Welcome to: Information Governance Data Protection Act 2018 & Best Practice Guidelines
Learning Outcomes
- Understand your responsibilities: Information Governance, NHS Best Practice Guidance, the principles of the Data Protection Act 2018 and working within the law.
- Ensure the availability, integrity and confidentiality of the Trust's information.
- Follow Trust Policies and Procedures and stay up to date with new requirements under Information Governance.
- Read the Trust Information Governance Policy.
What is Information Governance?
Caldicott Principles
Every Trust has a Caldicott Guardian.
7 Principles:
1. Justify the purpose(s) for using confidential information.
2. Don't use personal confidential data unless it is absolutely necessary.
3. Use the minimum necessary personal confidential data.
4. Access to personal confidential data should be on a strict need-to-know basis.
5. Everyone with access to personal confidential data should be aware of their responsibilities.
6. Comply with the law.
7. The duty to share information can be as important as the duty to protect patient confidentiality.
Please remember these guidelines during everyday activities.
Data Protection Act & GDPR (General Data Protection Regulation)
What does this mean in practice?
Rights of a data subject
"I have a right to a copy of my blood results!!"
- The right to be informed
- The right to access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Penalties for non-compliance
- All serious incidents must be reported to the ICO within 72 hours.
- The new Act has greater penalties for a breach of Data Protection: 20 million euro for serious breaches of the GDPR or 4% of annual turnover.
Enforcement tools available to the ICO:
- Information Notice
- Assessment Notice
- Enforcement Notice
- Administration Fines
Enforcement is looked at on the following criteria:
- The nature, gravity and duration of the failure
- The intentional or negligent character of the failure
- Action taken to mitigate the damage suffered by data subjects
- Responsibility of the controller, taking into account organisational and technical measures
- Previous failures
- Categories of personal data affected
- How it became known to the Commissioner
- Adherence to codes of conduct
Data Protection Act 2018
The 2018 Act applies to Personal Identifiable Data, and relates to anything we do with that data, i.e. processing:
- Collection, recording, organisation, structuring, storage
- Adaptation or alteration
- Retrieval, consultation, use
- Disclosure by transmission, dissemination, making available
- Restriction, erasure or destruction
What is Personal Identifiable Data?
Personal Identifiable Data (PID) means: data which relates to a living individual who can be identified by the data.
Special Categories of Personal Data
Sensitive personal data means: personal data relating to the data subject's
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade Union membership
- The processing of genetic data
- Data concerning health
- Sexual life & sexual orientation
- Criminal convictions
- Biometric data for uniquely identifying an individual
Data Protection Principles
1. Lawfully, fairly and in a transparent manner
Lawfully
- You must have a legal basis for processing personal data and document this.
Fairly
- Patients should know what we do with their data:
  - How it's processed
  - Who we share it with
  - What the risks, rules and safeguards are
Transparent
- The Trust must ensure an individual is made aware of exactly how the Trust processes their data, verbally and in privacy notices which are clear and concise.
Unlawful access
- Unlawful disclosure or misuse of personal data (including staff accessing their own personal health records or the records of colleagues, family or friends without authorisation) is a breach of Trust policy and may constitute a criminal offence.
- All incidents of this nature will be fully investigated following the Trust disciplinary procedure and may be treated as a serious disciplinary offence and lead to dismissal.
- Can lead to personal fines or a custodial sentence.
Data Protection Principles
2. Purpose Limitation
- Only use and share information outside your department and with other agencies if it is appropriate and necessary to do so.
3. Data Minimisation – adequate, relevant and limited to what is necessary
- Only obtain information for the intended purpose.
- Do not collect data "just in case".
Data Protection Principles
4. Accurate and, where necessary, kept up to date
- Take care inputting information.
- Check existing records thoroughly before creating new ones.
- Confirm details are correct.
Data Quality
Examples of what poor data quality looks like in a record:
- Discharge status: alive but without permission.
- The patient refused an autopsy.
- Patient has left his white blood cells at another hospital.
- Patient has two teenage children, but no other abnormalities.
Data Protection Principles
5. Storage Limitation
- Follow the Trust's retention guidelines found on the intranet.
- Storage is limited to the strict minimum.
- Periodic review of document retention dates.
- Ensure regular housekeeping.
- Dispose of information in line with Trust policy.
6. Integrity and Confidentiality
Processed in a manner which ensures appropriate security, using both technical and organisational measures to ensure protection against:
- Unauthorised access and processing
- Accidental loss, destruction or damage
Privacy by Design
Data Protection Impact Assessments (DPIA)
DPIAs are a structured risk assessment used to identify the most effective way to comply with data protection obligations and meet individuals' expectations of privacy for a new or significantly changed process. An effective DPIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur.
You must complete a DPIA prior to:
- Building new IT systems for storing or accessing personal data
- Developing legislation, policy or strategies that have privacy implications
- Embarking on a data sharing initiative; or
- Using data for new purposes
Practical Security Measures
- Conversations (phone, bleep, mobile):
  - Where are you?
  - Who's around?
  - Need to know
- Transfer:
  - How is it sent?
  - What media?
  - Encryption
  - Inside/outside the UK – different rules apply
- Safe Havens:
  - Policy & Procedure
  - Secure if necessary
  - Need to know
Organisational Security Measures
- Training
- Policies and Procedures – found on the intranet; ensure you read them
- Housekeeping – clear desk policy; doors/windows; share drives: do NOT store PID!
- Smartcards – DO NOT SHARE!
- Passwords – DO NOT SHARE!
- ID Passes – keep safe & report loss
Recent Trust Breaches
- Handover sheets
- Camera containing breast images
- Freedom of Information requests
- Multiple letters sent to the wrong patient
- Identifiable data being stored on share drives
Email / Internet
- Email:
  - Faster
  - Encrypt
  - Personal use
  - Recalled for access/legal purposes
- Internet:
  - Personal use
  - Blocked sites
  - Social media
- Both are monitored / report breaches
Fax
Use as a last resort – look for alternative ways of communication.
- Step 1 – Use a Safe Haven front sheet (available on the Intranet, in the Document or IG Department zones).
- Step 2 – Call the recipient/organisation to let them know you are sending them a fax and to double-check the fax number (do not rely on pre-programmed numbers).
- Step 3 – Ask the recipient to confirm they have received the fax, or call them back to make sure they have received it (do not rely on fax receipts).
Freedom of Information
- Rights of access
- Format of requests
- Information Governance is responsible for responses
- Tight timescales
- Exemptions can be applied
Lessons Learned
The Independent Inquiry into Child Sexual Abuse (IICSA) was fined £200,000 by the Information Commissioner's Office (ICO). On 27 February 2017, an IICSA staff member sent a blind carbon copy (bcc) email to 90 Inquiry participants telling them about a public hearing. After noticing an error in the email, a correction was sent, but the email addresses were entered into the 'to' field instead of the 'bcc' field by mistake. This allowed the recipients to see each other's email addresses, identifying them as possible victims of child sexual abuse.
Bupa Insurance Services Limited (Bupa) was fined £175,000 by the Information Commissioner's Office (ICO) for failing to have effective security measures in place to protect customers' personal information. Between 6 January and 11 March 2017, a Bupa employee was able to extract the personal information of 547,000 Bupa Global customers and offer it for sale on the dark web. The employee accessed the information via Bupa's customer relationship management system, known as SWAN. The system holds customer records relating to 1.5 million people. The employee sent bulk data reports to his personal email account. The compromised information, which included names, dates of birth, email addresses and nationality, was later offered for sale on the dark web.
Lessons Learned
Milton Keynes University NHS Foundation Trust
The Trust contacted the ICO after it received a complaint that a staff member may have accessed the individual's medical record. The former receptionist was prosecuted for accessing the records of 12 patients without authorisation. These included the patient records of her ex-partner and a woman who claimed she had used the information to harass her. She pleaded guilty to unlawfully accessing personal data and unlawfully disclosing personal data in breach of s.55 of the Data Protection Act 1998 at Milton Keynes Magistrates' Court on 20 April and was ordered to pay £300, plus a victim surcharge of £30.
ICO warns NHS employees that unlawfully accessing patient records is an offence
The ICO has reminded NHS staff about the potentially serious consequences of prying into patients' medical records without a valid reason. The warning came after a former health care assistant was ordered to pay a total of £1,715 in fines and costs after pleading guilty to offences of unlawfully obtaining and unlawfully disclosing personal data. In a separate case, a former data co-ordinator at an NHS Trust was ordered to pay a total of £1,134.08 after pleading guilty to accessing sensitive medical records of colleagues and people in her locality.
Any Questions?
IG team
- Heidi Walker, IG Manager & Data Protection Officer – Ext: 7928
- Michelle Karpel – Ext: 8386
- Allison Lindars – Ext: 7288
- Catrine Potter – Ext: 7288
- Tina Broadhurst – Ext: 8926