
Dr Berni Rogers
Dr Shelley Carter
Dr Kate Smeaton
Dr Amanda Betsworth
Dr Lisa Maplesden
Practice Manager Fiona Francis

Data Protection and Confidentiality Policy

1. Relevant To

1.1 This policy is relevant to all employees of Littledown Surgery, including staff on honorary contracts, volunteers and third party contractors who process person identifiable information.

2. Introduction

2.1 This Policy is required in order to inform on the lawfulness and security of personal information, in line with the General Data Protection Regulation 2016, the Data Protection Act 2018 and Common Law Duty of Confidentiality.

2.2 This Policy provides staff with guidance on processing information in accordance with the principles and legal obligations of the Data Protection Act 2018, Confidentiality NHS Code of Practice, Caldicott Report 1997, Caldicott Review 2013 and National Data Guardian’s Review on Data Security, Consent and Opt-Outs.

2.3 This Policy also encompasses the Records Management Code of Practice for Health and Social Care 2016, which sets out the legal and professional responsibility of all staff in relation to the creation, use, storage and disposal of records in the performance of their duties. 

2.4 Staff should be aware that all records are public records, including email, and may be subject to Subject Access Requests and Freedom of Information requests.

3. Scope

3.1 This policy aims to inform staff of appropriate use of personal information and their responsibilities.

4. Purpose

4.1 The purpose of this policy is to:

  • promote best practice in the processing of personal identifiable data;
  • ensure that all staff are appropriately trained in the management of personal identifiable data;
  • outline the procedure for reporting and investigating suspected breaches of confidentiality and/or loss or theft of personal data;
  • provide assurance to patients, staff and general public that personal identifiable data is processed lawfully and held securely.

5. Confidentiality

5.1 During the course of their work staff will routinely have access to patient identifiable information, whether verbal, written or electronic.  Everyone working within the NHS has a legal duty to keep information confidential and such information must not be disclosed or discussed except to authorised personnel on a ‘need to know’ basis.

5.2 Health care information is collected from patients in confidence and attracts a legal duty of confidence until it has been effectively anonymised.  This legal duty, established under common law, prohibits information use or disclosure without consent.  Such consent may be explicit but is more likely to be implied, e.g. referring a patient onwards for care from another provider.  The common law duty of consent applies only to the information which attracts the common law duty of confidentiality and should not be confused with consent as lawful basis for processing personal information found within the Data Protection Legislation.

5.3 At the time of creating a record, staff should ascertain from the patient which relatives, friends or carers can receive information regarding their condition and those who they do not give permission to receive information.  This should be clearly documented within the patient’s health record where required.  Where relatives and carers are heavily involved in the patient’s care, staff should ascertain to what level they should continue to be informed.

5.4 The Confidentiality NHS Code of Practice states: “It is extremely important that patients are made aware of the information disclosures that must take place in order to provide them with high quality healthcare. In particular, Clinical Governance and Clinical Audit, which are wholly proper components of healthcare provision, might not be obvious to patients and should be drawn to their attention.”  Patient information leaflets and the Organisation’s Privacy Notice should fulfil the organisation’s obligation under the Confidentiality NHS Code of Practice as well as the concept of ‘Transparency’ under Article 5(1)(a) General Data Protection Regulation.

5.5 The disclosure and use of confidential patient information needs to be both lawful and ethical, detailed in s.12 of the Confidentiality Code of Practice.  A confidentiality model adapted from the Confidentiality NHS Code of Practice can be found at Appendix C.

5.6 Safeguards that are put in place to help protect confidentiality are commonly referred to as ‘Safe Haven Procedures’.  Guidance on the secure transfer of information can be found at Appendix D.  Where the sharing of information is available through a more secure electronic process, this should be favoured over older, more outdated processes.

6. Confidentiality and Young People

6.1 The principles of confidentiality apply equally to all patients regardless of age. Young people (including those under 16), male or female, are entitled to the same confidentiality as all other patients. This includes respecting their wishes to withhold information from parents or guardians. The GP involved will determine the competency of a young person seeking treatment and will determine the extent to which confidentiality guidelines apply in each case.  Care must be taken to ensure that this right of confidentiality is not inadvertently breached by following the procedural guidelines in force.

6.2 It is generally recognised that parents will accompany children up to 13 years of age; many will continue to do so past this age, but the clinician can check if they are happy to have the parent there.

6.3 A person between the ages of 14 and 16 can come and see a clinician alone. However, a clinician must believe that they are capable of understanding the choices of treatment and their consequences. This includes contraceptive advice, but the principles apply to other treatments, including abortion.  The clinician will document that the young person was seen on their own and that they are judged to be competent as per the Fraser Guidelines and Gillick Competency detailed below.

6.4 The policy of the Practice is to support young people in exercising their choice of medical treatment, and to deal with them in a sympathetic and confidential manner. Where a young person presents at the surgery without adult support they may be booked in to see a clinician in the normal way. Where there is some question of the urgency of an appointment the matter should be referred to a doctor or nurse to triage the request.

6.5 The Fraser guidelines apply more in the treatment of contraceptive advice and care for girls.

  • The Clinician must be satisfied that the girl understands the advice given.
  • That he cannot persuade her to inform the parents.
  • That she is likely to continue having sexual intercourse with or without contraceptive treatment.

6.6 The Gillick Competency in brief is as follows:- 

It is not enough that she should understand the nature of the advice which is being given but she should be sufficiently mature to understand it.

It is also commonly believed that “the parental right yields to the child’s right to make their own decisions when they reach a sufficient understanding and intelligence to be capable of making up their own mind on the matter requiring decision”.

7. Data Protection

7.1 Data Protection legislation is derived from the General Data Protection Regulation (GDPR) 2016/679 and the Data Protection Act (DPA) 2018.  This legislation provides the Data Protection principles, lawful bases for processing, subject access rights and the requirements for transfers of data to third countries.

7.2  Article 5(1) of the GDPR provides six data protection principles to be upheld:

a) data shall be processed lawfully, fairly and in a transparent manner;

b) data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific, historical research purposes or statistical purposes shall (in accordance with Article 89(1)) not be considered to be incompatible with the initial purposes;

c) data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation);

d) data shall be accurate and where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e) data are kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes (in accordance with Article 89(1)) subject to implementation of the appropriate technical and organisational measures required in order to safeguard the rights and freedoms of the data subject;

f) data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality).

7.3 Article 89(1) specifies “processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject”.  This requires ensuring that there are technical and organisational measures in place which respect and uphold the concept of data minimisation and where purposes can be fulfilled with data that uses pseudonymisation or other data minimisation techniques, they should be used. Guidance on pseudonymisation and anonymisation techniques can be found in Appendix E.

7.4 Article 5(2) of the GDPR provides that the controller shall be responsible for, and be able to demonstrate compliance with, Article 5(1).

Principle One: Lawful processing

7.5 For processing of personal data to be lawful (Article 5(1)(a)) it must meet one of the requirements within Article 6(1):

a) consent for data to be used for one or more specific purposes;

b) processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into the contract;

c) processing is necessary for compliance with a legal obligation to which the controller is subject;

d) processing is necessary in order to protect the vital interests of the data subject or another natural (living) person;

e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

7.6 For processing of special categories of data to be lawful (Article 5(1)(a)) it must meet one of the requirements within Article 9(2):

a) explicit consent for one or more specified purposes;

b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law;

c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

d) processing is carried out in the course of legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on the condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside of that body without the consent of the data subjects;

e) processing relates to personal data which are manifestly made public by the data subject;

f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

g) processing is necessary for reasons of substantial public interest which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject;

h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health and social care systems and services, or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in Article 9(2)(3); (i) Personal data may be processed for such purposes when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Member state law or established by national competent bodies or by another person also subject to an obligation of secrecy;

i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Member state laws which provide suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

7.7 Although ‘Consent’ is listed as a lawful basis for processing both personal and special categories of data, Recital 43 makes it clear that Public Authorities should not be relying on consent due to the imbalance of power between the data subject and the data controller: “In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation.”

Principle Two: Specified, explicit and legitimate purposes

7.8 The Practice, as a Data Controller, is required to specify the purposes of processing data e.g. for the provision and administration of Healthcare, what data is to be included and to whom it will be disclosed. 

7.9 In doing so, the Practice has to consider the data that it requires and is obliged to notify and register its collection purposes with the Information Commissioner.  The current processes that the Practice has registered with the ICO are:

a) staff administration;

b) accounts and records;

c) health administration and services;

d) public health;

7.10 Should any member of staff be processing personal data for any purpose other than those listed then they should immediately inform the Data Protection Officer.

Principle Three: Adequate, relevant and limited to what is necessary

7.11 The minimum amount of data necessary and proportionate for the purpose(s) of processing should be collected.

Principle Four: Accurate and up to date

7.12  All reasonable steps should be taken to ensure that data is legible, accurate, complete, timely and complies with the Records Management Code of Practice for Health and Social Care.

Principle Five: Not kept for longer than is necessary

7.13 The Practice Manager is responsible for the overall management and confidential disposal of staff records and should review personnel files regularly and ensure that staff records are maintained and, where relevant, summary files are created, confidentially disposing of any information which is no longer required.

7.14 The Assistant Practice Manager is responsible for the overall management and confidential disposal of Health Records, in line with the Records Management Code of Practice for Health and Social Care, ensuring that appropriate procedures are in place for the transfer of deducted records.

Principle Six: Appropriate Security

7.15 The Practice has technical safeguards in place, such as secure email, encryption, Anti-Virus products and regular external penetration testing.

8. Rights of Data Subject Access

The right of subject access

8.1 Under Article 15 GDPR 2016, Data Subjects have the right of access to information about them held by a Data Controller.  A data subject (patient or staff) has the right to request confirmation as to whether information is being processed and if so:

a) the purpose of the processing;

b) the categories of personal data concerned;

c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular any third countries or international organisations;

d) where possible, the envisaged period for which the personal data will be stored and the criteria which determine that period;

e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing personal data concerning the data subject or to object to such processing;

f) the right to lodge a complaint with the supervisory body;

g) where the personal data are not collected from the data subject, any available information as to their source;

h) the existence of automated decision-making and if it exists, meaningful information about the logic involved and the significance of the envisaged consequences of such processing.

8.2 This information is contained within the Practice’s Privacy Notice.

8.3 Article 15 also provides data subjects with the right to obtain a copy of the personal data undergoing processing and requires a response within one month of the receipt of the request, free of charge, in an intelligible format.  The Subject Access Policy can be found on TeamNet. 

8.4 Staff should not be exercising their right of access by using the Practice’s clinical or employment systems to view their own records or those of friends and family and should instead follow the same procedure as any other patient or employee without access to systems.

8.5 Staff should not place pressure on colleagues or use workarounds to try and navigate the system in order to obtain results or appointments faster; this would not only breach data protection principles but would also breach the Practice’s NHS Contract.  Misuse of information and access to systems in this way would constitute misconduct as per the Practice’s Disciplinary Policy and could result in dismissal, prosecution for the individual under s.170 of the Data Protection Act 2018, and potential enforcement / contractual implications for the Practice.

8.6 The period of response for a subject access request can be extended by two further months if necessary where there is, for example, complicated post-processing of information required to make the data intelligible or to identify the data subject. Where the deadline is extended the data subject must be informed, within the original one-month timeframe, with an explanation of the delay.

8.7 Where a request is deemed to be “unfounded or excessive” the controller has the right to refuse an information request or to charge a “reasonable fee” to cover the resulting administrative costs.  The data subject should be informed, within the one-month time period, of the reasons for not taking action or for charging a fee.  Guidance on unfounded and excessive requests can be found in Appendix F.

8.8 Requests can be refused and/or redacted where granting access would disclose information likely to cause serious harm to the physical or mental health of the patient or another individual and the data subject does not already know the information.  Any redactions should be approved by the Caldicott Guardian or the patient’s GP.  Requests can also be refused and/or redacted where granting access would disclose information which the Practice is not the data controller of, or information relating to or provided by a third party who could be identified from that information and has not provided consent for the release of the information.

8.9 This does not apply to health professionals who have compiled, or contributed to, either the record or the individual’s care.  Schedule 2, Part 3, Section 17(1) of the Data Protection Act 2018 provides an exemption for the processing of third party personal data where the health data test is met.  The Health Data test is met whereby the information in question is contained within a health record and the third party is a health professional who has compiled or contributed to the health record or who, in his or her capacity as a health professional, has been involved in the diagnosis, care or treatment of the data subject.  There are also Social Work Data tests and Education Data tests in s.17(2) and s.17(3).

8.10 When considering redacting information, the data subject’s rights should be held in the highest regard and removal or redaction should only be used where absolutely necessary.

8.11 Anything written about a patient or employee may ultimately be scrutinised by that patient or employee, therefore all entries into records and communications concerning a particular individual, including emails, should be objective and factual. 

8.12 Requests can be made by the individual concerned or their legal representative; a solicitor acting on their behalf, their carer, parent, guardian, or an appointed representative.  Where the request is not made by the individual themselves it must be accompanied by either a signed authority from the patient, or evidence of legal representation to take decisions.

8.13 Access rights to deceased records are contained within the Access to Health Records Act 1990 and are available where a personal representative has a legal claim arising from the death of the patient or the death may have been caused by negligence; someone who may be entitled to compensation is allowed access to the records relating to the death.

The right to rectification

8.14 Article 16 GDPR contains the right of rectification.  Where a data subject feels that information is incorrect, they have the right to ask for it to be rectified – this right applies to information of fact and not opinion.  Incorrect demographic information will be immediately corrected.  If the information is of a clinical nature this will need to be reviewed and investigated by the Practice as a potential breach in Records Management procedures and data quality issues.  The investigation will yield one of two outcomes:

a) the Practice deems the information to be correct at the time of recording and the record will not be amended.  A statement from the data subject may be placed within the record to demonstrate that they disagree with the information held, and the data subject has the right to appeal to the Information Commissioner;

b) the Practice agrees that the information is incorrect.  However, it is not legal to modify or remove information within the record as it represents historical information which may have influenced subsequent events or decisions made.  A note will be placed into the file which alerts the reader of the inaccuracy and the correct facts.  The data subject and the Practice will agree the content of the note together.

The right to be forgotten

8.15 Article 17 GDPR contains the right to be forgotten; this is a limited right with regards to health care and employment information.  The legal obligation to retain information as per the Health Records Act 1958 in order to maintain patient safety and continuity of care, as well as upholding our obligations as an employer, takes precedence over the data subject’s right.  Exemptions from the GDPR provisions for Healthcare can be found in Schedule 3 of the Data Protection Act 2018.

8.16 The retention schedules within the Records Management Code of Practice for Health and Social Care 2016 are followed, unless there is another legal obligation to retain information for longer, for example financial records.  Information will not be destroyed before the retention period is over.  Where a data subject requests the ‘right to be forgotten’, a note will be placed on their record to indicate that they would like their information disposed of as soon as legally admissible.

The right to restrict processing

8.17 Article 18 GDPR contains the right to restrict processing; however, it can only be exercised in the following circumstances:

a) the data subject contests the accuracy of the data;

b) the processing is unlawful;

c) the data subject objects to the processing of their data whilst the data controller seeks to verify the legitimate grounds for continuing processing.

8.18 The right to restrict processing of healthcare data for direct care should not be taken lightly and should be exercised only in extreme circumstances, having given the data subject the opportunity to meet with a relevant clinician who can properly explain the limited services and treatments available to the data subject.

8.19 Data subjects are allowed to restrict the processing of identifiable data for secondary purposes and should be provided with information on the National Data Opt-Out available on the NHS Digital website.

The right to data portability

8.20 This right only applies where the original processing is based on the data subject’s consent or fulfilment of a contract that they are party to, and if the processing is automated.  However, in the spirit of the regulations, Subject Access Requests should be provided in a useful electronic format and where possible in a commonly used and machine readable format.

The right to object

8.21 Data subjects can object to specific types of data processing, including direct marketing, processing based on legitimate interests or in the wider public interest, and processing for research or statistical purposes.  Once a data subject raises an objection, the data controller should demonstrate the legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of a legal claim.  Until the justification can be provided, processing of personal data must be suspended.  The right is aligned with the right to restrict processing and data subjects should be provided with information on the National Data Opt-Out available on the NHS Digital website.

The right to appropriate decision making

8.22 Data subjects have the right “not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them”.  The Practice has not identified any decision-making processes which are solely automated and without human interaction, and which produce a legal effect for the data subject.

8.23 All NHS records are Public Records under the Public Records Act 1958.  The Organisation will take actions as necessary to comply with all legal, statutory and professional obligations.

9.  Third Country Transfers 

9.1 Article 44 GDPR 2016 specifies that any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation, shall take place only if the country of destination has adequate legislation and appropriate safeguards. 

9.2 Alongside the United Kingdom, the following countries are all members of the EEA and are considered safe by the European Commission for the secure transfer of personal data:
