
The name of the institution and the name of the person concerned have been replaced with fictitious ones.

Sending Patient Identifiable Information out of the UK

Type: Policy
Register No: 10055
Status: Public

Developed in response to: Information Toolkit 8-209; DPA Principle 8
Contributes to CQC Outcome 21

Consulted With | Post/Committee/Group | Date
Martin Callingham | Chief Information Officer | 17 Mar 2017
Kate Thompson | Head of IT Projects | 17 Mar 2017

Professionally Approved By: James Day, Trust Secretary, 17 Mar 2017

Version Number: 2.0
Issuing Directorate: Integrated System
Ratified by: Document Ratification Group
Ratified on: 26th March 2017
Trust Executive Sign Off Date: April 2017
Implementation Date: 30th April 2017
Next Review Date: March 2018
Author/Contact for Information: Smith SMITH, Information Manager
Policy to be followed by (target staff): All Staff
Distribution Method: Intranet and Website
Related Trust Policies (to be read in conjunction with): Confidentiality Policy; Access to Records Policy; Encryption Policy

Document Review History

Version No | Authored/Reviewed by | Active Date
1.0 |  | 1st October 2010
1.1 updated 4.4 | Smith SMITH | 25th February 2017
2.0 | Smith SMITH, Information Manager | 30 March 2017

Contents

1. Purpose
2. Scope
3. Country Status
4. Sending Sensitive Information to non-approved Countries
5. Responsibilities of Staff and the Trust concerning Person Identifiable Data leaving the UK
6. Consent
7. Substantial Public Interest
8. Vital Interests
9. Public Registers
10. Legal Claims
11. Staff Information on Trust Website
12. Cloud Storage Solutions
13. More Information & Advice
14. Communicating this policy
15. Equality & Diversity
16. Monitoring & Audit
17. References
Appendix 1 – Rules to Follow chart

1. Purpose

1.1 The 8th Principle of the Data Protection Act (DPA) states that:

“Personal data shall not be transferred to a country or territory outside the European
Economic Area unless that country or territory ensures an adequate level of protection
for the rights and freedoms of data subjects in relation to the processing of personal
data”

1.2 It is subject to at least one of these criteria:

• The individual giving consent (see section 5)
• Being necessary for the performance of a contract
• Being necessary for the conclusion of a contract
• Necessary for reasons of substantial public interest (see Section 6)
• Is necessary in order to protect the vital interests of the Data subject (see section 7)
• Is part of the personal data on a public register (see Section 8)
• The transfer is made on terms which are approved by the Commissioner, or
• The transfer has been authorised by the Commissioner as being made in such a
manner as to ensure adequate safeguards for the rights and freedoms of the data
subject.

1.3 This policy sets out the rules to be followed by all trust staff when sending patient
identifiable information out of the UK.

1.4 A simple “Rules to Follow” chart is attached as Appendix 1.

2. Scope

2.1 This policy covers any and all requests for sensitive information to be sent overseas
and refers to both manual and electronic information. Whilst this particular DPA
principle is more usually associated with international business, it applies to the NHS
in the following potential situations but this list is not exhaustive:

• outsourcing work abroad e.g. medical secretarial work
• international clinical research
• transfer of medical records to ex-pats or to foreign nationals who have returned home
and need the details of their care whilst attending this Trust
• overseas data storage
• international emails concerning individual patients sent between clinicians
• patient identifiable information taken abroad to medical conferences that is not held
on an encrypted device

2.2 This policy covers sensitive data that is held on paper or on Trust laptops or other
removable media and is taken abroad for work purposes by a member of staff.

2.3 This policy excludes sensitive information being taken to another country by a
member of staff whilst on holiday as this is not permitted by the Trust even if the
information is recorded on an encrypted device. (See Encryption Policy)

2.4 This policy includes the use of cloud storage solutions hosted outside Europe.

2.4 This policy excludes information that is appropriately anonymised or pseudonymised.

3. Countries with Adequate Protection

3.1 The European Commission has decided on the adequacy of protection of personal
data. The effect of such a decision is that personal data can flow from the 28 EU
countries and three EEA member countries (Norway, Liechtenstein and Iceland) to
that third country without any further safeguard being necessary.

3.2 The Commission has so far recognized Andorra, Argentina, Canada (commercial
organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand,
Switzerland, Uruguay and the US Department of Commerce's Safe Harbour Privacy
Principles as providing adequate protection.

3.3 United States of America

3.3.1 The European Commission considers that personal data sent to the US under the
“Safe Harbor” scheme is adequately protected. When a US company, University,
Hospital, signs up to the Safe Harbor arrangement, they agree to:

• follow seven principles of information handling; and
• be held responsible for keeping to those principles by the Federal Trade Commission
or other oversight schemes.

3.3.2 It is the responsibility of the staff member sending the data to identify that the recipient
is a member of the Safe Harbor scheme.

3.3.3 This does mean that the US is “Non-Approved” if the recipient of the communication is
not a member of the Safe Harbour scheme.

4. Sending Sensitive Information to Non-Approved Countries

4.1 Whilst it is still possible to send information to non-approved countries, the
responsibility for assessing the adequacy of the protection of the information lies with
the member of staff who makes the decision to send it, who will be personally
responsible in the event of any data loss. This does not apply to the sending of
duplicate medical records following a request from the patient as long as informed
consent has been obtained or Vital Interests (see para 7) apply.

4.2 For UK personal data, the Act sets out the factors to be taken into account to make
this decision. These relate to:

• the nature of the personal data being transferred;
• how the data will be used and for how long; and
• the laws and practices of the country the data is being transferred to.

Here is an example:

A consultant travels outside the EEA with a laptop containing personal identifiable data. The
Trust, their employer in the UK, is still the data controller. As long as the information stays
with the employee on the laptop, and the employer has an effective procedure to deal with
security (e.g. encryption) and the other risks of using laptops (including the extra risks of
international travel), it is reasonable to decide that adequate protection exists.

4.3 A risk assessment will be required to decide whether there is enough protection for
individuals, in all the circumstances of the transfer. This is known as an assessment
of adequacy. To assess adequacy the following should be considered:

• the extent to which the country has adopted data protection standards in its law;
• whether there is a way to make sure the standards are achieved in practice; and
• whether there is an effective procedure for individuals to enforce their rights or get
compensation if things go wrong.

There is no specific form to be completed; a statement by email by the individual
proposing to send the data will be adequate. The statement should indicate the
individual has “considered the requirements and implications of Section 4 of this
policy and considers that the proposed transfer is likely to be quite safe”.

4.4 The level of protection is unlikely to be adequate if the transfer is to a processor in a
country classified as unstable. There are a number of authorities who have
listed unstable countries but they tend to identify similar countries in their top
listings. The Trust currently has a twinning relationship with a hospital in Zambia
which is currently recorded as no. 45 in the rankings according to The Failed States
Index 2010. Therefore staff will have to have either patient consent or be able to
demonstrate that “vital interests” apply. The most unstable countries are listed 1-20.
http://ffp.statesindex.org/rankings-2013-sortable

5. Responsibilities of Staff and the Trust concerning Person Identifiable Data leaving the UK

5.1 In order to meet the requirements of the DPA and of the Information Governance
Toolkit Criteria 8-209, the following must take place:

Task: The Trust must assign responsibility for reviewing information flows to identify overseas transfers.
Responsibility of: Assigned to Information Governance Manager (IGM)

Task: All identified transfers of personal data to a country outside the United Kingdom must be documented and reviewed for compliance with the Data Protection Act and Department of Health guidelines.
Responsibility of: Staff planning to send personal data, electronic or manual. Must be put in writing to the IGM prior to transfer.

Task: Ensure that the Trust remains up to date and always checks for the current safety state of the proposed country of receipt.
Responsibility of: Assigned to Information Governance Manager (IGM)

Task: Where the review of overseas transfers reveals that appropriate contracts are not already in place for existing transfers, new contractual terms that appropriately cover data protection and place restrictions on further use must be negotiated with recipient organisations.
Responsibility of: Sign off by Trust SIRO or Information Governance Group

Task: Transfers of personal data to non-UK countries are regularly reviewed to ensure continuing compliance.
Responsibility of: Assigned to Information Governance Manager (IGM)

6. Consent

6.1 The consent issue applies to all personal data that goes abroad to any country
including the EEA. Consent is not required as long as the data is anonymised or
pseudonymised.

6.2 Extreme care must be exercised when collating articles for international publications.
If patients have rare conditions, the more detail about them that is published, the more
identifiable they become even without a name being published.

6.3 One of the conditions for processing is that the individual has consented to their
personal data being collected and used in the manner and for the purposes in
question. This is going to be extremely relevant in the case of research data that
includes person identifiable information, emails between clinicians, and the transfer of
medical records. When considering whether consent could be inferred, the question
that must be asked is “could the patient/s reasonably expect that this transfer will be
taking place?” If not, then formal consent will be required.

6.4 It will be necessary to examine the circumstances of each case to decide whether
consent has been given. In some cases this will be obvious, but in others the
particular circumstances will need to be examined closely to decide whether they
amount to an adequate consent. Consent is not defined in the Data Protection Act.
However, the European Data Protection Directive (to which the Act gives effect)
defines an individual’s consent as:

“…any freely given specific and informed indication of his wishes by which the data
subject signifies his agreement to personal data relating to him being processed”.

6.5 The fact that an individual must “signify” their agreement means that there must be
some active communication between the parties. An individual may “signify”
agreement other than in writing, but the Trust must not infer consent if an individual
does not respond to a communication – for example, from a patient’s failure to return
a form or respond to a leaflet.

Here is an example of inappropriate reliance on “consent”:

A patient who is resident in the Caribbean requests a copy of their medical record and a
CD-ROM of their radiology images. It could be inferred that by making the request, they have
consented. However, unless they are made aware that the trust is unable to guarantee the
security of either the manual or electronic information, the consent is not “informed”.

6.6 Consent must also be appropriate to the age and capacity of the individual and to the
particular circumstances of the case. For example, if the Trust intends to continue to
hold or use personal data after the relationship with the patient ends, i.e. after
discharge of the patient, then the consent should cover this. Even when consent has
been given, it will not necessarily last forever. Although in most cases consent will last
for as long as the processing to which it relates continues, it must be recognised that
the individual may be able to withdraw consent, depending on the nature of the
consent given and the circumstances in which you are collecting or using the
information. Withdrawing consent does not affect the validity of anything already done
on the understanding that consent had been given.

6.7 The individual’s consent should be absolutely clear. It should cover the specific
processing details; the type of information (or even the specific information); the
purposes of the processing; and any special aspects that may affect the individual,
such as any disclosures that may be made.

6.8 A particular consent may not be adequate to satisfy the condition for processing
(especially if the individual might have had no real choice about giving it), and even a
valid consent may be withdrawn in some circumstances. For these reasons the trust
should not rely exclusively on consent to legitimise its processing. It is better to
concentrate on making sure that individuals are fairly treated rather than on obtaining
consent in isolation.

7. Substantial Public Interest

7.1 Personal data can be transferred overseas where it is necessary for reasons of
substantial public interest. This is a high threshold to meet and it is most likely to be
relevant in areas such as preventing and detecting crime; national security; and
collecting tax. The public interest must be that of the UK and not the third country to
which the personal data is transferred.

8. Vital interests

8.1 Personal data can be transferred overseas without consent where it is necessary to
protect the vital interests of the individual. This relates to matters of life and
death. An example would be:

The Trust could transfer relevant medical records from the UK to another country where an individual
had had a heart attack and their medical history was necessary to decide appropriate treatment.

9. Public registers

9.1 Data can be transferred overseas as part of the personal data on a public register, as
long as the person you transfer to complies with any restrictions on access to or use
of the information in the register. An example would be:

The General Medical Council (GMC) can transfer extracts from its register of medical practitioners to
respond to enquiries from outside the UK, but it is not allowed to transfer the complete register under
this exemption. If the GMC puts conditions on inspecting the register in the UK, the person the extract
is transferred to, and anyone they then pass it on to, must comply with these restrictions.

10. Legal claims

10.1 Personal data can be transferred overseas where it is necessary:

• in connection with any legal proceedings (including future proceedings not yet
underway);
• to get legal advice; or
• to establish, exercise or defend legal rights.

11. Staff Information on Trust Website

11.1 Trust staff must be careful when putting extensive staff details on the website, such as
a biography. It is vital that any staff whose details are published have consented to
the publication because of the possibility of a data transfer taking place if the
information is downloaded in a Non-Approved country.

11.2 This would not apply to just name, job title and extension number – this much
information is routine business.

12. Cloud Storage

The Trust will not permit the storage of any person identifiable data in a cloud storage
solution hosted outside of the EU or a US destination that is a member of the Safe
Harbor Scheme. To do so would be a breach of Data Protection Principle 8.

13. More Information and Advice

13.1 If after considering this policy, staff are still not sure about what to do, it is imperative that
they contact the Information AAAAA Manager prior to any data transfer or
data removal.

14. Communicating the Policy

14.1 This policy will be loaded on the intranet and on the trust website and listed in Focus
magazine.

15. Equality & Diversity

MMMMMMMMMM Hospital is committed to the provision of a
service that is fair, accessible and meets the needs of all individuals.

16. Monitoring & Audit

16.1 Any breach of this policy will be reported on a risk event form and notified to the Trust
SIRO and Caldicott Guardian. Consideration will be given as to whether it
constitutes a Serious Incident. Any breach of this kind will be reported to the
Information Group.

16.2 The IGG will consider each such event on an individual basis to identify the root
cause and to take appropriate steps.

17. References
Data Protection Act 1998
Ministry of Justice Website

Appendix 1
Rules to Follow Chart

Each entry below gives the Proposed Transfer, the Restriction and the Further Rules.

Proposed Transfer: Transfers that only include anonymised or pseudonymised personal information
Restriction: No restriction to any country
Further Rules: None

Proposed Transfer: Transfers of patient identifiable information by email to countries listed in 3.1 & 3.2
Restriction: The transfer can take place subject to the consent of the patients named – Secondary Uses of Data also apply
Further Rules: Information must be in an attachment which is encrypted. Contact the Information Security Manager for assistance

Proposed Transfer: Transfers of patient identifiable information by post to countries listed in 3.1 & 3.2
Restriction: The transfer can take place subject to the consent of the patients named – Secondary Uses of Data also apply
Further Rules: The package must be marked for the attention of the addressee only and be marked “confidential” with the name of the sender on the back with a return address

Proposed Transfer: Transfers of patient identifiable information to the USA by email
Restriction: Not permitted unless:
• the purpose constitutes “life or death” or
• the recipient is a member of the Safe Harbor Scheme and it is the sender's responsibility to identify this or
• the patient has given informed consent to the transfer or
• the data is encrypted
Further Rules: Contact the Information Security Manager for assistance with encryption

Proposed Transfer: Transfers of patient identifiable information to the USA by post/fax
Restriction: Not permitted unless:
• the purpose is in the “vital interests” of the patient concerned
• the patient has given informed consent to the transfer
• one of the exclusions set out in paras 6 – 9 apply
Further Rules: “Vital Interests” must not be loosely interpreted. Also it is likely that the purposes of the communication may not require patient identifiable information to be revealed and could be anonymised

Proposed Transfer: Transfers of patient identifiable information to Non Approved Countries listed
Restriction: Not permitted at all except:
• with the patient's informed consent or
• one of the exclusions set out in paras 6 – 9 apply
Further Rules: With the exception of Access to Records requests, permission must be sought from the Trust SIRO for each planned transfer in this category; however, in the event that the information is anonymised, this authorisation will not be required.
