Data Security and Protection Policy

Introduction:

Space 2B You has established specific requirements for handling and protecting confidential information as well as information systems against unauthorised access and disclosure of all types of information. Space 2B You will effectively communicate the need for handling confidential information and information system access control.

This policy deals mainly with customer information (such as patient and carer/family members, NHS bodies) but its principles should be noted and applied to any system (whether computerised or not) that holds personal data, including but not restricted to, staff and contractor data.

Purpose of information collection:

The collection and use of customer data within Space 2B You is aimed at:

  • Delivering personalised care and treatment

  • Assuring and improving the quality of care and treatment (clinical audit)

  • Monitoring and protecting public health

  • Coordinating Space 2B You services with those of other agencies (NHS Trusts, other service providers or government bodies)

  • Providing effective health care administration

  • Teaching purposes

  • Supporting statistical analyses and medical or health services research

  • Responding to external influences and requirements

Customer-identifiable Information refers to all personal information about members of the public held in any format (visual / verbal / paper / computer / microfilm / etc.) by or for Space 2B You.

Scope:

This policy applies to all staff and contractors employed by Space 2B You, and applies to agency and locum staff; students; voluntary staff; and trainees on temporary placements.

This policy is based largely on the following:

  • Customers’ expectations that information about them will be treated as confidential.

  • Customers’ awareness that Space 2B You staff/contractors and sometimes the staff of other agencies have strictly controlled access to such information.

  • Customer rights of access to information held about them.

  • Supervisors’ expectation of authority to oversee and enforce the law.

  • General Data Protection Regulation 2018 (GDPR) (replacement of The Data Protection Act)

  • The Caldicott Principles

  • The Access to Medical Reports Act 1988

  • The Computer Misuse Act 1990

  • The Access to Health Records Act 1990 (for access to deceased records only)

  • The Human Rights Act 1998

  • The Mental Health Act 2007 (incorporating amendments to the Mental Health Act 1983; the Mental Capacity Act 2005 and the Domestic Violence, Crime and Victims Act 2004)

  • The Freedom of Information Act 2000

Basic Principles:

“Customer information” applies to the personal information of all patients, carer/family members, NHS Trusts/CCGs and organisations, held in whatever form by Space 2B You or Space 2B You staff/contractors. Space 2B You handles carer/family member information in the same way as ‘patient’ information.

Regarding patients, basic principles include:

  • All patient information is confidential.

  • Patient information can and will be used for the effective treatment of patients.

    Patient information may be passed on to someone else:

  • With the patient’s consent

  • On a strictly controlled ‘need to know’ basis

    Required by law:

  • Space 2B You will have in place an Information Governance Policy and Strategy and a suitably robust Information Security Policy

  • All Space 2B You staff/contractors will be made aware of the possibility of severe consequences of breaching patient confidence and will have in place an appropriate disciplinary procedure.

  • Space 2B You will ensure that a duty of confidence requirement will be included in employment contracts or other documents setting out terms and conditions.

  • This policy will be reviewed annually and will contain any amendments required following the review of the Information Governance requirements.

  • Information may only be passed on for a justifiable purpose and where possible only minimum information about the patient should be used. Wherever possible patient information should be anonymised (i.e. the person's identity and other identifying details are removed) or aggregated (statistics compiled from personal information). The fact that information has been anonymised does not remove the duty of confidence, as it can still only be passed on for justifiable purposes.

  • In almost all data flows there are items of information present which would enable a person’s identity to be established by one means or another. Although items may not in themselves uniquely identify an individual patient, taken together they may permit identity to be inferred. Therefore, all items of information which relate to an attribute of an individual should be treated as potentially capable of identifying patients to a greater or lesser extent, and appropriately protected to safeguard confidentiality.

    The ‘Need to Know’ basis may occur:

  • For Space 2B You purposes (including where services are either provided under contract to the NHS/local authority or are being planned or provided with other agencies)

  • The recipient needs the information because he or she may be concerned with the patient’s care or treatment (e.g. carer).

    The use of the information can be justified for wider purposes:

  • For delivering personal care and treatment

  • Assuring and improving the quality of patient care and treatment (clinical audit)

  • Monitoring and protecting public health

  • Coordinating Space 2B You care with other agencies (NHS Trusts, CCGs, Local Authority, voluntary and independent services)

    Effective health care administration such as:

  • auditing Space 2B You accounts as part of contract requirements with NHS bodies for Space 2B You performance.

  • risk management (health and safety)

  • to investigate complaints

  • For teaching purposes

  • For statistical analysis, and for medical or health services research

  • The information is required by statute or Court Order

  • The passing on of information can be justified for other reasons, usually for the protection of the public or protection of at-risk children.

    Space 2B You policy takes into account the following rights for individuals (aligned to the GDPR):

  • the right to be informed;

  • the right of access;

  • the right to rectification;

  • the right to restrict processing;

  • the right to data portability;

  • the right to object; and

  • the right not to be subject to automated decision-making.

    Lawful basis for processing personal data:

    Where Space 2B You is contracted by the NHS as a subcontractor for the purpose of delivering clinical services as part of the NHS public task, the following lawful bases for processing will be relied upon for personal and special category data:

  • For the processing of personal data the ‘public task’ ground of Article 6(1)(e) of the GDPR

  • For the processing of special category data the ‘medical diagnosis and treatment’ ground in the provision of healthcare of Article 9(2)(h) of the GDPR.

  • The relevant condition which will apply under the Data Protection Act 2018 is Schedule 1 Part 1 paragraph 2 (condition (2) d), for the provision of healthcare.

Keeping patients informed:

Providing advice on how Patient Information is used:

It is neither practicable nor necessary to seek the consent of a patient or other informants each time information needs to be passed on. Therefore, patients need to be fully informed of how the information which they give may be used. This will be achieved in several ways:

  • Space 2B You will inform patients through the Space 2B You Privacy Policy and any additional documents as required (such as consent forms for research projects) of the purposes for which information about them is collected, and the organisations to which information may need to be passed on. The Space 2B You Privacy Policy and statement is available on our website; service users can also view our commissioners’ privacy policies and statements on their websites. If required, service users can contact Space 2B You via telephone for more details (contact details on page 12).

  • Where information is required to be shared, patients are to be advised before they are asked to provide it and should have the opportunity to discuss any aspects that are special to their treatment or circumstances.

  • Advice must be presented in a convenient form and be available both for general purposes and before a particular treatment/intervention begins.

  • In cases of multi-agency working, for example NHS integrated health and social care teams, explicit consent will be required via the Space 2B You consent form that would be approved by the partner/contracting organisation.

Patients’ Right of Access to their own records:

Patients have the right of access to their own health records free of charge. These rights are embodied within:

  • General Data Protection Regulation (GDPR) 2018 – entitles individuals to a copy of personal information held about them (both manual and automated)

  • Access to Medical Reports Act 1988 – in respect of reports prepared for employment or insurance purposes.

  • The Human Rights Act 1998 – the means by which certain ‘rights and freedoms’ contained in the European Convention of Human Rights have become a direct part of UK law.

  • Access to Health Records Act 1990 – for applications relating to deceased persons only; rights of access are to manual health records made after 1 November 1991, and to earlier records if they are necessary to understand the later ones.

Patients do not have to give reasons for seeking access to health records.

Safeguarding information:

Who has a duty of confidence:

All Space 2B You employees and contractors have a duty of confidence deriving from the personal nature of the information recorded. Consequently, the following all have responsibilities for protecting information:

  • All Space 2B You staff/contractors and those carrying out functions on behalf of Space 2B You have a Common Law duty of confidence to patients and a duty to support professional ethical standards of confidentiality.

  • Space 2B You staff and contractors who record, handle, store or otherwise come across information have a personal Common Law duty of confidence to patients and to their employer. This applies equally to those on temporary placements (such as students or trainees), volunteer, bank, and agency staff.

  • Health professionals have, by virtue of professional regulation, an ethical duty of confidence which, when considering whether information should be passed on, includes paying special regard to the health needs of the patient and their wishes.

  • Other individuals and agencies to whom information is passed legitimately may use it only as authorised for specific purposes and possibly subject to certain conditions.

General Data Protection Regulation 2018 (GDPR):

  • All personal data (including patient information) relating to living individuals that is held on a Space 2B You computer system or contained in any relevant filing system is subject to the GDPR. Visual and verbal personal data held is also subject to the GDPR.

  • In general, Space 2B You should treat information about deceased patients in confidence; however, any information shared may require particular attention and sensitivity. Death certificates are NOT confidential.

  • When an individual has died, it is unlikely that information relating to that individual remains legally confidential. However, an ethical obligation to the relatives of the deceased exists and the health records of the deceased are public records governed by the provisions of the Public Records Act 1958. This permits the use and disclosure of the information within them in limited circumstances. The Access to Health Records Act 1990 permits access to the records of the deceased by those with a claim arising out of the death of the individual concerned. The right of access is negated, however, if the individual concerned requested that a note denying access be included within the record prior to death (this might form part of a formal advance directive).

  • Space 2B You will ensure that it is correctly registered with the Information Commissioner and that such registration is kept up to date.

  • It is a criminal offence to hold or disclose information in breach of the registration requirements of the GDPR.

Responsibility for passing on information:

Identifiable data:

Space 2B You employees and contractors are accountable for their decisions to pass on information. Such decisions should usually be taken by the health professional responsible for the patient’s care and treatment or on the advice of a nominated senior professional. Only minimum identifiable information should be used.

If a patient requests that information be withheld from someone who might otherwise have received it in connection with his or her treatment, the patient should be informed of any health or social care implications or of any other relevant factors. However, the patient’s wishes should be respected unless there are overriding considerations to the contrary. The reason for not passing on information must be noted on the patient’s record.

Patient-Identifiable information includes:

  • Surname

  • Forename

  • Initials

  • Date of Birth

  • Address

  • Postcode

  • Other Dates (i.e. death, diagnosis)

  • Sex

  • Ethnic Group

  • Occupation

  • NHS Number

  • NI Number/Local Identifier (i.e. Hospital or GP Practice number)

Non-identifiable data:

  • Where anonymised information would be sufficient for a particular purpose, identifiable information should be removed wherever possible.

  • Where information can be anonymised/pseudonymised rendering it non personal/identifiable, it may be shared at the discretion of the clinician.

  • The unauthorised passing on of information by any Space 2B You member of staff or person in contract with Space 2B You will warrant consideration of in-house disciplinary action and will risk legal action. In addition, health professionals may be subject to action by their regulatory bodies.

  • The above point, however, should in no way detract from the general climate of openness within Space 2B You, and that, subject to health professionals’ duty of confidence, they have both rights and responsibilities to raise concerns about health care issues.

  • Patients who feel that confidence has been breached may use Space 2B You’s complaints procedure. Patients have a right to be told how to complain. Patients may also complain to the Information Commissioner.

Patients unable to give consent:

The Mental Capacity Act 2005 imposes a duty upon health and social care professionals to consult with those close to an incapacitated patient in deciding what course of action would be in the patient’s best interests. There is a need to balance this duty to consult with the patient’s right to confidentiality. Independent Mental Capacity Advocates and solicitors will in turn be bound by a duty of confidentiality to the patient.

Failure to support those with disabilities could be an offence under the Disability Discrimination Act 1995 and may prevent consent from being gained. Space 2B You will work with the Contracting agency to find support for communicating with patients who have specified disabilities.

Children and Young People:

  • Adolescents and children under the age of 13 require the consent of a parent/guardian to process their personal data.

  • In other instances with regard to children, decisions to pass on personal information may be taken by a person with parental responsibility in consultation with the health professionals concerned.

  • In child protection cases, if the health professional (or other member of staff) has knowledge of abuse or neglect it may be necessary to share this with others on a strictly controlled basis so that decisions regarding the child’s welfare can be taken in the light of all relevant information.

  • When information regarding an individual indicates that a child may be at risk from that individual there is a duty to share that information with the appropriate agency.

  • Privacy notices for children and adolescents must be written in clear, plain English that they will understand.

Complaints:

Complaints from patients regarding confidentiality of their information will be dealt with through Space 2B You’s complaint procedure. Space 2B You will support the statutory right of patients to complain to the Information Commissioner, as well as their rights to take action for compensation if the individual has suffered damage (physical and/or mental) as a result of the breach of confidentiality, and to have any inaccurate personal information corrected or erased.

Security measures:

For further information on the security of both electronic and paper-based records, please see Space 2B You’s Information Security Policy. Please also see Space 2B You’s Data Retention and Destruction Policy for details on data lifecycle and destruction methods.

Arrangements will exist within Space 2B You for the storage and disposal of all patient information (both manual and computer based) that will protect confidentiality.

Space 2B You management will ensure that every possible care will be taken to avoid unintentional breaches of confidence.

Any agencies or individuals contracted to carry out Space 2B You functions will be informed in their contract of the obligations to confidentiality. Action as to breaches of confidence will also be specified (for example, termination of contract).

Space 2B You will abide by the guidelines for the retention of personal records before considering them for destruction. Again, the considerations of the Electronic Patient Record and the Electronic Health Record will be recognised as per Space 2B You contracts with the NHS.

Coordinating care with other agencies:

Sharing personal data:

Space 2B You should aim to deliver a “seamless” service when other agencies are involved in patient care. Essential information must be allowed to pass between Space 2B You, the NHS, the Health Authority, Local Authority, Social Services and other services (such as housing, education, voluntary or independent bodies), where those agencies are contributing to or planning a programme of care. However, the information supplied will be only that which is necessary for the task.

The patient will be made aware of the necessity of information sharing between inter-agency stakeholders, and this will usually be discussed with them as part of the care planning process when gaining informed explicit consent to share data via Space 2B You’s consent form and/or Privacy Policy and/or Terms & Conditions.

If the patient objects to information sharing, the possible consequences engendered from an uncoordinated care programme should be explained. However, the patient’s ultimate decision must be respected unless there are overriding considerations.

Although a patient has the right to refuse consent to share information, it is essential that complete records are kept of all care provided and that any restrictions placed on disclosure of information by the patient are adequately recorded together with evidence that neither patient safety, nor clinical responsibility for healthcare provision, has been neglected by the restriction.

Training and Research:

Space 2B You will ensure patients’ specific consent is sought for any activity relating to teaching or research that would involve them personally, and that any published research findings will not identify patients without specific agreement.

Commercial Marketing:

Space 2B You will not allow personal details of patients to be passed on or sold for fund-raising or commercial marketing purposes.

Passing of information for other purposes or as a legal requirement:

Relatives, Friends, and Carers:

Space 2B You will support the patient’s wishes and consent for disclosure of information to relatives, friends and/or carers, and NHS treatment team members (or other healthcare teams) in line with this policy.

Explicit consent is required, and the individual’s wishes recorded in the Space 2B You case notes.

Statutory Requirements:

Space 2B You will ensure that it complies with statutory requirements to pass on certain patient information. In certain circumstances a Space 2B You member of staff or contractor may have a statutory responsibility to pass on patient information. If so, prior consultation is not required.

The majority of statutory requirements concern forms of notification: for example, obligations to pass on information under the Mental Health Act 1983.

Litigation:

Space 2B You will comply with High Court Orders appertaining to the disclosure of documents before and during proceedings for personal injury or death, and to an applicant and their legal, medical and professional advisers.

Protection of the Public:

Space 2B You will support disclosure of information for the ‘discovery of iniquity’. Most commonly, these involve the prevention of serious crime, but can extend to other dangers to the general public, such as public health risk or risk of violence.

Passing on information to help prevent, detect, or prosecute serious crime may sometimes be justified to protect the public. Although there is no absolute definition of serious crime, section 116 of the Police and Criminal Evidence Act 1984 identifies some serious arrestable offences, which include:

  • Treason

  • Murder

  • Manslaughter

  • Rape

  • Kidnapping

  • Offences under the prevention of terrorism legislation

(Serious crime, as defined by the GMC is “a crime that puts someone at the risk of death or serious harm and would usually be crimes against the person, such as abuse of children”).

Also, making a threat which if carried out would be likely to lead to:

  • Serious threat to the security of the state or to public order

  • Serious interference with the administration of justice or with the investigation of an offence

  • Death or serious injury

  • Substantial financial gain or serious financial loss to any person

Space 2B You may need to seek legal advice before making a decision to release information.

Press and Broadcasting:

Space 2B You will ensure that good relations with the press and broadcasting institutions are maintained. Only the Directors will correspond with the press and broadcasting.

In dealing with the media, the patient’s consent will be obtained if they are capable of making a decision. Where the patient is unable to make a decision, Space 2B You may decide whether the disclosure of information is in the patient’s best interests, though wherever possible, relatives should be consulted.

Space 2B You may comment in public (confining itself to factual information or the correction of any misleading assertions or published comment) if a patient, or former patient, or relative of the patient invites the media to report on their treatment.

Disciplinary Actions

Breach of this Code of Conduct may result in disciplinary action.  

Contact Details

If staff or contractors have any concerns, they must inform Space 2B You directors Marie-Anne McKee and Alison Joyce. 

Telephone:

020 3048 3331 (ext. 301) 

Email:

www.barbara.johnston@space2byou.co.uk 

alison.joyce@space2byou.co.uk 

marie-anne.mckee@space2byou.co.uk