Data Protection and Confidentiality Policy 1.0
Policy
Guideline / Policy on a Page – Summary of Key Points
This Policy provides guidance on how the Trust and its staff can meet the
legal obligations and best practice requirements concerning data protection
and confidentiality.
The General Data Protection Regulation (GDPR), the Data Protection Act
2018 (DPA18) and the Common Law Duty of Confidentiality set the legal
framework by which the Trust can process personal information.
All staff must also comply with best practice for information handling within the
NHS as described in the Caldicott Principles, the NHS Code of Confidentiality,
the Health and Social Care Act 2012, the Data Security and Protection Toolkit
and any appropriate professional codes of conduct.
Action of this kind will be viewed as a serious breach of confidentiality and the
matter will be dealt with under the Trust’s Disciplinary Policy.
Document Purpose: To detail how the Trust will meet its legal obligations and best
practice requirements concerning data protection and confidentiality
Document Author: Rob Neill, Head of Information Governance
Target Audience: All Worcestershire Health and Care NHS Trust staff
Responsible Group: Worcestershire Health and Care NHS Trust Quality and Safety
Committee
The validity of this policy is only assured when viewed via the Worcestershire Health and
Care NHS Trust website (hacw.nhs.uk). If this document is printed into hard copy or
saved to another location, its validity must be checked against the unique identifier number
on the internet version. The internet version is the definitive version.
If you would like this document in other languages or formats (e.g. large print), please
contact the Communications Team on 01905 681770 or by email to
WHCNHS.Communications@nhs.net
1. Introduction (p. 7)
2. Purpose of document (p. 7)
3. Definitions (p. 7)
4. Scope (p. 9)
5. Training/Competencies (p. 9)
6. Responsibilities and duties (p. 9)
7. Main Policy (p. 10)
7.1 The General Data Protection Regulation and Data Protection Act 2018 (p. 11)
7.2 Types of information (p. 11)
7.3 GDPR Principle 1 (p. 12)
7.4 GDPR Principle 2 (p. 14)
7.5 GDPR Principle 3 (p. 14)
7.6 GDPR Principle 4 (p. 15)
7.7 GDPR Principle 5 (p. 15)
7.8 GDPR Principle 6 (p. 15)
7.9 The Rights of the Data Subject (p. 16)
7.10 Requests for information from the Police (p. 17)
7.11 Data Protection by Design and Default (p. 18)
7.12 Employment clauses (p. 18)
7.13 Contracts (p. 18)
7.14 Personal Data Breaches (p. 18)
7.15 Complaints (p. 18)
7.16 International transfers (p. 19)
7.17 Caldicott (p. 19)
7.18 Sharing Personal Information for Direct Care (p. 19)
7.19 Disposal of Personal Information (p. 20)
7.20 Abuse of Privilege (p. 20)
8. Monitoring implementation (p. 20)
9. Associated documentation (p. 20)
10. Equality Analysis (p. 22)
2. Purpose of document
This Policy provides guidance on how the Trust and its staff can meet the legal obligations and
best practice requirements concerning data protection and confidentiality.
3. Definitions
Data Concerning Health - personal data related to the physical or mental health of a natural
person, including the provision of health care services, which reveal information about his or her
health status.
Data Controller - the natural or legal person, public authority, agency or other body which, alone or
jointly with others, determines the purposes and means of the processing of personal data. The
Trust is a Data Controller.
Data Flow - a continuing or repeated flow of information which takes place between individuals or
organisations and includes personal data.
Data Processing - any operation or set of operations which is performed on personal data or on
sets of personal data, whether or not by automated means, such as collection, recording,
organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure
by transmission, dissemination or otherwise making available, alignment or combination,
restriction, erasure or destruction.
Data Processor - a natural or legal person, public authority, agency or other body which processes
personal data on behalf of the Data Controller. The Trust can act as a Data Processor.
4. Scope
This Policy provides guidance to ensure that information processed by staff is handled in a
confidential and secure manner which complies with current legislation and best practice guidance
relating to data protection and confidentiality.
This Policy applies to all areas of the Trust and all staff who handle information. It will be of
particular relevance to staff who handle personal and special categories of personal information
relating to both patients and staff. This Policy also applies to Third Parties and Contractors who
have access to Trust data.
This Policy covers all information processed within the Trust, including but not limited to:
- Patient information
- Staff information
- Organisational information
- Structured record systems, held on paper and electronically
- All methods of sharing information, including face to face, fax, email, post, telephone,
conference calls, text, uploading to websites etc.
5. Training/Competencies
All staff are responsible for ensuring they complete annual mandatory Data Security and Protection
Awareness training as this covers relevant data protection and confidentiality requirements. This
training is usually completed online via the Electronic Staff Record (ESR) or in exceptional
circumstances via a classroom based training session.
This requirement also applies to Third Parties and Contractors who may have access to personal
information. Most agencies working with the NHS provide their staff with this training. Where this
is not the case, local arrangements should be made to ensure the employee is adequately trained
before working at the Trust.
Staff in specific roles should undertake training relevant to their role e.g. subject access request
training, archiving training. The Data Security and Protection Awareness Training Programme has
been developed to provide any additional bespoke training that is required.
7. Main Policy
The principle behind this Policy is that no member of staff shall breach their legal duties or
requirements under best practice guidelines relating to data protection or confidentiality, allow
others to do so, or attempt to breach any of the Trust’s controls or security systems in order to do
so.
This Policy has been produced to protect staff by making them aware of the correct procedures so
that they do not inadvertently breach any of these lawful or best practice requirements.
Any actual or suspected breach of these lawful or best practice requirements must be reported as
an incident in line with the Incident Reporting Policy and investigated to an appropriate level.
All staff, Third Parties and Contractors are responsible for maintaining the confidentiality of
information gained during their employment or placement by the Trust. This duty continues after
conclusion of employment or placement.
Data Protection and Confidentiality Policy v1.0 Page 10 of 23
7.13 Contracts
The Trust shall ensure that appropriate written contracts are in place with Data Processors that
process personal data on its behalf.
The Trust shall only appoint Data Processors who can provide sufficient guarantees that the
requirements of the GDPR will be met and the rights of data subjects protected.
7.15 Complaints
The Trust will investigate any complaints that are made in connection with a breach of data
protection or confidentiality. If the complainant is dissatisfied with the conduct of the Trust, then
they should be advised to request an internal review. If they are still dissatisfied, then they should
be advised to contact the ICO.
7.17 Caldicott
The first Caldicott Report was published in 1997 and there have been two further Reviews in 2013
and 2016. The Reports and Reviews have focused on ensuring that confidential patient information
is safeguarded securely and used properly.
The Reports and Reviews provide a series of Principles and Recommendations that all staff should
adhere to. The Caldicott Principles are:
1. Justify the purpose(s): Every proposed use or transfer of personal confidential data within or
from an organisation should be clearly defined, scrutinised and documented, with continuing
uses regularly reviewed, by an appropriate guardian.
2. Don’t use personal confidential data unless it is absolutely necessary: Personal confidential
data items should not be included unless it is essential for the specified purpose(s) of that flow.
The need for patients to be identified should be considered at each stage of satisfying the
purpose(s).
3. Use the minimum necessary personal confidential data: Where use of personal confidential
data is considered to be essential, the inclusion of each individual item of data should be
considered and justified so that the minimum amount of personal confidential data is
transferred or accessible as is necessary for a given function to be carried out.
4. Access to personal confidential data should be on a strict need-to-know basis: Only those
individuals who need access to personal confidential data should have access to it, and they
should only have access to the data items that they need to see. This may mean introducing
access controls or splitting data flows where one data flow is used for several purposes.
5. Everyone with access to personal confidential data should be aware of their responsibilities:
Action should be taken to ensure that those handling personal confidential data - both clinical
and non-clinical staff - are made fully aware of their responsibilities and obligations to respect
patient confidentiality.
6. Comply with the law: Every use of personal confidential data must be lawful. Someone in
each organisation handling personal confidential data should be responsible for ensuring that
the organisation complies with legal requirements.
7. The duty to share information can be as important as the duty to protect patient
confidentiality: Health and social care professionals should have the confidence to share
information in the best interests of their patients within the framework set out by these
principles. They should be supported by the policies of their employers, regulators and
professional bodies.
8. Monitoring implementation
The Head of Information Governance will monitor this Policy through the Information Governance
Steering Group and continued compliance with the Data Security and Protection Toolkit.
This Policy will be reviewed every three years, or earlier if appropriate, to take into account any
changes to legislation that may occur, and/or guidance from the Department of Health and/or the
ICO.
Staff will be advised of this Policy through Team Brief. The Policy will be available to all staff via
the Intranet.
9. Associated documentation
- Clinical Record Keeping Guidelines
- Data Protection by Design and Default Procedure
What is the aim or objective of this activity? To provide guidance on how the Trust and its staff can
meet the legal obligations and best practice requirements concerning data protection and
confidentiality
Who will this activity impact on? (e.g. staff, patients, carers, visitors etc.) Staff, anybody working
for or on behalf of the Trust, patients and their personal representatives
For each Equality Group, the analysis records whether there is potential for positive impact, a
neutral impact or potential for negative impact, and asks: please provide details of how you
believe there is a potential positive, negative or neutral impact (and what evidence you have
gathered).
Age: All individuals will be reassured that their personal information will be processed lawfully
and confidentially
Disability: All individuals will be reassured that their personal information will be processed
lawfully and confidentially. Potential for negative impact as this Policy is a visual resource
Gender Reassignment: All individuals will be reassured that their personal information will be
processed lawfully and confidentially
Marriage & civil partnerships: All individuals will be reassured that their personal information
will be processed lawfully and confidentially
Pregnancy & maternity: All individuals will be reassured that their personal information will be
processed lawfully and confidentially
Level of impact
If a potential negative or disproportionate impact has been identified from this activity:
Could this impact be considered direct or indirect discrimination? (Yes / No)
If yes, how will you address this?
If the impact could be discriminatory, please contact the Inclusion Team to discuss actions
What level do you consider the potential negative impact to be? (High / Medium / Low)
If the negative impact is high, a full equality impact analysis will be required
Action Plan
How could you minimise or remove any negative impact identified, even if this is rated low?
- Make Policy available in alternative formats upon request
- Additional support will be provided by IG Team by telephone and/or email
How will you monitor this impact or planned actions?
- Monitoring any requests for assistance / support
Future Review Date: When Policy is reviewed in 3 years