
Data Protection and Confidentiality Policy

Working together
for outstanding care
Guideline / Policy on a Page – Summary of Key Points

• This Policy provides guidance on how the Trust and its staff can meet the legal obligations
and best practice requirements concerning data protection and confidentiality.

• The General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA18) and
the Common Law Duty of Confidentiality set the legal framework by which the Trust can
process personal information.

• All staff must also comply with best practice for information handling within the NHS as
described in the Caldicott Principles, the NHS Code of Confidentiality, the Health and Social
Care Act 2012, the Data Security and Protection Toolkit and any appropriate professional
codes of conduct.

• It is strictly forbidden for employees to knowingly browse, search for or look at any
information relating to themselves, their own family, friends or other persons, without a
legitimate Trust business related purpose.

• Action of this kind will be viewed as a serious breach of confidentiality and the matter will
be dealt with under the Trust’s Disciplinary Policy.

Data Protection and Confidentiality Policy v1.0 Page 2 of 23

Working together for outstanding care


Data Protection and Confidentiality Policy

Document Type Corporate Policy

Unique Identifier IG-002

Document Purpose To detail how the Trust will meet its legal obligations and best
practice requirements concerning data protection and
confidentiality
Document Author Rob Neill, Head of Information Governance

Target Audience All Worcestershire Health and Care NHS Trust staff

Responsible Group Worcestershire Health and Care NHS Trust Quality and Safety
Committee

Date Ratified 30 January 2019

Expiry Date 30 January 2022

The validity of this policy is only assured when viewed via the Worcestershire Health and
Care NHS Trust website (hacw.nhs.uk). If this document is printed into hard copy or
saved to another location, its validity must be checked against the unique identifier number
on the internet version. The internet version is the definitive version.
If you would like this document in other languages or formats (e.g. large print), please
contact the Communications Team on 01905 681770 or by email to
WHCNHS.Communications@nhs.net



Version History

Version | Circulation Date | Job Title of Person/Name of Group circulated to | Brief Summary of Change
1.0 | 30/11/2018 | Information Governance Steering Group | Merge existing Data Protection and Confidentiality Policies. Update for changes in data protection legislation and Caldicott Reviews
1.0 | 21/12/2018 | Senior Management Team, JNCC and Counter Fraud | No changes
1.0 | 30/01/2019 | Quality and Safety Committee |



Accessibility
Interpreting and Translation services are provided for Worcestershire Health and Care
NHS Trust including:
• Face to face interpreting;
• Instant telephone interpreting;
• Document translation; and
• British Sign Language interpreting.
Please refer to the intranet page:
http://nww.hacw.nhs.uk/a-z/services/interpreting-and-translation-services/
for full details of the service, how to book and associated costs.

Training and Development


Worcestershire Health and Care NHS Trust recognises the importance of ensuring that its
workforce has every opportunity to access relevant training. The Trust is committed to the
provision of training and development opportunities that are in support of service needs
and meet responsibilities for the provision of mandatory and statutory training.
All staff employed by the Trust are required to attend the mandatory and statutory
training that is relevant to their role and to ensure they meet their own continuous
professional development.

Co-production of Health and Care – Statement of Intent


The Trust expects that all healthcare professionals will provide clinical care in line with
best practice. In offering and delivering that care, healthcare professionals are expected
to respect the individual needs, views and wishes of the patients they care for, and
recognise and work with the essential knowledge that patients bring. It is expected that
they will work in partnership with patients, agreeing a plan of care that utilises the abilities
and resources of patients and that builds upon these strengths. It is important that patients
are offered information on the treatment options being proposed in a way that suits their
individual needs, and that the health care professional acts as a facilitator to empower
patients to make decisions and choices that are right for themselves. It is also important
that the healthcare professional recognises and utilises the resources available through
colleagues and other organisations that can support patient health.



Contents:

1. Introduction .............................................................................................................................. 7
2. Purpose of document ............................................................................................................... 7
3. Definitions ................................................................................................................................ 7
4. Scope ...................................................................................................................................... 9
5. Training/Competencies ............................................................................................................ 9
6. Responsibilities and duties....................................................................................................... 9
7. Main Policy ............................................................................................................................ 10
7.1 The General Data Protection Regulation and Data Protection Act 2018 ......................... 11
7.2 Types of information ....................................................................................................... 11
7.3 GDPR Principle 1............................................................................................................ 12
7.4 GDPR Principle 2............................................................................................................ 14
7.5 GDPR Principle 3............................................................................................................ 14
7.6 GDPR Principle 4............................................................................................................ 15
7.7 GDPR Principle 5............................................................................................................ 15
7.8 GDPR Principle 6............................................................................................................ 15
7.9 The Rights of the Data Subject ....................................................................................... 16
7.10 Requests for information from the Police ........................................................................ 17
7.11 Data Protection by Design and Default ........................................................................... 18
7.12 Employment clauses ....................................................................................................... 18
7.13 Contracts ........................................................................................................................ 18
7.14 Personal Data Breaches ................................................................................................. 18
7.15 Complaints...................................................................................................................... 18
7.16 International transfers ..................................................................................................... 19
7.17 Caldicott.......................................................................................................................... 19
7.18 Sharing Personal Information for Direct Care .................................................................. 19
7.19 Disposal of Personal Information .................................................................................... 20
7.20 Abuse of Privilege ........................................................................................................... 20
8. Monitoring implementation ..................................................................................................... 20
9. Associated documentation ..................................................................................................... 20
10. Equality Analysis ................................................................................................................ 22



1. Introduction
The Trust cannot operate effectively if the patients we need to treat do not trust us to provide
confidential and effective care. Part of this trust is being able to provide confidential information to
clinicians and other staff and be confident that it will remain confidential and only be shared when
necessary.
The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA18) set
the legal framework by which the Trust can process personal information. This framework applies
to information that might identify any living person and includes information relating to patients,
staff and third parties. The Common Law Duty of Confidentiality governs information given in
confidence to another person (about a person alive or deceased) with the expectation it will be
kept confidential, e.g. a patient to a healthcare professional. The Human Rights Act 1998 Article 8
provides a person with the right to respect for private and family life. The key rights provided by
this legal framework are also set out in the NHS Constitution.
That said, there are exceptions where it is sufficiently in the public interest to warrant a breach of
the general principles and make a disclosure of personal information, for example in relation to a
serious crime or in instances to prevent serious harm or abuse.
It should be noted that staff will also come into contact with non-person confidential information
which should also be treated with the same degree of care, for example, business in confidence
information.
The mechanism by which the Trust demonstrates its compliance concerning data protection and
confidentiality requirements is by an annual mandatory submission of the NHS Digital Data
Security and Protection Toolkit.

2. Purpose of document
This Policy provides guidance on how the Trust and its staff can meet the legal obligations and
best practice requirements concerning data protection and confidentiality.

3. Definitions
Data Concerning Health - personal data related to the physical or mental health of a natural
person, including the provision of health care services, which reveal information about his or her
health status.
Data Controller - the natural or legal person, public authority, agency or other body which, alone or
jointly with others, determines the purposes and means of the processing of personal data. The
Trust is a Data Controller.
Data Flow - a continuing or repeated flow of information which takes place between individuals or
organisations and includes personal data.
Data Processing - any operation or set of operations which is performed on personal data or on
sets of personal data, whether or not by automated means, such as collection, recording,
organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure
by transmission, dissemination or otherwise making available, alignment or combination,
restriction, erasure or destruction.
Data Processor - a natural or legal person, public authority, agency or other body which processes
personal data on behalf of the Data Controller. The Trust can act as a Data Processor.



Data Protection Officer – a person who ensures, in an independent manner, that an organisation
applies the laws protecting individuals’ personal data. The designation, position and tasks of a
Data Protection Officer within an organisation are described in Articles 37[1], 38[2] and 39[3] of the
General Data Protection Regulation.
Data Security and Protection Toolkit - an online self-assessment tool provided by NHS Digital that
allows organisations to measure their performance against the National Data Guardian’s 10 data
security standards. All organisations that have access to NHS patient data and systems must use
this Toolkit to provide assurance that they are practising good data security and that personal
information is handled correctly.
Data Subject – an identifiable natural person, a person who can be identified, directly or indirectly,
in particular by reference to an identifier such as a name, an identification number, location data,
an online identifier or to one or more factors specific to the physical, physiological, genetic, mental,
economic, cultural or social identity of that natural person.
Direct Care - the provision of clinical services to a patient that require some degree of interaction
between the patient and the healthcare professional. Examples include assessment, performing
procedures and implementation of a care plan.
Duty of Confidence - a duty of confidence arises when one person discloses information to another
in circumstances where it is reasonable to expect that the information will be held in confidence. It
arises from common law.
Explicit consent - a form of consent normally given orally or in writing and is where a patient makes
a clear and positive indication that they understand the consequences of what they are agreeing to
and are content with these consequences. For data protection purposes, this must clearly set out
how the information is going to be used and how the person can withdraw that consent.
Implied consent - refers to circumstances in which it would be reasonable to infer that the patient
agrees to the use of the information, even though this has not been directly expressed.
Information Governance - a combination of legal requirements, policy and best practice designed
to ensure all aspects of information processing are conducted appropriately, confidentially,
securely and to the highest standards.
Legitimate Relationship - a relationship that exists between a patient and an individual or group of
record users involved in their treatment which provides the justification for those users to access a
patient record.
Non-Care or Secondary Purposes - purposes other than direct care such as healthcare planning,
commissioning, public health, clinical audit and governance, benchmarking, performance
improvement, research and policy development.
Notifiable Data Breach – a breach that would result in a risk to the rights and freedoms of natural
persons.
Personal Data Breach - a breach of security leading to the accidental or unlawful destruction, loss,
alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are
the result of both accidental and deliberate causes.
Personal Information / Data - any information relating to an identified or identifiable Data Subject /
Natural Person.
Processing - the collection, recording or holding of information or data, or carrying out any
operation or set of operations on the information or data, including but not restricted to alteration,
retrieval, disclosure and destruction or disposal of the data.



Special Categories of Personal Data - personal data revealing racial or ethnic origin, political
opinions, religious or philosophical beliefs, or trade union membership, and the processing of
genetic data, biometric data for the purpose of uniquely identifying a natural person, data
concerning health or data concerning a natural person’s sex life or sexual orientation.
Third Party(ies) or Contractor(s) - applies to any person(s) undertaking work for or on behalf of the
Trust such as bank or agency staff, staff from other NHS or Social care organisations, volunteers,
locums, student placements, maintenance craftsmen, IT engineers and ancillary staff.

4. Scope
This Policy provides guidance to ensure that information processed by staff is handled in a
confidential and secure manner which complies with current legislation and best practice guidance
relating to data protection and confidentiality.
This Policy applies to all areas of the Trust and all staff who handle information. It will be of
particular relevance to staff who handle personal and special categories of personal information
relating to both patients and staff. This Policy also applies to Third Parties and Contractors who
have access to Trust data.
This Policy covers all information processed within the Trust, including but not limited to:
• Patient information
• Staff information
• Organisational information
• Structured record systems – held on paper and electronically
• All methods of sharing of information including – face to face, fax, email, post, telephone,
conference calls, text, uploaded to websites etc.

5. Training/Competencies
All staff are responsible for ensuring they complete annual mandatory Data Security and Protection
Awareness training as this covers relevant data protection and confidentiality requirements. This
training is usually completed online via the Electronic Staff Record (ESR) or in exceptional
circumstances via a classroom based training session.
This requirement also applies to Third Parties and Contractors who may have access to personal
information. Most agencies working with the NHS provide their staff with this training. Where this is
not the case, local arrangements should be made to ensure the employee is adequately trained
before working at the Trust.
Staff in specific roles should undertake training relevant to their role e.g. subject access request
training, archiving training. The Data Security and Protection Awareness Training Programme has
been developed to provide any additional bespoke training that is required.

6. Responsibilities and duties


As Accountable Officer the Chief Executive has ultimate responsibility for ensuring Trust
compliance with the GDPR, the DPA18 and the Common Law Duty of Confidentiality. The Chief
Executive delegates responsibility to relevant executive directors according to their organisation
portfolios.



The Chief Executive has delegated overall responsibility for data protection and confidentiality to
the Company Secretary. The Company Secretary chairs the Information Governance Steering
Group where data protection and confidentiality issues are addressed.
The Director of Finance is the Senior Information Risk Officer (SIRO) and has overall responsibility
for managing information risk within the Trust.
The Medical Director is the Caldicott Guardian and has overall responsibility for protecting the
confidentiality of patient information and enabling appropriate information sharing.
The Head of Information Governance is the Data Protection Officer and Confidentiality Lead. They
are responsible for ensuring that plans, systems, policies and procedures are in place to ensure
compliance with the GDPR, the DPA18 and the Common Law Duty of Confidentiality. They act as
the initial point of contact for any data protection and confidentiality issues which may arise in the
Trust. They are responsible for maintaining the Trust’s Data Protection registration with the
Information Commissioner Office (ICO). The Head of Information Governance is responsible for
the submission of the Trust’s annual mandatory Data Security and Protection Toolkit.
Managers will:
• ensure that staff are aware of this Policy and updates in regard to any changes in the Policy
• ensure that staff have access to all systems and procedures to support this Policy
Staff will:
• adhere to this Policy
• undertake mandatory annual Data Security and Protection Awareness training
• undertake specific training relevant to their role e.g. subject access request training,
archiving training
• ensure that all personal information is processed in accordance with GDPR principles
All staff working in the Trust, including Third Parties and Contractors, are bound by a legal duty of
confidence to protect personal information they may come into contact with during the course of
their work and after they have finished employment or placement with the Trust. This is not just a
requirement of the GDPR, the DPA18 and the Common Law Duty of Confidentiality but also part of
their contractual responsibilities. All staff must also comply with best practice for information
handling within the NHS as described in the Caldicott Principles, the NHS Code of Confidentiality,
the Health and Social Care Act 2012, the NHS Digital Data Security and Protection Toolkit and any
appropriate professional codes of conduct.

7. Main Policy
The principle behind this Policy is that no member of staff shall breach their legal duties or
requirements under best practice guidelines relating to data protection or confidentiality, allow
others to do so, or attempt to breach any of the Trust’s controls or security systems in order to do
so.
This Policy has been produced to protect staff by making them aware of the correct procedures so
that they do not inadvertently breach any of these lawful or best practice requirements.
Any actual or suspected breach of these lawful or best practice requirements must be reported as
an incident in line with the Incident Reporting Policy and investigated to an appropriate level.
All staff, Third Parties and Contractors are responsible for maintaining the confidentiality of
information gained during their employment or placement by the Trust. This duty continues after
conclusion of employment or placement.


7.1 The General Data Protection Regulation and Data Protection Act 2018
From 25 May 2018, the GDPR and the DPA18 set out the legal requirements and duties placed
on all Data Controllers (i.e. the Trust) and Data Processors when processing personal information.
As a Data Controller, and in accordance with the Data Protection (Charges and Information)
Regulations 2018, the Trust is required to register and pay an annual fee to the ICO. The Trust’s
registration number is Z2745227.
Article 5 of the GDPR sets out the 6 data protection principles which must be adhered to when
processing personal information. They are:
1. Processing shall be lawful, fair and transparent
2. The purpose of processing shall be specified, explicit and legitimate
3. Personal data processed shall be adequate, relevant and not excessive
4. Personal data shall be accurate and kept up to date
5. Personal data processed for any purpose or purposes shall not be kept for longer than is
necessary
6. Personal data shall be processed in a secure manner
The Trust shall be responsible for, and be able to demonstrate compliance with, the 6 principles
above (‘accountability’).
Although the DPA18 and GDPR do not apply to deceased persons, the British Medical
Association has issued guidance which states that, where possible, the same level of
confidentiality should be provided to the records and information relating to a deceased person as
to those of a living person. The issues arising from the processing and provision of access to
deceased persons’ records can be complex and where these arise staff should consult the Subject
Access Request Standard Operating Procedure or seek advice from the Trust’s Data Protection
Officer – whcnhs.informationgovernance@nhs.net

7.2 Types of information


Personal Information / Data – this is any information relating to an identified or identifiable Data
Subject / Natural Person. This includes items such as:
• Surname, Forename, Initials, Address, Postcode, Date of Birth, Telephone Number, Other
dates (e.g. death, diagnosis), Occupation, Sex, NHS Number, Local Identifier (e.g. hospital,
GP practice number), National Insurance Number, Ethnic Group
Name and address are very strong identifiers, particularly when both are available, and the
presence of either should be thoroughly justified. The other items of information, in all but the most
exceptional circumstances, are individually not capable of identifying a specific person, but when
combined with other items of information the likelihood may increase significantly. A test of
reasonableness should be imposed when considering whether access to particular items of
information is likely to result in an individual's identity becoming apparent.
Special Categories of Personal Data – this is sensitive personal information and includes items
such as:
• Personal data revealing racial or ethnic origin, Political opinions, Religious or philosophical
beliefs, or Trade Union membership, and the processing of genetic data, biometric data for
the purpose of uniquely identifying a natural person, data concerning health or data
concerning a natural person’s sex life or sexual orientation.



Data Concerning Health – this is special category personal data related to the physical or mental
health of a natural person, including the provision of health care services, which reveal information
about his or her health status.
Confidential information is any information in any form that is generally disclosed from one person
to another (e.g. patient to clinician) in circumstances where it is reasonable to expect that the
information will be held in confidence. It must be treated as such so long as it remains capable of
identifying the individual that it relates to.
Confidential/Sensitive Business Information is information that is not generally known to the public,
where the public would have difficulty in acquiring the information except by unlawful means.
Confidential information can relate to any subject matter whose disclosure may harm the
organisation. Examples include:
• Details of commercial relationships with customers and suppliers
• Information conferring some sort of economic benefit to the organisation
• Certain reports and information concerning the business of the Trust
Information may be held on paper or electronically and includes information held on portable media
and devices such as: DVD, USB memory stick, removable hard drives, laptops, tablets,
smartphones and digital cameras.

7.3 GDPR Principle 1


Fairness and Transparency
The first principle of the GDPR requires that the processing of personal information by the Trust
must be fair, lawful and transparent.
In order to be fair and transparent the Trust must inform data subjects:
• Who we are and what we do
• The purposes for which we use their personal information
• The legal basis that we rely on for processing their personal information
• Who we may share their personal information with
• How long we keep their personal information for
• Their rights with regards to their personal information and how they can exercise those rights
• Who to contact for more information
To fulfil this duty, the Trust produces and distributes fair processing posters and leaflets and has
published a Privacy Notice on its public website.
Lawfulness
To process personal data, one of the lawful bases for processing data set out in Article 6 of the
GDPR must apply.
To process special categories of personal data (includes Data Concerning Health), one of the
bases for processing data set out in Article 9 of the GDPR must also apply.
Establishing a Lawful Basis - Article 6
Article 6 of the GDPR details the lawfulness of the processing of personal information and the
Trust must ensure that it has a lawful basis whenever it processes personal information. The lawful
reasons are as follows:



a) the data subject has given consent to the processing of his or her personal data for one or
more specific purposes
b) processing is necessary for the performance of a contract to which the data subject is party
or in order to take steps at the request of the data subject prior to entering into a contract
c) processing is necessary for compliance with a legal obligation to which the Data Controller is
subject
d) processing is necessary in order to protect the vital interests of the data subject or of
another natural person
e) processing is necessary for the performance of a task carried out in the public interest or in
the exercise of official authority vested in the Data Controller
f) processing is necessary for the purposes of the legitimate interests pursued by the Data
Controller or by a third party, except where such interests are overridden by the interests or
fundamental rights and freedoms of the data subject which require protection of personal
data, in particular where the data subject is a child. Note: - this shall not apply to processing
carried out by public authorities in the performance of their tasks
Special Categories of Personal Data – Article 9
Article 9 of the GDPR lists special categories of personal data and lists the conditions that are
available to enable the lawful processing of this data. Data Concerning Health is a special category
of personal data. The lawful reasons are as follows:
a) the data subject has given explicit consent to the processing of those personal data for one
or more specified purposes
b) processing is necessary for the purposes of carrying out the obligations and exercising
specific rights of the controller or of the data subject in the field of employment and social
security and social protection law
c) processing is necessary to protect the vital interests of the data subject where the data
subject is physically or legally incapable of giving consent
d) processing is carried out in the course of its legitimate activities with appropriate safeguards
by a foundation, association or any other not-for-profit body
e) processing relates to personal data which are manifestly made public by the data subject
f) processing is necessary for the establishment, exercise or defence of legal claims or
whenever courts are acting in their judicial capacity
g) processing is necessary for reasons of substantial public interest
h) processing is necessary for the purposes of preventive or occupational medicine, for the
assessment of the working capacity of the employee, medical diagnosis, the provision of
health or social care or treatment or the management of health or social care systems and
services
i) processing is necessary for reasons of public interest in the area of public health
j) processing is necessary for archiving purposes in the public interest, scientific or historical
research purposes

Lawful Basis for Direct Care and Administrative Purposes


All health and adult social care providers are subject to the statutory duty under section 251B of
the Health and Social Care Act 2012 to share information about a patient for their direct care. This
duty is subject to the GDPR, the DPA18 and the Common Law Duty of Confidentiality.
For common law purposes, sharing information for direct care is on the basis of implied consent,
which may also cover administrative purposes where the patient has been informed or it is
otherwise within their reasonable expectations that their personal information will be shared.


Under the GDPR, for the processing of personal data in the delivery of direct care and for
administrative purposes, the Article 6 condition for lawful processing that is available to all
publicly funded health and/or statutory health and social care organisations in the delivery of their
functions is:
6(1)(e) ‘…for the performance of a task carried out in the public interest or in the exercise of official
authority…’
Personal Data Concerning Health is a special category of personal data; the most appropriate
Article 9 condition under the GDPR for direct care and for administrative purposes is:
9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management
of health or social care systems…’
These conditions will also be the most appropriate basis for local administrative purposes such as:
waiting list management, performance against national targets, activity monitoring, local clinical
audit and local clinical supervision. These conditions will also apply where the Trust participates in
activities with a statutory basis, such as responding to a public health emergency.

7.4 GDPR Principle 2


The second principle of the GDPR requires that the processing of personal information by the Trust
shall be specified, explicit and legitimate. This means that:
• The Trust shall be clear from the outset about what the purposes for processing personal
information are and what it intends to do with that information.
• The Trust shall record the purposes as part of its documentation obligations and specify them in
the privacy information that is provided for individuals.
• The Trust shall regularly review its processing activities and, where necessary, update its
documentation and the privacy information that is provided for individuals.
• Staff shall only use personal data for a new purpose if this is compatible with the original
purpose, it comes with specific consent, or there is a clear basis in law. As a general rule, if the
new purpose is very different from the original purpose, would be unexpected, or would have
an unjustified impact on the individual, it is likely to be incompatible with the original purpose.

7.5 GDPR Principle 3


The third principle of the GDPR requires that the processing of personal information by the Trust
shall be adequate, relevant and not excessive. This means that:
• Staff shall ensure that the personal information they process is adequate, i.e. they should
identify the minimum amount of personal data needed to fulfil the stated purpose and ensure that it
is sufficient to properly fulfil that purpose.
• Staff shall ensure that the personal information they process is relevant, i.e. that they only collect
the information that is actually needed and that there is a rational link to the stated purpose.
• Staff shall ensure that the personal information they process is limited to what is necessary, i.e.
that they do not hold more than is required for the stated purpose, that this information is
periodically reviewed, and that anything not needed is deleted.


7.6 GDPR Principle 4
The fourth principle of the GDPR requires that the processing of personal information by the Trust
shall be accurate and kept up to date. This means that:
• The Trust shall ensure that it has appropriate processes in place to allow Staff to check the
accuracy of the personal information it collects, and that it records the source of that data.
• Staff shall take all reasonable steps to ensure that the personal data they hold is not incorrect or
misleading as to any matter of fact.
• If the Trust or a member of Staff discovers that personal data is incorrect or misleading,
reasonable steps shall be taken to correct or erase it as soon as possible.
• Staff shall ensure that their records clearly identify any matters of opinion and, where appropriate,
whose opinion it is and any relevant changes to the underlying facts.
• The Trust shall ensure that it complies with the individual’s right to rectification and carefully
considers any challenges to the accuracy of personal data.
• As a matter of good practice, Staff shall keep a record of any challenges to the accuracy of
personal information.

7.7 GDPR Principle 5


The fifth principle of the GDPR requires that personal data processed for any purpose or purposes
by the Trust shall not be kept for longer than is necessary. This means that:
• The Trust shall ensure that it knows what personal data it holds and why it needs it (the purpose).
• The Trust shall not keep personal data for longer than is needed. This will depend on the purposes
for holding the data.
• The Trust shall develop a Records Management Policy setting standard retention periods wherever
possible, to comply with documentation requirements.
• Staff shall ensure that all personal information, held either on paper or electronically, is
retained and disposed of securely in accordance with the Records Management Policy and in line
with the Records Management Code of Practice for Health and Social Care 2016.
• Staff should also periodically review the data they hold, and erase or anonymise it when it is no
longer needed.
• The Trust shall have appropriate processes in place to comply with individuals’ requests for
erasure under ‘the right to be forgotten’.
• The Trust shall clearly identify any personal data that it needs to keep for public interest archiving,
scientific or historical research, or statistical purposes.

7.8 GDPR Principle 6


The sixth principle of the GDPR requires that personal data processed by the Trust shall be
processed in a secure manner. This means that:
• The Trust shall ensure that it processes personal data securely by means of appropriate ‘technical
and organisational’ measures.

• The Trust shall undertake an analysis of the risks presented by its processing, and use this to
assess the appropriate level of security it needs to put in place.
• The Trust shall have an Information Security Policy (or equivalent) and take steps to make sure the
Policy is implemented. Where necessary, the Trust shall have additional Policies and ensure that
controls are in place to enforce them.
• The Trust shall regularly review its Information Security Policies and measures and, where
necessary, improve them.
• The Trust shall put in place basic technical controls such as those specified by established
frameworks like Cyber Essentials.
• The Trust shall have appropriate measures in place to ensure the ‘confidentiality, integrity and
availability’ of its systems and services and the personal data it processes within them.
• The Trust shall provide tools so that staff can use encryption and/or pseudonymisation where it is
appropriate to do so.
• The Trust shall ensure that it can restore access to, and availability of, personal data in a timely
manner in the event of a physical or technical incident, such as by establishing an appropriate
backup process.
• The Trust shall ensure that it has appropriate physical security in place to protect the personal
information it processes. These measures may include but are not limited to:
  ◦ the quality of doors and locks, and the protection of its premises by such means as alarms,
security lighting or CCTV;
  ◦ how it controls access to its premises, and how visitors are supervised;
  ◦ how it disposes of any paper and electronic waste; and
  ◦ how it keeps IT equipment, particularly mobile devices, secure.
• The Trust shall ensure that it has appropriate technical controls in place to protect the personal
information it processes. These may include but are not limited to:
  ◦ system security – the security of the network and information systems, including those which
process personal data;
  ◦ data security – the security of the data it holds within its systems, e.g. ensuring appropriate
access controls are in place and that data is held securely;
  ◦ online security – e.g. the security of the Trust website and any other online service or
application that it uses; and
  ◦ device security – including Policies on mobile working and Bring Your Own Device (BYOD).
• The Trust shall conduct regular testing and reviews of its measures to ensure they remain
effective, and act on the results of those tests where they highlight areas for improvement.
• The Trust shall ensure that any Data Processors it uses also implement appropriate technical and
organisational measures.

7.9 The Rights of the Data Subject


The Trust will ensure that systems and processes are in place to fulfil the rights of a data subject
under the GDPR. They are:
Right to be Informed – The Trust’s Privacy Notice is the main way of letting data subjects know
what personal information we hold about them, who we share it with, etc.

Right of Access – Data subjects have the right to request access to, or a copy of, any personal
data the Trust holds about them. A request for access to their information is commonly known as a
Subject Access Request. Please refer to the Trust’s Subject Access Request Standard Operational
Procedure for more details.
Right to Rectification – Data Subjects have the right to request that the Trust corrects any personal
data that is found to be factually inaccurate or out of date.
Right to Erasure – Data Subjects have the right to request that their personal data is erased. Note
– information contained in health records will not be erased, as it forms part of a legal document
and was collected for the purposes of direct care.
Right to Restrict Processing – Data Subjects have the right, where there is a dispute in relation to
the accuracy or processing of their personal data, to request that a restriction is placed on any further
processing.
Deceased Patients
The ethical obligation to respect a patient’s confidentiality extends beyond death. However, this
duty of confidentiality needs to be balanced with other considerations, such as the interests of
justice and of people close to the deceased person. Statutory rights of access are set out in the
Access to Health Records Act 1990 and are out of scope of the GDPR and DPA18. Further
information about handling requests for the records of a deceased patient can be found in the
Trust’s Subject Access Request Standard Operational Procedure.

7.10 Requests for information from the Police


The Police can make requests for personal information held by the Trust in accordance with Part 3
of the DPA18.
Any disclosures made to the Police should be limited and proportionate to fulfil the purpose of the
request.
The Trust has a legal duty, and MUST disclose personal information (even without consent), in the
following cases:
• Terrorism
• Road traffic accidents – the name and address of any driver allegedly guilty of an offence; staff
should not disclose any clinical information
• Court Order, including a coroner’s court, tribunals and enquiries
The Trust has a legal power, and MAY disclose personal information (even without consent),
for example to:
• Prevent, detect or prosecute serious crime to protect the public:
  ◦ treason, murder, manslaughter, rape, kidnapping, serious abuse, child protection,
certain sexual offences, causing an explosion, certain firearm offences, taking of
hostages, hijacking, causing death by reckless driving
• MAPPA meetings – risks posed by violent and sexual offenders
• MARAC meetings – highest risk domestic abuse cases
• Safeguarding
The Trust is responsible for ensuring that disclosures are lawful and proportionate. Further
information on disclosing information to the Police can be found in the Trust Guidance on
Disclosing Personal Information to the Police.

7.11 Data Protection by Design and Default
The Trust shall consider data protection issues as part of the design and implementation of
systems, services, products and business practices.
The Trust shall implement procedures to ensure that a Data Protection Impact Assessment (DPIA)
is conducted where processing, in particular using new technologies, and taking into account the
nature, scope, context and purposes of the processing, may result in a high risk to the rights and
freedoms of individuals.
The Trust shall ensure that personal data is automatically protected in any IT system, service,
product and/or business practice, so that individuals do not have to take any specific action to
protect their privacy.

7.12 Employment clauses


The Trust shall ensure that all staff employee contracts contain clauses that clearly identify
responsibilities for information governance including: data protection, confidentiality, freedom of
information, records management and information security.

7.13 Contracts
The Trust shall ensure that appropriate written contracts are in place with Data Processors that
process personal data on its behalf.
The Trust shall only appoint Data Processors who can provide sufficient guarantees that the
requirements of the GDPR will be met and the rights of data subjects protected.

7.14 Personal Data Breaches


The Trust shall ensure that it has robust breach detection, investigation, response and internal
reporting procedures in place.
The Trust shall ensure that all notifiable breaches are reported to the ICO within 72 hours of
becoming aware of the breach, where feasible.
Staff shall ensure that, if a breach is likely to result in a high risk of adversely affecting individuals’
rights and freedoms, those individuals are also informed without undue delay. Staff should
take into account any responsibilities the Trust has under the Duty of Candour when contacting the
individuals affected.
The Trust shall keep a record of any personal data breaches, regardless of whether they are
notifiable.
The Trust shall ensure that its staff know how to escalate a suspected breach to the appropriate
person or team to determine whether a breach has occurred.

7.15 Complaints
The Trust will investigate any complaints that are made in connection with a breach of data
protection or confidentiality. If the complainant is dissatisfied with the conduct of the Trust, then
they should be advised to request an internal review. If they are still dissatisfied, then they should
be advised to contact the ICO.


7.16 International transfers
Any transfers of personal data to a third country or an international organisation may only take
place where there is an adequate level of protection or appropriate safeguards in place. In the
event that any member of staff has any concerns with a transfer of personal information outside of
the United Kingdom then they should contact the Head of Information Governance.

7.17 Caldicott
The first Caldicott Report was published in 1997 and there have been two further Reviews, in 2013
and 2016. The Reports and Reviews have focused on ensuring that confidential patient information
is safeguarded securely and used properly.
The Reports and Reviews provide a series of Principles and Recommendations that all staff should
adhere to. The Caldicott Principles are:
1. Justify the purpose(s): Every proposed use or transfer of personal confidential data within or
from an organisation should be clearly defined, scrutinised and documented, with continuing
uses regularly reviewed, by an appropriate guardian.
2. Don’t use personal confidential data unless it is absolutely necessary: Personal confidential
data items should not be included unless it is essential for the specified purpose(s) of that flow.
The need for patients to be identified should be considered at each stage of satisfying the
purpose(s).
3. Use the minimum necessary personal confidential data: Where use of personal confidential
data is considered to be essential, the inclusion of each individual item of data should be
considered and justified so that the minimum amount of personal confidential data is
transferred or accessible as is necessary for a given function to be carried out.
4. Access to personal confidential data should be on a strict need-to-know basis: Only those
individuals who need access to personal confidential data should have access to it, and they
should only have access to the data items that they need to see. This may mean introducing
access controls or splitting data flows where one data flow is used for several purposes.
5. Everyone with access to personal confidential data should be aware of their responsibilities:
Action should be taken to ensure that those handling personal confidential data - both clinical
and non-clinical staff - are made fully aware of their responsibilities and obligations to respect
patient confidentiality.
6. Comply with the law: Every use of personal confidential data must be lawful. Someone in
each organisation handling personal confidential data should be responsible for ensuring that
the organisation complies with legal requirements.
7. The duty to share information can be as important as the duty to protect patient
confidentiality: Health and social care professionals should have the confidence to share
information in the best interests of their patients within the framework set out by these
principles. They should be supported by the policies of their employers, regulators and
professional bodies.

7.18 Sharing Personal Information for Direct Care


In line with the Health and Social Care Act 2012 and the 7th Caldicott Principle, in order to provide
safe and effective care, personal information about patients should be shared with all those with a
legitimate relationship who are providing direct care or support for an individual. This includes
administrative staff and other NHS or social care organisations. Any sharing must be lawful and in
accordance with the GDPR principles.
Therefore, sharing proportionate and relevant information with those legitimately involved in the
patient’s direct care and support can be done on the basis of implied consent, unless the patient has
specifically objected.

7.19 Disposal of Personal Information


In accordance with Principle 5 of the GDPR personal information should not be kept longer than
necessary. To assist staff in meeting this requirement the Records Management Policy and
archiving procedures provide detailed guidance about the minimum retention periods applicable to
each type of record and the processes to follow for the secure disposal and archiving of
information.
Any documents containing personal information should be disposed of securely and confidentially
and not discarded in domestic waste and recycling bins. The Trust employs a secure confidential
waste disposal service and provides regular collections of confidential waste from all Trust
premises.
The disposal of items of electronic equipment which may hold personal information (computers,
laptops, tablets and any other devices with information storage capabilities) should be carried out
in accordance with the IT Equipment Disposal Policy.

7.20 Abuse of Privilege


Staff should be aware that accesses to the Trust’s electronic patient record systems may be
subject to audit.
It is strictly forbidden for employees to knowingly browse, search for or look at any information
relating to themselves, their own family, friends or other persons, without a legitimate Trust
business related purpose.
Action of this kind will be viewed as a serious breach of confidentiality and the matter will be dealt
with under the Trust’s Disciplinary Policy.

8. Monitoring implementation
The Head of Information Governance will monitor this Policy through the Information Governance
Steering Group and continued compliance with the Data Security and Protection Toolkit.
This Policy will be reviewed every three years, or earlier if appropriate, to take into account any
changes to legislation that may occur, and/or guidance from the Department of Health and/or the
ICO.
Staff will be advised of this Policy through Team Brief. The Policy will be available to all staff via
the Intranet.

9. Associated documentation
• Clinical Record Keeping Guidelines
• Data Protection by Design and Default Procedure
• Data Quality Policy
• Data Security and Protection Awareness Training Programme
• Freedom of Information Policy
• Guidance on Disclosing Personal Information to the Police
• Information Governance Incident Reporting Procedure
• Information Governance Policy
• Information Security Policy
• IT Equipment Disposal Policy
• Off-site Archiving Procedure for Paper Records
• Privacy Notice
• Privacy Notice for Children
• Privacy Notice for Staff
• Records Management Policy
• Safe Haven Procedure
• Subject Access Request Standard Operating Procedure

Data Protection and Confidentiality Policy v1.0 Page 21 of 23

Working together for outstanding care


10. Equality Analysis
Equality Impact Analysis Screening Form

Title of Activity: Data Protection and Confidentiality Policy
Date form completed: 17 Dec 2018
Name of lead for this activity: Rob Neill

Analysis undertaken by:
Name: Rob Neill; Job role: Head of Information Governance; Department: Company Secretary
Office; Contact email: rob.neill1@nhs.net
Name: Chris Broad; Job role: Information Governance Officer; Department: Company Secretary
Office; Contact email: cbroad@nhs.net

What is the aim or objective of this activity? To provide guidance on how the Trust and its staff can
meet the legal obligations and best practice requirements concerning data protection and
confidentiality
Who will this activity impact on? (e.g. staff, patients, carers, visitors etc.) Staff, anybody working
for or on behalf of the Trust, patients and their personal representatives

Potential impacts on different equality groups (for each group: potential for positive impact /
neutral / potential for negative impact, with details of how there is a potential positive, negative or
neutral impact and what evidence has been gathered):
Age: All individuals will be reassured that their personal information will be processed lawfully and
confidentially
Disability: All individuals will be reassured that their personal information will be processed lawfully
and confidentially. Potential for negative impact as this Policy is a visual resource
Gender Reassignment: All individuals will be reassured that their personal information will be
processed lawfully and confidentially
Marriage & civil partnerships: All individuals will be reassured that their personal information will
be processed lawfully and confidentially
Pregnancy & maternity: All individuals will be reassured that their personal information will be
processed lawfully and confidentially
Race: All individuals will be reassured that their personal information will be processed lawfully and
confidentially. Potential for negative impact if English is not first language
Religion & belief: All individuals will be reassured that their personal information will be processed
lawfully and confidentially
Sex: All individuals will be reassured that their personal information will be processed lawfully and
confidentially
Sexual Orientation: All individuals will be reassured that their personal information will be
processed lawfully and confidentially
Additional Impacts (What other groups might this activity impact on? e.g. carers, homeless,
travelling communities etc.): All individuals will be reassured that their personal information will be
processed lawfully and confidentially

Level of impact

If a potential negative or disproportionate impact has been identified from this activity:
Could this impact be considered direct or indirect discrimination? (Yes / No)
If yes, how will you address this?
If the impact could be discriminatory, please contact the Inclusion Team to discuss actions
What level do you consider the potential negative impact to be? (High / Medium / Low)
If the negative impact is high, a full equality impact analysis will be required

Action Plan

How could you minimise or remove any negative impact identified, even if this is rated low?
Make Policy available in alternative formats upon request
Additional support will be provided by IG Team by telephone and/or email
How will you monitor this impact or planned actions?
Monitoring any requests for assistance / support
Future Review Date: When Policy is reviewed in 3 years
