Understanding Confidentiality and Security

Transcript of Understanding Confidentiality and Security (55 slides)

Page 1: Understanding Confidentiality and Security

Page 2: Objectives

To foster an awareness of the importance of Confidentiality and Security

To understand the main threats and countermeasures

To raise awareness of the relevant legislation, in particular the Data Protection Act 1998

To be able to secure automated and manual data

Page 3: Content

Introduction

Some recent surveys

What can go wrong?

Legal frameworks

Practical guidance

Case Study

Summary and Conclusion

Page 4: Recent surveys on attitudes to Confidentiality and Security

Page 5: Patient/Client Attitudes to Confidentiality

Survey by the NHS and Consumer Association in 2002, findings:

General happiness to share information, with doctors being trusted most

25% wished to exclude sensitive information from routine sharing

Over 33% wanted to be consulted every time their details were shared

Under 50% felt reassured that confidentiality would be protected by NHS policies

Nearly 25% didn’t know what the NHS did with patient information

Non-English speakers were happiest to share their total record

Page 6: Who cares about data protection?

Information Commissioner survey 2003 identified 5 groups:

The concerned (40%): very worried

The proactive (13%): not worried

The self-reliant (10%): unconcerned

The social observers (17%): extremely worried

The naïve (19%): unconcerned

Page 7: BMA Survey: June 2005

75% of patients would not mind their health information being held on a central database

75% had concerns about the security of information

81% were worried about accessibility by people other than the healthcare professionals providing their care

93% said the public should be fully consulted about the proposals before they are finalised

Page 8: Information Commissioner survey November 2005

4 out of 5 concerned about their health and safety if data falls into the wrong hands

52% concerned personal details may be passed to others

80% expressed concerns about the use, transfer and security of personal information

50% thought that bodies collecting personal information handled the data fairly or properly

The IC stated that “No doubt they are increasingly aware of the dangers of identity theft and the serious consequences if their health, financial and other personal records fall into the wrong hands or are otherwise misused.”

Page 9: News items on Confidentiality and Security

Page 12: What do we mean by Data Protection?

Covers:

Confidentiality

Integrity

Availability

Covers the use and management of data through organised systems of all forms, whether based on human endeavours, paper methods or information technology.

Page 13: What do we hold?

Information about you

Information about patients/clients

Information about the Trust

Page 14: Reflective Exercise 1

What do we use personal information for?

Page 15: What do we use personal information for?

Personal care and treatment

Assuring and improving the quality of care and treatment (e.g., through clinical audit)

Monitoring and protecting public health

Coordinating HPSS care with that of other agencies (e.g., voluntary and independent services)

Effective health and social care administration

Teaching/research

Statistical analysis

Page 16: What can go wrong?

Page 17: What can go wrong?

Incorrect input

Theft

Wilful damage

Unauthorised access: external, internal

Software virus

Cyber crime

Page 19: Security Breaches: examples

A set of patients' medical records left in a skip by a retiring doctor (real example!)

A security guard reading personal data left on an employee’s desk overnight.

A copy of a child at risk register found on a second hand computer (real example)

An employee using the PC of another employee (who logged in and left the PC unattended) to process data without authorisation

A patient at a GP surgery viewing the personal data of a previous patient on a PC screen.

Page 20: Security Breaches: examples (2)

A patient in a waiting room at a doctor’s surgery overhearing information about another patient’s ailments.

An employee using data to which they have authorised access for unauthorised purposes, e.g. a police officer using the Police National Computer to check out a daughter’s boyfriend. (real example)

A passenger on a train was sitting next to someone who was reading a solicitor’s brief about a person who had been charged with murder; he happened to be a relative of the passenger.

Page 21: The Impact of the Threats

Personal privacy

Personal health and safety

Financial

Commercial confidentiality

Legal damages and penalties

Disruption

Political embarrassment

Page 22: Ethical Considerations

Promote patient/client well-being

Avoid detrimental acts/omissions

Open and co-operative manner

Recognise patient/client dignity

No abuse of position

Protect confidential information

Page 23: Legal Frameworks

Page 24: The Computer Misuse Act 1990

Introduced three offences:

Unauthorised access to computers

Unauthorised access with intent

Unauthorised modification

Page 25: Case Study: Computer Misuse Act

A man was convicted in London (6/10/05) of hacking into a charity website, set up after the Indian Ocean tsunami disaster, in breach of the Computer Misuse Act. A computer consultant, he was given a £400 fine and ordered to pay £600 in costs. He fell foul of section one of the Computer Misuse Act, the UK’s main cybercrime legislation, on New Year’s Eve the previous year.

He clicked on a banner ad to donate £30 to the Disaster Emergency Committee (DEC) appeal. However, when he did not get a confirmation or thank you in response to his donation, he feared that he had fallen for a phishing site, and decided to test the site to make sure. Unfortunately, in doing so he set off the DEC protection systems, and the police were called in.

The judge found the accused guilty with “some considerable regret”, but the wording of the Act made it clear that the security consultant was guilty. "Unauthorised access, however praiseworthy the motives, is an offence," said the judge.

Page 26: Data Protection Act 1998: Main Provisions

Covers all HPSS records including electronic records

Defines ‘processing’ as obtaining, holding and disclosing data

Permits subject access to all records

Imposes considerable penalties

Page 27: Data Protection ’98: The Principles

1. Personal data shall be processed fairly and lawfully

2. Personal data shall be obtained only for one or more specified and lawful purpose

3. Personal data shall be adequate, necessary and not excessive in relation to the purpose for which it was provided

Page 29: Data Protection ’98: The Principles continued...

4. Personal data shall be accurate and up to date

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for those purposes

6. Personal data shall be processed in accordance with the rights of the subject under the Act

Page 30: Data Protection ’98: The Principles continued...

7. Technical & organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or damage to personal data

8. Personal data shall not be transferred to a country outside the European Economic Area.

Page 31: Case Study 1: Data Protection

An employee of the Child Support Agency, having read what he believed to be an inaccurate press article derogatory of the CSA and concerning a CSA client known to him, decided to set the record straight by faxing the true story to the newspaper concerned. Whilst the fax was sent anonymously, an investigation identified him as the author. He was dismissed from his employment and convicted of unlawful disclosure of personal data.

Page 32: Case Study 2: Data Protection

The complainant, who was employed by a hospital, was summoned to the office of his Personnel Manager to discuss his sickness record. The Personnel Manager had accessed the hospital’s clinical computer information system in order to challenge certain aspects of the employee’s account of events. As a result of this complaint the hospital revised its security arrangements, and the Personnel Manager faced disciplinary action for the inappropriate use of confidential clinical information for non-medical purposes.

Page 33: Case Study 3: Data Protection

The complainant visited his local hospital for a course of physiotherapy. Some months after the therapy was complete, the complainant received a letter from the physiotherapist, who had since set up her own business. The physiotherapist had used the complainant’s information that had originally been given in confidence to the hospital for the earlier treatment.

Page 34: Personal Data

Data which relates to a living individual who can be identified from those data and is:

processed automatically, or intended to be processed automatically; or

recorded as part of a relevant filing system; or

part of an accessible record.

Page 35: Scope of Data Protection Legislation

Automated Data

Relevant filing systems (Manual data)

Accessible Records

Page 36: Automated Data

On computer

Document image processing

Audio/Video

Digitized images

CCTV images

Page 37: Relevant Filing System

Non-automated systems structured by reference to individuals

Standard manual files

Impact of the Durant case

Organised to allow ready access to specific information about individuals

Page 38: Accessible Records

Covers all Health and Social Care records

Structured to allow access to individuals

Page 39: Storage

Diaries

Computers

Message books

Appointments register

Disks

Address books

Complaints register

Page 40: Legitimacy of Processing (1998)

Principle 1: “Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is met”

Page 41: Schedule 2 conditions (1998)

1. Data subject has given consent

2. Performance of a contract

3. Compliance with a legal obligation

4. Protection of the subject’s vital interests

5. Crown/public functions

6. Legitimate interests of the controller or a third party

Page 42: Sensitive Data

Racial or ethnic origin

Political opinion

Religious beliefs (or similar beliefs)

Membership of a trade union

Physical or mental health or condition

Sexual life

Any offence or alleged offence

Any proceedings or sentence

Page 43: Sensitive Data - Schedule 3

1. Data subject has given explicit consent

2. Performance of a legal duty in relation to employment

3. Protection of the subject’s or a third party’s vital interests

4. Legitimate activities of some non-profit organisations

5. The information has been made public deliberately by the data subject

6. In connection with legal proceedings

7. Administration of justice, statutory obligations or crown/public functions

8. Medical purposes

9. For equal opportunities monitoring

10. By order of the Secretary of State

Page 44: Subject Access Requests

Right of access to personal data in computer or manual form

Entitled to:

Be informed whether personal data is processed

A description of the data held, the purposes for which it is processed and to whom the data may be disclosed

A copy of the data

Information as to the source of the data

There are limited exemptions

Page 45: Subject Access Requests cont’d

Responding:

The request should be in writing to the Data Protection Coordinator

Data should never be read over the phone, faxed or emailed to the data subject

The data must be given within 40 days

Page 46: Practical Guidance

Page 47: Securing automated data

Key areas:

Faxing: Avoid the use of fax for sending personal data; if there is no alternative, use secure protocols

Passwords: Good password management will help protect personal data and staff

Page 48: Securing automated data (2)

Email: Personal data should not be transmitted by email

Data can be accessed by data subjects

Email can be insecure

A survey of 800 UK companies revealed that 22% of directors had reprimanded staff for gossiping using email, and 85% considered email to be facilitating scandalous material around the office

Portables/laptops: Do not leave unattended; when leaving, ensure that the device is locked away; be aware of others being able to see your computer screen

PDAs and memory sticks must not contain personal information

Page 49: Securing manual data

Do not allow sensitive conversations to be overheard

Guard against people seeking information by deception

Message books: Accessible to staff only; sensitive data should not be recorded in message books

Lock filing cabinets

Page 50: Securing manual data (2)

Diaries: Patient/client data which is held in diaries should be given the same security as any other record

Telephone conversations: Staff should be careful about those within earshot when discussing sensitive information; check the authenticity of any caller before divulging any information

Page 51: Securing manual data (3)

Minutes of meetings: Minutes which render the subject identifiable should be marked confidential, stored in a secure area and available only to the personnel concerned.

Staff supervision records/staff appraisal

Sick leave records: Such information is classified as sensitive data. Care should be taken when transferring information from medical certificates to the notification form, i.e. abbreviations can lead to misinterpretation

Page 52: Case Study

Questions to consider:

Type of data held on clients/patients

Who holds it?

Who shares it?

Who else has access to the data?

What security surrounds it?

Any data held on others in the case study?

Is the data accurate and up-to-date?

Page 53: Summary of key points

Duty to PROTECT information

Duty to OBTAIN information fairly

Duty to ensure information is SECURE

Duty to JUSTIFY use and storage of personal data

DON’T PASS ON information unless you are sure

Remember Subject Access

Page 54: BE CAREFUL WHEN YOU’RE ASKED FOR PERSONAL DETAILS

YOU NEVER KNOW WHERE THEY’LL END UP

EVERY TIME YOU’RE ASKED FOR PERSONAL INFORMATION, THINK BEFORE YOU GIVE IT AWAY

Page 55: Thank you for attending