form an important part of the public information campaign about NHS Care Records. The Guarantee covers people’s access to their own records, controls on others' access, how access will be monitored and policed, options people have to further limit access, access in an emergency, and what happens when someone cannot make their own decisions.

14 Rights to Access Personal and/or Sensitive Personal Data

Staff, service users (or their legal representative) and other individuals have the right under the Data Protection Act 1998 to access (subject access request) any personal and/or sensitive personal data that is being held about them either in an electronic or manual form. They also have the right to request the correction of such data where they are incorrect.

11

15 Service User’s Right of Access to their Clinical Records

An individual who wishes to exercise his/her right of access is asked to formally request this information in writing to the Data Protection Officer.

Any inaccuracies in data disclosed in this way should be communicated immediately to the Data Protection Officer who shall take the appropriate steps to make the necessary amendments.

The Trust will respond to the request for access to personal and/or sensitive personal data within 40 days (including bank holidays and weekends) of the request, following the receipt of the appropriate fee (if charged). The 40 day period begins on the first whole day following receipt of the fee.

16. Staff Right of Access to Personal Records

Any member of staff who wishes to exercise his/her right of access to their staff record or similar personal information is asked to request this information in writing to the Human Resources Department. Photocopies of the information will be provided if requested, or the member of staff will be able to read the information at source accompanied by a member of the Human Resources Team. Such access to information will not normally be subject to the payment of a fee.

Any perceived inaccuracies in data disclosed in this way should be communicated immediately to the Human Resources Department who will take the necessary steps to make any agreed and/or necessary amendments.

17. Digital Imaging, Videoing and Audio Recordings

Consent should always be sought from the service user (or parent/guardian in the case of children under 16). If the service user lacks capacity to provide informed consent it is good practice to inform or discuss with the carer or next of kin. More information around digital imaging and videoing can be found in the Staff code of Confidentiality, Information disclosure guidelines available via the Trust Intranet.

Where used, service user’s images (still or moving e.g. x-rays, video recordings, photographs), staff should be aware that these images are subject to the Data Protection Act and may be requested as part of a subject access request. If digital/video images are part of the care record, then they are subject to the Caldicott Principles and have to be retained and stored securely.

Audio recordings should be treated in a similar manner to digital images.

18. Email

It is permissible and appropriate for the Trust to keep records of internal communications, provided such records comply with the Data Protection principles.

It is appropriate to use email in the proper functioning of the Trust; however there are limitations these can be found in the Trust’s Email Policy available via the Trust Intranet.

All Trust staff need to be aware that:

12

The Data Protection Act 1998 applies to emails which contain personal and/or sensitive personal data about individuals which are sent or received by Trust staff.

Subject to certain exemptions, individual data subjects will be entitled to make a subject access request and have access to emails which contain personal and/or sensitive personal data concerning them, provided that the individual data subject can provide sufficient information for the Trust to locate the personal and/or sensitive personal data in the emails.

The legislation applies to all emails to and from members of the Trust which are sent and received for Trust purposes.

For further information please see the Trust’s Email Policy.

19. Disclosure Outside the EEA

The Trust may, from time to time, transfer personal and/or sensitive personal data to countries or territories outside of the European Economic Area in accordance with purposes made known to the individual data subjects and the Information Commissioner. If an individual wishes to raise an objection to this disclosure, then written notice should be given to the Information Governance Manager.

Other personal and/or sensitive personal data , even if it would otherwise constitute fair processing, must not, unless certain exemptions apply or protective measures taken, be disclosed or transferred outside the EEA to a county or territory which does not ensure an adequate level of protection for the rights and freedoms of data subjects.

20. Retention of Data

The Trust retains and stores different types of information for differing lengths of time, depending on legal and operational requirements, following which they will either be archived or destroyed. This will be done in accordance with the Trust’s retention periods.

21. Complaints Procedure If a service user/requestor has any issues with regard to Access to Health

Records or of any other issues regarding Data Protection, then they are liberty to make a formal complaint. The investigation should be taken by the Information Governance Manager who will see whether or not any issues regarding Access to Health Records or other issues regarding Data Protection have been breached. If he/she feels that this is the case then he/she would make recommendations to the department and formally write to the service user and/or requestor.

If the service user/requestor is unhappy with regard to the recommendations by

the Information Governance Manager, then they can proceed to the Information Commissioner’s Office who will then make the final decision (See Appendix 5 – Guidance Note Concerning Data Protection Complaints).

13

22. Dissemination and Implementation Arrangements

This document will be circulated to all managers who will be required to cascade the information to members of their teams and to confirm receipt of the procedure and destruction of previous procedures/policies which this supersedes. It will be available to all staff via the Trust Intranet. Managers will ensure that all staff are briefed on its contents and on what it means for them.

23. Training Requirements

For any particular Training requirements please refer to the Trust’s Mandatory Training Policy and Learning and Development Guide.

14

24. Monitoring and Audit Arrangements

25. Review of the Policy

This Policy should be reviewed every year from implementation date as a minimum. This Policy may also be reviewed and amended at any time if it is considered that amendments are required to ensure the Policy is up to date and accurate for the Trust.

26. References

NHSLA Risk Management Standards 2010 Freedom of Information Act 2000 Access to Health Records Policy

27. Associated Documents

See Appendices below.

Element to be monitored See list of NHSLA minimum requirements if relevant

Lead How Trust will monitor compliance

Frequency Reporting arrangements Which committee or group will the monitoring report go to?

Acting on recommendations and Lead(s) Which committee or group will act on recommendations?

Change in practice and lessons to be shared How will changes be implemented and lessons learnt/ shared?

US

For auditing information

Annually/or as required

Information Governance Steering Group

Required actions will be identified in a specified timeframe.

Required changes to practice will be identified and actioned within a specific timeframe. A lead member of the team will be identified to take each change forward where appropriate. Lessons will be shared with all the relevant stakeholders

15

Appendix 1

Equality Impact Assessment Tool

To be completed and attached to any procedural document when submitted to the

appropriate committee for consideration and approval.

Yes/No Comments

1. Does the policy/guidance affect one group less or more favourably than another on the basis of:

No

Race No

Ethnic origins (including gypsies and travellers) No

Nationality No

Gender No

Culture No

Religion or belief No

Sexual orientation including lesbian, gay and bisexual people

No

Age No

Disability - learning disabilities, physical disability, sensory impairment and mental health problems

No

2. Is there any evidence that some groups are affected differently?

No

3. If you have identified potential discrimination, are any exceptions valid, legal and/or justifiable?

N/A

4. Is the impact of the policy/guidance likely to be negative?

No

5. If so can the impact be avoided? N/A

6. What alternatives are there to achieving the policy/guidance without the impact?

N/A

7. Can we reduce the impact by taking different action?

N/A

If you have identified a potential discriminatory impact of this procedural document,

please refer it to the author together with any suggestions as to the action required to

avoid/reduce this impact.

16

Appendix 2 – Glossary

CCTV CCTV (closed circuit television) is a video camera connected to a monitor. The camera usually has a zoom feature, which allows the user to magnify anything placed in the camera’s view and usually used for security purposes Consent Any freely given specific and informed indication of wishes by which the data subject signifies agreement to personal and/or sensitive personal data relating to them being processed. Data Controller A person who determines the purposes for and the manner in which personal and/or sensitive personal data are, or are to be, processed. This may be an individual or an organisation and the processing may be carried out jointly or in common with other persons. In this context the Foundation Trust itself is the Data Controller. Data Protection Act 1998 The Data Protection Act aims to give protection to all information relating to a living individual. It also sets out the conditions of the use of the information both processed by computers and held, stored manually in hard copy. Data Subject This is the data subject (individual) who is the subject of the personal information (data). EEA European Economic Area – the 27 member states of the European Union and Norway, Iceland and Liechtenstein. Freedom of Information Act 2000 The Freedom of Information Act is law giving people the general right to see recorded information held by public authorities. Information Commissioner The Information Commissioner is an independent official appointed by the Crown to oversee the Data Protection Act 1998, the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 Notification Notification is the process by which a data controller's processing details are added to a register. Under the Data Protection Act every data controller who is processing personal and/or sensitive personal data needs to notify unless they are exempt. Failure to notify is a criminal offence. Even if a data controller is exempt from notification, they must still comply with the principles. Processing Processing means obtaining, recording or holding the data or carrying out any operation or set of operations on data.

17

Subject Access Request Under the Data Protection Act, individuals can see the information about themselves that is held on computer and in some paper records. If an individual wants more information on the personal and/or sensitive personal data held about them, they can write to the person or organisation that they believe is processing the data.

18

Appendix 3 – Caldicott Principles

Caldicott Guidelines - The Caldicott Principles as laid down by the NHS Executive.

Principle 1 - Justify the purpose(s) Every proposed use or transfer of patient-identifiable information within or from an organisation should be clearly defined and scrutinised, with continuing uses regularly reviewed by an appropriate Guardian.

Principle 2 - Don't use patient-identifiable information unless it is absolutely necessary Patient-identifiable information items should not be used unless there is no alternative.

Principle 3 - Use the minimum necessary patient-identifiable information Where use of patient-identifiable information is considered to be essential, each individual item of information should be justified with the aim of reducing identifiably.

Principle 4 - Access to patient-identifiable information should be on a strict need to know basis Only those individuals who need access to patient-identifiable information should have access to it, and they should only have access to the information items that they need to see.

Principle 5 - Everyone should be aware of their responsibilities Action should be taken to ensure that those handling patient-identifiable information - both clinical and non-clinical - are aware of their responsibilities and obligations to respect patient confidentiality.

Principle 6 - Understand and comply with the law Every use of patient-identifiable information must be lawful. Someone in each organisation should be responsible for ensuring that the organisation complies with legal requirements. Failure to maintain patient information in a confidential manner can result in disciplinary proceedings being taken against a member of staff. Principle 7 - The duty to share information can be as important as the duty to protect patient confidentiality Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

19

Appendix 3 – Data Protection registration form

Appendix 4 – Contacts

Freedom of Information Requests Data Protection’s Subject Access Request, Queries and Investigations Information Governance Manager Camden & Islington NHS Foundation Trust East Wing 1st Floor St Pancras Hospital 4 St Pancras Way London NW1 0PE Tel: 020 3317 3115 Fax: 020 3317 2730 Email: information.governance@candi.nhs.uk Medical Director and Caldicott Guardian Medical Director Camden & Islington NHS Foundation Trust 4th Floor East Wing St Pancras Hospital 4 St Pancras Way London NW1 0PE Tel: 020 7530 3076 Email: sylvia.tang@candi.nhs.uk

20

Appendix 5 – Data Protection Registration Form

DPA FORM - Registration of computer & paper record systems holding personal information

Directorate

Department/section

1. Name of application/System

2. Type Electronic Manual If electronic - software used

3. Location of application/System

4. Date of first record

6. Retention period

Actual Estimated

7. SOURCE OF DATA

Service user health records / PAS Staff record / MAPS

Directly from service users Directly from staff

Other – please state: ________________________________________________________________

8. TYPE OF DATA

GENERAL PERSONAL DATA:

Personal details

Family, lifestyle and social circumstances

Education and training details

Employment details

Financial details

Goods or services provided

Other – please state: __________________

______________________________________

SENSITIVE PERSONAL DATA:

Racial or ethnic origin

Political opinions

Religious or other beliefs of a similar nature

Trade Union membership

Physical or mental health or condition

Sexual life

Offences (inc. alleged offences)

Criminal proceedings, outcomes and sentences

9. PURPOSE OF DATA COLLECTION

Staff administration

Public relations

Financial accounts & records

Audit purposes

Grant and loan administration

Crime prevention/prosecution of offenders

Education

Other – please state:___________________

_______________________________________

Fundraising

Health administration/service user treatment

Information and databank administration

Pastoral care

Pensions administration

Property management

Public Health

Research – please use form DPA(R) instead

10. Where/with whom is the data disclosed? 11. How is the data shared?

12. Frequency of disclosure

To staff/Departments within BLT (Please provide details) E-mail

Fax

Post

21

To other individuals/ organisations

(Please provide details, full names and addresses required)

E-mail

Fax

Post

Name of responsible person

Job title Date

Email address Tel. Number

22

Appendix 6 –– Guidance Note concerning Data Protection

Complaints

All complaints must be referred immediately to the Information Governance Manager (IG Manager). Complaints will be logged on the Module and an acknowledgement will be sent to the requestor within five working days. The IG Manager will then decide whether or not the complaint should be investigated. Data Protection Complaints should be done as soon as possible but no later than 40 days. Based on the evidence given and the IG Manager believes the investigation should be dealt with, he/she will then look into the complaint and then meet with the relevant member(s) of staff(s). Once the IG Manager has taken the statement, he will then write a report, based on the evidence given and will make a report to the complainant. The complainant will be informed of their rights to complaint directly to the Information Commissioner’s Office (ICO) if the complainant is not satisfied with the response given. The IG Manager must give the complainant the full contacts of the ICO. For further details concerning Data Protection Complaints you can contact the Information Governance Manager on 020 3317 3115. information.governance@candi.nhs.uk If you wish to do this in writing you should contact at the following address: The Information Governance Manager Camden & Islington NHS Foundation Trust 1st Floor, East Wing St Pancras Hospital North Wing St Pancras Way London NW1 0PE 29th July 2014.