data protection and information governance · 2019-07-18 · data protection and information...

DATA PROTECTION AND INFORMATION GOVERNANCE

Corporate Policy

Title of Policy Document Issue Date and Version

Data Protection and Information Governance September 2018 (Version 1.2)

Policy Reference Number 6

Has Equality Impact Assessment been completed? N/A

Categories ☒ Core

☐ Corporate

☐ Equal Opportunities

☐ Health and Safety

☐ Housing

☐ Human Resources

☒ Information Governance

☐ IT and Communications

☐ Learning and Development

☐ Professional Practice and Standards

☐ Recruitment

☐ Service Management

☐ Stakeholder Involvement

☐ Support Planning and Risk Assessment

☐ Service Provision – CQC services

☐ Service Provision

Signed off by

Chief Executive

Renewal date May 2021

First issue date May 2018

Update notes (version 1.2) Amendment made to section 5, “The Legal

Bases for Processing Data” to incorporate

GDPR Article 10, processing of personal

data relating to criminal convictions.

DATA PROTECTION AND INFORMATION

GOVERNANCE Corporate Policy

Data Protection and Information Governance

Version 1.2

Issued September 2018

Approved by:

1. Data Protection Legislation and Information Governance Standards

Data is a vital asset, both in terms of the effective provision of care and support to individual service users and the efficient management of services, resources and performance management. It is therefore of paramount importance that the appropriate policies, procedures and management accountabilities are in place to provide a robust governance framework for information management and data protection.

The European Union’s General Data Protection Regulation (GDPR) comes into force on 25th May 2018 and the UK’s Data Protection Act 2018 comes into force on the same date. The terms of the GDPR and the Data Protection Act 2018 will remain legally applicable to the UK, irrespective of the UK’s exit from the European Union.

Creative Support is registered with the Information Commissioner’s Office (ICO) under registration reference Z754770X. Service Director, Julie Cooke is the Senior Information Risk Owner (SIRO) and Caldicott Lead for Creative Support. Head of Engagement and Learning, Raymond Corry, is the Information Governance Lead for Creative Support. The scope of these roles is outlined in section 2 below.

Practice covering the processing of personal information in social care is governed by the following legislation and guidance:

● The Data Protection Acts 1998 and 2018 ● The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) ● Data Protection (Processing of Sensitive Personal Data) Order 2000 ● Freedom of Information Act 2000 ● Computer Misuse Act 1990 ● Privacy and Electronic Communications Regulations 2003 ● Caldicott Recommendations ● NHS Codes of Practice, including; Confidentiality: NHS Code of Practice (DOH 2003) ● Human Rights Act 1998 ● Public Records Act 1958 ● Records Management Code of Practice for Health and Social Care (DOH, 2016) ● A Guide to Confidentiality in Health and Social Care (HSCIC, 2013) ● The HSCIC Checklist Guidance for Reporting, Managing and Investigation Information

Governance and Cyber Security Serious Incidents Requiring Investigation (SIRI). Creative Support is obliged to comply with the NHS Information Governance standards for voluntary organisations as a social care provider that contracts with the NHS. Using the Data Security and Protection Toolkit (DSP) Creative Support will evidence its compliance with these standards, building on its self-assessment at Level 2 under the Information Governance Toolkit in December 2017, with a view to reaching all of the new DSP standards by the required deadline of March 2019. The DSP standards incorporate the requirements of the GDPR and new data protection legislation, with respect to the secure processing of personal data. Accordingly, this policy document combines previous corporate policies, Data Protection, the Information Governance Policy and Procedure and Confidentiality and Access to Records and sets out the legal and corporate framework for the protection of all personal

Data Protection and Information Governance Page 2 of 15


Version 1.2


Approved by:

data processed by Creative Support, relating both to service users and employees. It is to be read alongside the other policy documents; Information Governance Reporting, Procedure for the Management of Personal and Sensitive Information, and Electronic Information Security.

2. Corporate Responsibility for Data Protection and Information Governance

Senior Information Risk Owner

The SIRO for Creative Support is responsible for having overall accountability for Information Governance; this includes the Data Protection and Confidentiality functions. The role includes briefing the Board of Trustees and providing assurance through the Finance and Audit Committee that the IG approach is effective, that all IG-related incidents are reported and followed up appropriately and that where appropriate, SIRI’s are reported through the IG Toolkit.

Creative Support is not legally required to have a Data Protection Officer but the SIRO fulfils this function.

Caldicott Lead

The Caldicott Lead has responsibility for ensuring that there are adequate standards for protecting patient information and that all data transfers are undertaken in accordance with Safe Haven guidelines and the Caldicott principles

Information Governance Lead

The Information Governance Lead has day-to-day responsibility for implementing and monitoring procedures to ensure compliance with relevant information legislation.

The Information Governance Lead is responsible for coordinating and chairing the Information Governance Management Group and for the implementation of the IG Annual Improvement Plan.

3. Personally Identifiable Information

“Personal data”, or “personally identifiable information” (PII) is defined as any data that can be used to identify an individual person, either on its own or in conjunction with other accessible data on that individual. This definition includes digital information (such as an IP address) and can also extend to pseudonymised data, where this can still be linked to an individual.

As a social care provider and employer, Creative Support processes PII both on its employees and its service users. The control and processing of all such data is regulated by the Data Protection Act and GDPR. In 2018, Creative Support upgraded its payroll and HR computer systems using the iTrent cloud platform used for the processing of employee data, in addition to extending its use of services such as ECCO and Staff Plan, used in services for the processing of service user data and staff data in frontline support. This will ensure our legal compliance with new and existing data protection legislation and demonstrate our commitment to information security, transparency and quality assurance, in addition to protecting the rights of individuals with respect to their personal data.



Version 1.2


Approved by:

4. Individual Rights under Data Protection Legislation

Under the GDPR, all individuals (i.e. both employees and service users) have the following rights in relation to the processing of their personal information:

1. The right to be informed - Individuals have the right to be informed how and for what purposes their personal data will be processed. Full privacy notices will be issued to all staff and service users for this purpose.

2. The right of access - Individuals have the right to access their personal data and supplementary information, and to be made aware of and verify the lawfulness of the processing.

3. The right to rectification - Individuals have the right to have their personal data rectified if it is inaccurate or incomplete.

4. The right to erasure - Also known as ‘the right to be forgotten’. This is the right of individuals to request the deletion or removal of personal data where there are no compelling reasons for its continued processing.

5. The right to restrict processing - Individuals have the right to permit the storing of their personal data, but to restrict any further processing; for example when an individual contests its accuracy.

6. The right to data portability - Individuals have the right to obtain and reuse their personal data for their own purposes across different services.

7. The right to object - Individuals have the right to object to processing based on legitimate interests or the performance of a task in the public interests/exercise of official authority (including profiling), direct marketing, and the processing of their personal data for purposes of scientific/historical research and statistics.

8. Rights in relation to automated decision making and profiling. - These rights protect individuals from any automated decision making (i.e. decisions made solely by automated means without any human involvement, and profiling (i.e. automated processing of personal data to evaluate certain things about an individual.

Further information on these rights is available via the Information Commissioner’s Office at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

Creative Support have issued comprehensive privacy statements to all employees and service users, which explain how their rights will be protected, and the procedures that will be followed to ensure that the privacy of their personal data is protected at all times. The privacy statements are appended to this policy (Appendix 2) and can also be downloaded from http://www.creativesupport.co.uk/privacy-policy/

Privacy statements for service users are to be issued through admission procedures, and to employees at the point of enrolment.

5. The Legal Bases for Processing Data

The GDPR (Article 6) requires data controllers to specify their lawful basis for processing of personal data. Under the Data Protection Act 1998, Creative Support was able to process data on the basis of consent, with service users and staff having given their express permission for us as a social care provider/employer to do so. Under the GDPR (Article 7 and Recital 43), however, it is no longer permissible to use consent as a legal basis when this is given as a condition for the provision of a service or employment. This is because the consent cannot be regarded as freely given, “where there is a clear imbalance between the data subject and the controller” as exists between Creative Support and its employees and service users.

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

http://www.creativesupport.co.uk/privacy-policy/



Version 1.2


Approved by:

From 25th May 2018 Creative Support will, therefore, use the following legal bases for the processing of personal data:

1. Pursuant to GDPR Article 6(1)(b) that the processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract

2. With respect to sensitive categories of personal data, as defined in Article 9(1) of the GDPR, pursuant to GDPR Article 9(2)(h) that the processing is necessary for the provision of health or social care

3. With respect to the processing of personal data relating to criminal convictions and offences, pursuant to GDPR Article 10, processing is authorised by State law; namely the UK Data Protection Act 2018, Schedule 1, that the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection.

4. For all other information held, eg. Ex-employee information we will rely upon legitimate interests of the organisation pursuant to GDPR Article 6(1)(f)

Article 9 of the GDPR places restrictions on the processing of personal data revealing any of the following:

1. Racial or ethnic origin 2. Political opinions 3. Religious or philosophical beliefs 4. Trade union membership 5. Genetic data 6. Biometric data for the purpose of uniquely identifying a natural person 7. Data concerning health 8. Data concerning a natural person’s sex life or sexual orientation

These categories are classed as “special categories of data” that can be processed only if one or more of the following applies:

A. The data subject has given explicit consent to the processing of those personal data for one or more specified purposes

B. Processing is necessary for the purposes of carrying out the obligations of and exercising specific rights of the controller or of the data subject in the field of employment

C. Processing is necessary to protect the vital interests of the data subject (i.e. it is necessary to project their life) or of another natural person where the data subject is physically or legally incapable of giving consent

D. Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects

E. Processing relates to personal data which are manifestly made public by the data subject

F. Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity

G. Processing is necessary for reasons of substantial public interest H. Processing is necessary for the purposes of preventive or occupational medicine, for

the assessment of the working capacity of the employee, medical diagnosis, the



Version 1.2


Approved by:

provision of health or social care or treatment or the management of health or social care systems and services

I. Processing is necessary for reasons of public interest in the area of public health J. Processing is necessary for archiving purposes in the public interest, scientific or

historical research purposes or statistical purposes. The legal basis for processing these special categories of employee and service user data is outlined below.

Processing Special Categories of Employee Data

The special categories of personal data processed by Creative Support on its employees are; racial and ethnic origin, trade union membership, gender, and sexual orientation. Wherever employees or service users are asked to disclose data about these special categories of their data, the right to withhold this from Creative Support will be made explicit to them at the point of collection, and the consent to process it will likewise be requested when it has voluntarily been disclosed.

It is a legal requirement for Creative Support to submit information on its employees to the Skills for Care National Minimum Data Set (NMDS). Mandatory categories of data on the NMDS include gender, ethnicity and nationality. For each of these categories of data an “unknown” option is available. Where individuals have chosen not to disclose this data, this option will be used.

Although data submitted to the NMDS is pseudonymised (individual employees’ names are not included in the submission) personally identifiable information will also be processed internally by Creative Support’s Human Resources, Recruitment and Payroll departments

As an employer committed to the promotion of equal opportunities, Creative Support will request the consent of employees to process information on their sexual orientation, gender identity or expression, should they choose to disclose it. The processing of this information will be for the purposes of promoting equal opportunities through our status as a Stonewall “Diversity Champion”. Employees are under no legal or professional obligation, however, to disclose their sexual orientation, gender identity or expression to Creative Support, and their right to privacy in these matters will be respected and upheld.

Information on employees’ trade union membership is accessed only by the Payroll department for the purposes of processing subscription fees, and may be disclosed to members of the Human Resources department in disciplinary or grievance cases where employees have been offered the opportunity for union representation.

Processing Special Categories of Service User Data

As a care provider, Creative Support processes a substantial amount of personal information on our service users, recognising that vulnerable adults divulge such information to professionals that is often sensitive and painful. Accordingly, Creative Support will ensure that such information is always treated with respect, upholding the service user’s right to privacy, their personal dignity and protecting their best interests at all times.

Creative Support is lawfully permitted to process service user data pursuant to GDPR Article 9(2)(h) in that it is necessary to do so for the purposes of providing the services for which we are contracted, in order to fulfil our duty of care and to act in the best interests of individuals who may not always have the mental capacity to consent.

As a necessary component of providing holistic, personalised care services, Creative Support may collect sensitive data on our service users: in particular, racial or ethnic origin, political



Version 1.2


Approved by:

opinions, religious beliefs, data concerning health, and data concerning sex life and/or sexual orientation. What information is processed will vary relative to the identified care needs of each individual service user. Information that is not relevant to a service user’s identified needs will not be recorded.

6. Additional Legal Bases for the Processing of Service User Information.

There may be exceptional circumstances in which information will need to be shared with other professionals, where the conditions of GDPR Article 9(2)(h) do not apply. For example, when:

● A service user’s life is considered to be at risk ● Other people’s lives are considered to be at risk ● It is a requirement of a court order ● It is a requirement of law, or; ● It is in the public interest.

These circumstances are covered by Article 6, paragraph 1d and 1e of the GDPR, viz. “vital interests” and “public interest” respectively.

The main public interest justifications for the disclosure of health information are as follows (based on National Health Service Code of Practice 2003 and Department of Health Code of Practice 2005):

● For public accountability and monitoring purposes. ● Serious risks to the health of other individuals. ● Serious risk to public health. ● The reporting of adverse drug reactions. ● The prevention, detection or prosecution of serious crime. ● Disclosure to professional regulatory bodies (e.g. professional misconduct). ● Bona fide and approved clinical/scientific research and surveys.

Any requests for information from an external agency on the grounds of public interest should be treated with care, discussed with senior managers and fully documented. Depending on the nature of the request and the information requested, it may be necessary to arrange a review meeting with the relevant agencies involved.

Where a request for disclosure is made in relation to a serious crime, the following conditions must be satisfied:

● The crime must be sufficiently serious for the public interest in disclosure to prevail over the individual’s right to confidentiality.

● It must be established that without the disclosure the task of preventing or detecting the crime would be seriously prejudiced or delayed.

There is no absolute definition of “serious crime”. This policy therefore uses the definition of “serious arrestable offences” given in the Police and Criminal Evidence Act (1984) (section 116). These are offences which have caused or may cause:

● Serious interference with the administration of justice with the regard to the investigation of an offence.

● Death. ● Serious injury. ● Substantial financial loss or gain.

The disclosure of information to the police in order to comply with Creative Support’s Alcohol and Misuse of Drugs corporate policy is permissible with or without the expressed permission



Version 1.2


Approved by:

of the service user. If such information is to be shared this should only be done in consultation with the Service Manager.

In the event of a worker being made aware of information relating to possible or actual physical, sexual, financial or emotional abuse of children or vulnerable adults, they must report their concerns immediately to their line manager, and the relevant Service Director or on-call manager. Their concerns will be dealt with within the agreed Safeguarding Children & Young People policy/procedures or the Safeguarding of Adults at Risk policy, and in line with corresponding Local Authority safeguarding procedures, to which reference should be made in the report. The safety of children and vulnerable adults should always be given the highest priority and should override considerations of confidentiality.

If any member of staff feels that any of the situations outlined above apply, then it is essential that they discuss the matter with their line manager, duty manager, or any other senior member of staff.

7. Data Protection by Design

Any employee processing personally identifiable information for Creative Support must ensure that:

only the minimum necessary personal data is processed

that pseudonymisation is used wherever possible

that processing is transparent (where feasible, allowing individuals to monitor what is being done with their data)

“Pseudonymisation” refers to the use of other identifying data in place of individuals’ names (such as an employee number) where it is not necessary for that processing activity to disclose names, e.g. for the purposes of compiling reports or statistical information. Employees must “granularise” sets of personal data pertaining to more than ten individuals when these are being shared in any format (digital or hard copy). Large spreadsheets, lists and any other such sets of data should be broken down into smaller units such that any one transfer does not include information on more than ten individuals. This applies even if the data has also been pseudonymised. More details on the process of data protection by design can be found in the Procedure for the Management of Personal and Sensitive Information policy document.

8. Processing Data in Services: Principles of Privacy and Confidentiality

Service User Data

Creative Support will establish individual files for each service user, which the staff supporting the service user are responsible for maintaining. Records must be kept up to date and relevant, ensuring that each entry is signed and dated. Services using the ECCO system for recording service user information will follow the Mobile Device Policy and Electronic Information Security policy to ensure that service user data is kept secure.

Staff should avoid taking hard copies of service user files out of the office; although there may be exceptional circumstances where service user files need to be removed. In such cases, the agreement of the Service Manager must be sought before removing files from their usual



Version 1.2


Approved by:

location. Such instances should be documented by giving the name of the person taking the file, the service user’s name and expected date of return. If removing a file, copies of the front sheets or ‘grab sheets’ detailing essential information should be retained, so that staff working with the service user will have access to such information in the event of an emergency. When files are returned to their original location this also must be documented.

The confidentiality of service user files must be respected and maintained at all times. Paper files must not be left open on desks or around the office, and must be stored in a lockable cabinet when not being used. Digital files must be stored securely in accordance with the Electronic Information Security policy.

Letters and other information from external agencies (known as “third party information”) should be immediately date stamped and filed after reading. Third party information must be readily accessible to the relevant members of staff and should not be stored in places other than the main case file.

Access to a service user’s file is limited to the support worker(s), their line manager or those members of staff who are directly involved in the support of the service user, or to staff involved in the auditing of the service provided.

If a service user approaches a reception area or office expressing information of a personal nature, it should be made clear to them that there is a private interview space, if needed, and that personal information does not need to be given in a public area if they are not comfortable doing this.

Where possible, telephone calls should be passed directly to the member of staff who would most appropriately deal with the enquiry. If this is not possible, then a message should be taken, and passed to the member of staff in question. Where the information is personal this should be placed in an envelope marked ‘Private & Confidential’, dated and signed by the person taking the message. If a call is urgent and the relevant member of staff is not available, brief details should be taken, and then referred to the relevant line manager, on-call manager or other senior member of staff.

Service users who phone an office should be made aware that they do not have to give personal information over the phone, especially if they cannot speak to the person dealing with their case.

Please refer to the corporate Procedure for the Management of Personal and Sensitive Information for more details.

Employee data

Supervision files in services must be kept in a locked filing cabinet, with access restricted to the line manager, service manager and relevant administrative staff where appropriate.

Staff telephone numbers and addresses must not be kept in any accessible phone books or card indexes on view in the service. If an emergency call comes in for a member of staff or service user, the person taking the call should take the message and contact the person concerned directly. If enquiries are made about a member of staff the enquirer's name should be taken and the member of staff informed. Staff are instructed never to give out staff or service user telephone numbers or addresses where there is doubt as to the enquirer’s identity, or to whether the individual has consented to their personal information being shared. If staff have any doubts as to what action they should take, they should pass the query to their line manager or a member of the Human Resources Team during normal office hours, or to the relevant on call or the Out of Hours service at any other time.



Version 1.2


Approved by:

Sick notes are confidential documents and should be handed to a line manager, Payroll, or a member of the Human Resources Team, in a sealed envelope marked “Private & Confidential”.

Enquiries from statutory authorities for information about staff (e.g. Police), should always be referred to the Human Resources Department or the relevant line manager/Service Director.

9. Subject Access Requests

Creative Support is committed to working in an open and honest manner with our service users and employees. As per Article 15 and Recital 63 of the GDPR, data subjects have, “the right of access to [their] personal data...and to exercise that right easily and at reasonable intervals, in order to be made aware of, and verify, the lawfulness of the processing”. This right will be protected and upheld for all employees and service users as described below.

Employee Data

Employees may request to see their personal data that is processed by Creative Support, and to know our reasons for doing so. This is called a “subject access request”, which an employee can make by submitting a Request for a Copy of Information Held on an Individual form (Appendix 1) to the organisation’s the Data Protection Lead or the Personnel Manager.

Information requested by the employee will be provided as soon as possible and no later than one month after the receipt of the form named above. We aim to provide a copy of the data requested within five working days of receipt of the written request. If you have any particular needs, we will endeavour to provide the information you have requested in an accessible format (e.g. providing large print copies for those with sight loss).

Employees making subject access requests must specify when making their request specifically which items of personal data it is they wish to see.

There will be no charge to the employee for making a subject access request, unless the request is manifestly unfounded, excessive or repetitive, in which case a fee may be charged.

In April 2018, Creative Support launched a new Payroll and HR system, using the iTrent cloud platform, which allows individual employees to be able securely to access their personal data controlled by Creative Support. Employees will be able to access their personal data to confirm its accuracy, to rectify any errors or update changes as they occur.

Employee data contained in confidential references or Disclosure and Barring Service (DBS) Checks

Creative Support uses the Disclosure & Barring Service (DBS) to help assess the suitability of applications for positions of trust. Creative Support complies fully with the DBS code of practice and care standards recruitment requirements.

Disclosure information is never kept on an applicant’s personnel file and is stored separately and securely in a lockable, not portable, storage cabinet. Access to the cabinet and information stored within is strictly controlled and limited to those who are entitled to access as part of their duties. For further information, please refer to the corporate policy, Secure Storage, Use and Retention of Disclosure Information.

Confidential references received by Creative Support are not exempt from data subject access requests. However, in deciding whether to disclose information, it is necessary also to consider



Version 1.2


Approved by:

the data privacy rights of the referee. Information contained in or about a confidential reference need not be provided if the release of the information would identify an individual referee unless:

● The referee has given his or her consent ● The identity of the referee can be protected by anonymising the information ● It is reasonable in all the circumstances to release the information without consent.

Even if a referee states that they do not want their comments to be shared, we are obliged to provide the reference to the subject if it is reasonable in all the circumstances to comply with the request without the referee’s consent. In considering whether it is reasonable, the Information Commissioner’s Office (ICO) advises that, as data controllers, we should take account of factors such as:

● Whether the referee was given express assurances of confidentiality ● Any relevant reasons the referee gives for withholding consent ● The potential or actual effect of the reference on the individual ● The fact that a reference must be truthful and accurate and that without access to it

the individual is not in a position to challenge its accuracy ● That good employment practice suggests that an employee should have already been

advised of any weaknesses ● Any risk to the referee.

Creative Support cannot refuse to disclose information from a confidential reference without giving a reason.

If disclosure of a reference would identify only the organisation that has given the reference rather than a specific individual, disclosure would not be an issue.

If a subject access request is received for information contained in a confidential reference that has been sent or received internally, it will be treated in the same way as a reference from an external referee. Internal references are not exempt from data subject access.

Service User Data

Service users may access their own case files on request (with the exception of third party information, assessments and other documents which draw on third party information), providing notice is given. The relevant line manager must be notified whenever the service user requests access to their file. Access will normally be arranged within 72 hours. In practice we may be able to respond to requests much more quickly. Reasons for delay may include:

● Waiting for a key worker to be on duty. ● Ensuring the service user is suitably prepared. ● Ensuring that someone is available to discuss the contents with the person if

necessary. A member of staff will remain with the service user while they are reading their file. If any recorded information is challenged by the service user, the information should not be removed but the objection will be recorded and the matter referred to the line manager who will take the appropriate action. Third party information, including information made available verbally and subsequently recorded in the file, can be shared with service users, only with the explicit consent of the



Version 1.2


Approved by:

originator of that information, which should be in writing and should specify exactly with whom the information can be shared.

It may not always be possible to disclose to service users all information kept on file. This particularly applies to third party information (in the event that the agency or individual has not given us permission) or because an individual could be put at risk by sharing information. There may also be some circumstances under which it is not appropriate to disclose some information in a service user’s file to the individual concerned, for example when it is possible that this may have a negative impact on that person’s mental health or wellbeing.

If a service user wishes to retain copies of any information this should be agreed, although permission must be granted by the third parties for third party information.

10. Sharing personally identifiable information with third parties.

In the processing and sharing of service user and employee data with other professionals, we are guided by the seven “Caldicott Principles” as given in the Report on the Review of Patient-Identifiable Information (DOH, 1997) and the subsequent report, The Information Governance Review: To Share or Not to Share (DOH, 2013). These principles are:

● Principle 1 - Justify the purpose(s) for using confidential information. Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed, by an appropriate guardian.

● Principle 2 - Don't use personal confidential data unless it is absolutely necessary. Personal confidential data items should not be included unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).

● Principle 3 - Use the minimum necessary personal confidential data. Where use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified so that the minimum amount of personal confidential data is transferred or accessible as is necessary for a given function to be carried out.

● Principle 4 - Access to personal confidential data should be on a strict need-to-know basis. Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the data items that they need to see. This may mean introducing access controls or splitting data flows where one data flow is used for several purposes.

● Principle 5 - Everyone with access to personal confidential data should be aware of their responsibilities. Action should be taken to ensure that those handling personal confidential data - both clinical and non-clinical staff - are made fully aware of their responsibilities and obligations to respect patient confidentiality.

● Principle 6 - Comply with the law. Every use of personal confidential data must be lawful. Someone in each organisation handling personal confidential data should be responsible for ensuring that the organisation complies with legal requirements.

● Principle 7 - The duty to share information can be as important as the duty to protect patient confidentiality. Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

All requests made to Creative Support employees regarding service users should be considered in the light of these principles.



Version 1.2


Approved by:

When requests for service user information are made verbally, the third party should be asked for their full name, job title, phone number and office location, and for the precise reason for requesting such information. If any doubt as to what is the appropriate action to take, staff should seek guidance from their supervisor, on call service or Service manager. Before divulging any information, staff should take care to identify the caller (for example, by ringing back a social worker - having checked the authenticity of the phone number - or by checking the person’s identity with a duty manager of the social worker’s office). These steps should take only a few minutes and should not obstruct enquiries of an urgent nature. Most professionals and agencies will understand and respect the member of staff who politely explains the need to work within the law and the terms of Creative Support policy in this regard. All police requests for information regarding a service user should immediately be referred to the staff member’s line manager, on call service, or the Out of Hours service. In some cases it will be appropriate for the line manager to consult with other professionals involved in the service user’s care (e.g. consultant psychiatrist or social worker) before making a decision as to whether information should be disclosed. Refer to the corporate policy, Police Enquiries - How to Respond for more information. 11. Principles of Information Governance

Creative Support recognises the need for an appropriate balance between openness and confidentiality in the management and use of information, while seeking to work within the legal framework as outlined above. Creative Support recognises the duty to share accurate information with other health organisations and other agencies in a secure and legally compliant manner consistent with the interests of employees and service users, and in some circumstances, the public interest. Equally important is the need to ensure high standards of data protection and confidentiality to safeguard personal and sensitive (including commercially sensitive) information. Underpinning this is the integrity needed for electronic and paper information to be accurate, relevant, and available to those who need it.

Staff must ensure at all times that high standards of data quality, data protection, integrity, confidentiality and records management are met in compliance with the relevant legislation and NHS guidance. It is the responsibility of all staff to familiarise themselves with this policy and adhere to its principles.

There are four key interlinked strands to the Information Governance policy:

● Openness ● Legal Compliance ● Information Security ● Quality Assurance

Openness

Non-confidential information on Creative Support and its services will be made available to the public through a variety of media, in line with Creative Support’s code of openness.

Creative Support will establish and maintain policies to ensure compliance with the Freedom of Information Act.

Service users will be able to exercise their right to access information relating to their own health and social care and their rights as service users (Please refer to section 8 above).



Version 1.2


Approved by:

Creative Support will have clear procedures and arrangements for liaison with the press and broadcasting media.

Creative Support will have clear procedures and arrangements for handling queries from service users, the public, and other parties.

Legal Compliance

Creative Support regards all identifiable personal information relating to service users as confidential.

Creative Support regards all identifiable personal information relating to staff as confidential except where national policy on accountability and openness requires otherwise.

Creative Support will establish and maintain policies to ensure compliance with the GDPR, the Data Protection Act, Human Rights Act, common law confidentiality and other relevant legal codes and requirements.

Creative Support will establish and maintain policies for the controlled and appropriate sharing of service user information with other agencies, taking account of relevant legislation (e.g. Health and Social Care Act, Crime and Disorder Act, Protection of Children Act).

Information Security

Creative Support will establish and maintain policies for the effective and secure management of its information assets and resources.

Creative Support will promote effective confidentiality and security practice to its staff through policies and training.

Creative Support will undertake an annual review of its information security and business continuity arrangements and this will be reported to the Board of Trustees.

Creative Support will establish and maintain incident reporting procedures and will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security. Creative Support will ensure all IG incidents which are assessed as potential Serious Incidents Requesting Investigation (SIRI) and are reported through the Information Governance Toolkit and/or the Information Commissioner’s Office (ICO) as appropriate. Refer to the separate Information Governance Reporting policy for more information.

Information Quality Assurance

Creative Support will establish and maintain policies and procedures for information quality assurance and the effective management of records.

Managers are expected to take ownership of, and seek to improve, the accuracy and quality of information within their services, with due regard to the information functions and service delivery requirements. It is expected that managers in services will routinely audit service user and staff information stored locally for accuracy, consistency and relevance.

Wherever possible, information quality should be assured at the point of collection. Data standards will be set through clear and consistent definition of data items, in accordance with national standards. Creative Support will promote information quality and effective records management through policies, procedures/user manuals and training. Refer to the separate Procedure for the Management of Personal and Sensitive Information for more details.



Version 1.2


Approved by:

12. Information Governance Management

The framework for the management of Information Governance combines both corporate and clinical governance, and as such is wider in scope than data protection, also incorporating records management, information risk, information security, risk management, and business continuity.

Creative Support operates an Information Governance Management Group (IGMG) which meets regularly to design, implement and monitor policies and procedures that ensure compliance with the standards of the DSP Toolkit across the organisation. The IGMG is chaired by a Service Director and the IG Lead, and reports to the bi-monthly Finance and Audit Committee. The Board of Trustees will have overall responsibility for Information Governance, and will formally endorse Creative Support’s annual IG improvement plan.

The implementation of IG-related policies and the annual IG improvement plan will be carried out across Creative Support by all involved staff and will be led by the Information Governance Lead, the Senior Information Risk Officer, the Caldicott Guardian and supporting teams. This work will be co-ordinated by the IGMG.

The IGMG submitted its self-assessment for compliance with Level 2 of the Information Governance Toolkit (IGT) standards in January 2018, and in demonstration of our commitment to continuous improvement in all areas of Information Governance is working towards full compliance with the new Data Security and Protection Toolkit (which replaces the IG Toolkit) in 2018-19.

The DSP is an annual self-assessment tool which is undertaken in relation to a set of defined standards. These standards are:

● There is senior ownership of data security and protection within the organisation. ● There are clear data security and protection policies in place and these are understood

by staff and available to the public. ● Individuals’ rights are respected and supported (GDPR Art 12-22) ● Records of processing activities are documented for all uses and flows of personal

information (GDPR Article 30) ● Personal information is used and shared lawfully. ● The use of personal information is subject to data protection by design and by default ● Effective data quality controls are in place ● Personal information processed by the organisation is adequate (and not excessive)

for the purposes. ● There is a clear understanding of what Personal Confidential Information is held. ● Personal Confidential Information is processed/shared legally and securely. ● Staff are supported in understanding their obligations under the National Data

Guardian’s Data Security Standards. ● There has been an assessment of data security and protection training needs across

the organisation. ● Staff receive suitable data security and protection training. ● Staff pass the data security and protection mandatory test. ● Staff with specialist roles receive data security and protection training suitable to their

role. ● Leaders and board members receive suitable data protection and security training. ● The organisation maintains a current record of staff and their roles. ● Staff roles are linked to IT accounts. Staff moves in, out or across the organisation are

reflected by IT accounts administration.



Version 1.2


Approved by:

● All staff understand that their activities on IT systems will be monitored and recorded for security purposes.

● Process reviews are held at least once per year. ● Participation in reviews is comprehensive, and clinicians are actively involved. ● Action is taken to address problem processes as a result of feedback at meetings or

in year. ● A confidential system for reporting security breaches and near misses is in place and

actively used. ● Users know how to spot an incident and where to report it, and incidents are effectively

reported. ● All user devices are subject to anti-virus protections while email services benefit from

spam filtering deployed at the corporate gateway. ● Known vulnerabilities are acted on based on advice from CareCERT, and lessons are

learned from previous incidents and near misses. ● There is a continuity plan in place for data security incidents, and staff understand how

to put this into action. ● There is an effective annual test of the continuity plan for data security incidents. ● All software has been surveyed to understand if it is supported and up to date. ● Unsupported software is categorised and documented, and data security risks are

identified and managed. ● Supported systems are kept up-to-date with the latest security patches. ● All networking components have had their default passwords changed. ● Web applications owned by the organisation are secured against OWASP Top 10

vulnerabilities. ● All organisations receive a penetration test annually, whether commercially sourced or

in-house. The scope of the pen-test is articulated to the SIRO and signed by them. ● A data security improvement plan has been put in place on the basis of the assessment

and has been approved by the SIRO. ● The organisation can name its suppliers, the products and services they deliver and

the contract durations. ● Basic due diligence has been undertaken against each supplier according to ICO and

NHS Digital guidance. ● All disputes between the organisation and its suppliers have been recorded and any

risks posed to data security have been documented. Further information on each of these standards is available at the DSP Toolkit website at https://www.dsptoolkit.nhs.uk/

The DSP Toolkit will be used by Creative Support to conduct a baseline audit and construct action plans to ensure future IG compliance and continuous improvement. The work programmes in individual areas will be created by adherence to the IGT standards and to the national standards appropriate to the specific field of activity.

https://www.dsptoolkit.nhs.uk/

APPENDIX 1

REQUEST FOR A COPY OF INFORMATION

HELD ON AN INDIVIDUAL

REQUEST FOR A COPY OF INFORMATION HELD ON AN INDIVIDUAL

As part of Creative Support’s compliance with the Data Protection legislation, each person who has a relationship with the company has the right to be provided with a copy of the current personal information held on them for data processing.

We will endeavour to provide a copy of the data requested within five working days of receipt of the written request; some requests may require more time to collate all the information. In all instances we will respond promptly and in any event no later than one month from receipt of the written request, as stipulated in the legislation.

Please read the policy on Data Protection and Information Governance (and appended privacy statement) which lists all the types of personal data that may be held on you.

Please complete this form and submit to either Julie Cooke, Service Director, or the Personnel Manager. This request will be processed and therefore comes under the provisions for data processing, to which you are giving your explicit consent.

Your Name:

____________________________________________________________________

The Data/information of which you require a copy:

Your signature: Date: Date received by Head Office: Considered by: Date: Outcome:

APPENDIX 2

PRIVACY STATEMENTS

Version 2 March 2019

Privacy Statement for Creative Support Employees

Why we process your personal data

As of 25th May 2018, Creative Support exercises its right under the General Data Protection Regulation

(GDPR) and UK Data Protection Act 2018 to control and process personal information about its

employees. We process this data as it is necessary to perform the contract of employment held

between Creative Support and its employees.

Your privacy is of the utmost importance to us, and data protection is built into our processing at every

stage. This means that while we do not require your consent in order to process your personal data,

we will only retain and use personal data when we have a legally justifiable reason for doing so that

balances our interests as an employer with your rights as an employee.

Your personal data is shared only with those departments within Head Office, and external

organisations who also have a legal basis for using it in order to fulfil our obligations to you as an

employee. We never sell or share your information with any organisations for marketing purposes.

Creative Support do not use your personal data for any automatic profiling or decision making.

Your rights

You have the right to see what personal information Creative Support processes about you, and to

know our reasons for doing so. In turn, Creative Support has an obligation to keep information about

you accurate and up-to-date. If you become aware of any information we hold about you that is

inaccurate, or if any of your personal details have recently changed, please notify us and we will

update our records accordingly.

You have the right to request to see all your personal information that Creative Support records and

processes, using a “Request for Copy of Information Held on an Individual” form appended to the

corporate Data Protection and Information Governance policy.

You have the right to “data portability” with respect to your personal information, which means that

you may request for it to be sent to you in a format that can be moved, transferred or copied across

different services.

The types of personal information we process include:

● personal details, i.e. names, addresses, contact numbers, date of birth ● family details, i.e. marital status, next of kin and emergency contacts (including your GP) ● nationality ● whether you have a current driver’s licence ● whether you are registered as disabled ● bank account details


We also process sensitive categories of personal information that may include:

● racial and ethnic origin ● trade union membership ● information about your mental or physical health, insofar as this pertains to your job role ● sexual orientation

Creative Support will not record or process information about your political or religious opinions,

philosophical beliefs, sexual orientation or gender identity, or any other categories of personal

information named in Article 9 of the GDPR, except where you have disclosed this information and

given us your explicit consent to record and process it.

You have the right to “data portability” with respect to your personal information, which means that

you may request for it to be sent to you in a format that can be moved, transferred or copied across

different services. Creative Support will not transfer any of your personal data outside of the European

Union.

How we protect your personal data

The information we keep on you is held securely whether it is held in paper or digital formats. Hard

copies of personal information are stored in secure offices. Information that is held digitally is kept

securely and can be accessed only by the Creative Support employees who are specifically involved

with that aspect of your employment.

The digital systems we may use to process and share your personal data may include one or more of

the following:

Microsoft Office StaffPlan

Ecco OneTouch Egress

Airtable

All of these systems have been assessed to check that they are secure and fully compliant with data

protection legislation, in the interests of protecting your personal data. Further information can be

found in our corporate policies, Data Protection and Information Governance and Management and

Archiving of Records.

Volunteers

We also process the personal data of individuals who work for Creative Support as volunteers. If you

are a volunteer who does not receive support from Creative Support, the only personal data of yours

we will process will be what we collected from you when you applied to become a volunteer. If you

volunteer for us while also receiving Creative Support services, the Volunteers Team will process only

the personal data you provided to them, and not any additional personal data that your Creative

Support carers have on record in order to support you.


How to contact us

Creative Support’s Senior Information Risk Owner is Julie Cooke, Service Director, whose contact

details are as follows:

Wellington House 131 Wellington Road Stockport SK1 3TS Phone: 0161 236 0829 Email: [email protected] You may also wish to contact a member of the Information Governance Team at

[email protected] if you have any general queries about how your personal data is processed

and protected.

You have the right to log a complaint with the Information Commissioner’s Office (ICO) if you have

any concerns about the way that Creative Support is using your personal data. More information can

be found at the ICO’s website at https://ico.org.uk/concerns/ or by calling their helpline on 0303 123

1113.

mailto:[email protected]


https://ico.org.uk/concerns/

Version 2

March 2019

Privacy Statement for Creative Support Service Users

Why we process your personal data

Creative Support processes information about you to enable us to deliver health and social care to

you. This means that we will only collect information about you that we need to know in order to

provide our services.

The information we collect about you may include your full name, address, contact information, next

of kin or emergency contact information, information about your medical history, diagnosis, housing

history, and historical and current support needs. What information we record will depend on your

individual needs.

We may also need to share information about you with other people or organisations involved in your

care; for example, your GP, other medical professionals, Social Worker, appointee or housing provider.

Again, this information is only ever shared when it is in your interests as a service user towards whom

Creative Support has a duty of care.

We take your privacy very seriously and will never disclose any of your personal information to anyone

who does not also have a justifiable reason for using it. We will never sell or give your information to

any third parties for marketing or profiling purposes, or for the purposes of any automatic profiling.

We will not transfer your information outside of the European Union for any purpose.

Your rights

You have the right to know which other organisations we share your information with and the reasons

for doing so. A member of staff in your Creative Support service will be able to provide you with the

details about other organisations with which we share your information.

In some cases, Creative Support or another organisation may be authorised to act as your appointee

(meaning that they support you with managing your money and benefits). This may involve us sharing

your tenancy agreement, budget information, requisitions and bills, bank statements and benefit

letters with your appointee.

You have the right to ask us to keep the information we hold on you up-to-date. If any of your personal

circumstances change, or you think we may be holding information on you that is incorrect, please

notify a member of Creative Support staff in your service.

If you wish to see a copy of the information that Creative Support records on you, you have the right

to do so and may submit a “Request for a Copy of Information Held on an Individual” form, which is

available on request.

Version 2

March 2019

How we protect your personal data

The information we keep on you is held securely whether it is held in paper or digital formats. Hard

copies of personal information are stored in secure offices either onsite at your residence or in the

local Creative Support office. Information that is held digitally is kept securely and can be accessed

only by the Creative Support staff involved in your care.

The digital systems we may use to process and share your personal data may include one or more of

the following:

Microsoft Office StaffPlan

Ecco OneTouch Egress

Airtable

All of these systems have been assessed to check that they are secure and fully compliant with data

protection legislation, in the interests of protecting your personal data. The Creative Support staff

who support you will be able to tell you about which of these electronic systems are used for

processing your personal data.

Volunteers

We also process the personal data of individuals who work for Creative Support as volunteers. If you

are a volunteer who does not receive support from Creative Support, the only personal data of yours

we will process will be what we collected from you when you applied to become a volunteer. If you

volunteer for us while also receiving Creative Support services, the Volunteers Team will process only

the personal data you provided to them, and not any additional personal data that your Creative

Support carers have on record in order to support you.

How to contact us

Creative Support’s Senior Information Risk Owner is Julie Cooke, Service Director, whose contact

details are as follows:

Wellington House 131 Wellington Road Stockport SK1 3TS Phone: 0161 236 0829 Email: [email protected]


Version 2

March 2019

You have the right to log a complaint with the Information Commissioner’s Office (ICO) if you have

any concerns about the way that Creative Support is using your personal information. More

information can be found at the ICO’s website at https://ico.org.uk/concerns/ or by calling their

helpline on 0303 123 1113.

More information about how and why we process your information, as well as how we securely

archive and later dispose of your information can be found in our corporate policies, Data Protection

and Information Governance and Records Management and Archiving. If you wish to see a copy of

these policies, you can request them from a member of Creative Support staff service, by phoning

0161 236 0829 or emailing [email protected] If you would like to know more about how

and why we process your personal data, and the measures we have in place to ensure that it is

processed securely and protected, you may also contact of member of the Information Governance

team at the number above or by email at [email protected]

https://ico.org.uk/concerns/



data protection and information governance · 2019-07-18 · data protection and information...

Documents