Data Protection Act

1.0 Introduction
The Data Protection Act 1998 (DPA) covers personal data held manually and electronically and is closely linked to the Freedom of Information Act 2000 and the Human Rights Act 1998.

Its focus is on promoting the rights of individuals in respect of their privacy and the right to confidentiality of their data. The responsibility to maintain the confidentiality of data resides with the Data Controller even if an agent or subcontractor performs the processing.

The Trust has a legal obligation to comply with all appropriate legislation in respect of data, information and ICT security. It also has a duty under the establishment order to comply with guidance issued by the Department of Health, the NHS Executive and other advisory groups to the NHS, and with guidance issued by professional bodies. The Trust believes individuals’ rights of confidentiality are paramount.

All legislation relevant to an individual’s right of confidence, and the ways in which that right can be achieved and maintained, are paramount to the Trust. This relates to roles that are reliant upon computer systems such as patient administration/payment, purchasing, invoicing and treatment planning. The Data Protection Act also regulates the use of manual records relating to patients, staff and others whose information may be held within the Trust.

The Trust collects and uses information about identifiable individuals in the course of its operations. These include current, past and prospective patients, employees, suppliers, contractors, clients/customers, and others with whom it communicates. In addition, it may occasionally be required by law to collect and use certain types of personal information to comply with the requirements of government departments. Under the DPA 1998, all forms of personal information must be dealt with properly however they are collected, recorded and used – whether automatically, within accessible records or within relevant filing systems – and the DPA 1998 contains safeguards to ensure this.

Conformance with the DPA is part of the Trust’s overall duty of confidentiality towards its patients, staff, and all other individuals with whom it deals. Consequences of non-compliance with the relevant legislation are given in Section 12.0.

The Trust regards the confidence and trust of its staff, patients and service users as a crucial element in its role in delivering the highest quality health care services. The lawful and correct processing of personal information is a key part of building and maintaining that trust and confidence, so the Trust will therefore:

  • Fully implement all aspects of the DPA 1998 and the Freedom of Information Act 2000.
  • Make all patients, staff and other individuals fully aware of both their rights and obligations under the Act, by holding mandatory induction courses, information on the Trust intranet and ad hoc support to staff via the Compliance Manager.
  • Implement adequate and appropriate physical and technical security measures and organisational measures to ensure the security of all information contained in or handled by those computer systems managed by the Trust, or by other agencies on behalf of the Trust.
  • Transfer personal data outside the European Economic Area (EEA) only with the explicit informed consent of the individual concerned.

A full copy of the Data Protection Act is held by the Compliance Manager, who is a member of the Information Governance Committee. Any queries from staff or patients regarding this policy, the DPA or any other confidentiality issues should be addressed to:
The Compliance Manager
Kestrel House
Hellesdon Hospital
Drayton High Road

2.0 Purpose
To provide a statement of the policy and principles adopted by Norfolk & Suffolk NHS Foundation Trust (the Trust/NSFT) which govern the processing of personal data as specified in the DPA (1998).

To detail how the Trust meets its legal obligations and NHS requirements concerning confidentiality and information security standards. The requirements within the policy are primarily based upon the DPA as the key piece of legislation covering security and confidentiality of personal information.

To deliver fully the Principles of Data Protection as stated in the DPA (1998) (see Section 6.0).

3.0 Definitions (from the Data Protection Act 1998)

Data
Any information which:
• Is processed using equipment operating automatically in response to instructions
• Is recorded with the intention of being processed
• Is recorded as part of a relevant filing system
• Forms part of an accessible record, including health records

Data Protection
• Ensuring that personal data about an individual is processed fairly and lawfully in order to protect the rights of an individual

Data Subject
The individual to whom the personal data relates

Data Controller
The person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

This term comprises not only individuals but also organisations such as companies and other corporate and unincorporated bodies of persons. In the case of NSFT the Trust Secretary is the Data Controller.

Data Processor
Any person or organisation (other than an employee of the data controller) who processes (including storing or otherwise managing) the data on behalf of the data controller.

Processing
Obtaining, recording or holding the information or carrying out any operation or set of operations on the information, including:

  • acquiring the data,
  • organising and managing the information or data,
  • retrieving and using the information or data,
  • disclosing or sharing the information or data by fax, letter, e-mail, or any other means of transmission or dissemination,
  • archiving, disposing of or destroying the information or data.

Personal Data/Person Identifiable Data
Personal data means data which relates to a living individual, organised in such a way that the individual can be identified from the data; it includes factual data as well as any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Personal data held in electronic or paper form within the Trust includes:

  • All identifiable patient information including health records
  • All identifiable staff information
  • Any other identifiable personal information held on suppliers, contractors etc.

Any of the following information will/could constitute person identifiable information (this list is not exhaustive):
• Name
• Address
• Post code
• Date of birth
• NHS Number
• National Insurance Number
• Carer’s details
• Next of kin details
• Contact details
• Bank details
• Lifestyle
• Family details
• Voice and visual records (e.g. photographs, tape recordings).

Sensitive Data
Certain types of data are regarded as sensitive, and the Act stipulates that special measures must be taken in the processing and protection of this type of data. Sensitive data includes:

  • Racial or ethnic origins
  • Political opinions
  • Religious or other similar beliefs
  • Membership of a trade union
  • Physical or mental health or condition
  • Sexual life
  • The commission of any offence
  • Any proceedings for any offence, or the sentence of any court in such proceedings

Relevant Filing System
Any set of information relating to individuals structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.

Recipient
Any person or organisation to whom the data are disclosed, but not including any person to whom disclosure is made as a result of, or with a view to, a particular inquiry by or on behalf of that person made in the exercise of any power conferred by law.

European Economic Area
The following European countries or territories: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark (excluding the Faroe Islands), Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom (excluding the Isle of Man and the Channel Islands)

4.0 Duties and Responsibilities
The Trust will fully discharge the responsibilities implied by the Principles contained within the DPA by putting in place procedures, and by monitoring these procedures through annual audit, to:

  • Observe fully conditions regarding the fair collection and use of information
  • Meet its legal obligations to specify the purposes for which information is used
  • Collect and process appropriate information only to the extent that it is needed to fulfil operational needs or to comply with any legal requirement
  • Ensure the quality of information used
  • Apply strict checks to determine the length of time information is held
  • Ensure that the rights of people about whom information is held can be fully exercised under the Act; this includes monitoring the management of rights of access
  • Take appropriate technical and organisational security measures to safeguard personal information
  • Ensure that the necessary measures are taken to safeguard all sensitive personal data
  • Ensure that the necessary measures are taken to ensure the proper disclosure of information between agencies
  • Ensure that personal information is not transferred abroad without suitable safeguards

The Trust will also fully conform to the rules for notification. These responsibilities include ensuring that:

  • a notification is lodged in its name with the Information Commissioner
  • the notification is lodged within the stipulated time period
  • the notification is full, correct and up-to-date
  • any changes are notified within the stipulated time period.

Chief Executive

  • Overall responsibility for the implementation and delivery of the DPA 1998 on behalf of the Trust

Data Protection Officer (DPO)

  • Has devolved responsibility from the Chief Executive
  • For NSFT this is the Compliance Manager (DPA/FOI)
  • Facilitating the implementation of this policy
  • Supporting Trust staff to understand their responsibilities
  • Jointly responsible (with the Caldicott Guardian) for ensuring the effective integration of respective policies for control of clinical and non-clinical information

Caldicott Guardian

  • Advising Trust staff
  • Ensuring adequate arrangements are put in place to protect patient identifiable information
  • For NSFT this is the Deputy Medical Director

Clinical Leads and Operational Managers (all Localities and Services/Departments)

  • Understanding the Act and other related guidance
  • Establishing appropriate procedures to control and manage information and to ensure that these procedures are followed
  • Ensuring that staff are aware of this policy

All staff

  • Ensuring that personal information is processed in accordance with the rights of the individual
  • Ensuring compliance with the DPA 1998 and actively responding to any concerns relating to confidentiality
  • Understanding the Act

5.0 Applicability
This policy covers all aspects of business relating to personal information within the Trust and is not solely patient related. It includes information held by all areas such as (this list is not exhaustive):

  • Healthcare (In-Patient And Community)
  • Mental And Physical Health
  • Access & Assessment Teams
  • Primary Care Teams
  • Learning Disabilities Services
  • Child and Adult Protection
  • Human Resources (including Criminal Records Bureau checks on staff)
  • Payroll & Finance
  • Procurement
  • Estates and Facilities (Maintenance)
  • Occupational Health.

It covers all methods of holding information and all media used to store information, including (this list is not exhaustive):

  • Manually stored paper data, e.g. Card index files, medical records etc.
  • Computer referenced paper data, e.g. Health records, personnel records, etc.
  • Computerised data held in computer applications and databases
  • Tapes and other data from CCTV systems
  • Data held offsite in archive storage
  • Data held on CD ROMs, computer disks, memory sticks etc.

6.0 The Principles of Data Protection
First Principle: Personal information shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met.

There is a requirement to make the general public, who may use the services of the NHS, aware of why the NHS needs information about them, how this is used and to whom it may be disclosed. The Trust is obliged under the DPA and Caldicott to produce a patient information leaflet.

A clear policy of consent is needed to ensure the first principle is addressed. The Trust has formally adopted a policy on this subject (see C71: Consent to Examination or Treatment).
Second Principle: Personal information shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

The Trust is required to complete a notification with the Information Commissioner on all databases which hold and/or process personal information about living individuals. It is a criminal offence if this notification is not kept up to date.

Third Principle: Personal information shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed.

Information collected from individuals should be justifiable as being required for the purpose for which it is requested.

Fourth Principle: Personal information shall be accurate and, where necessary, kept up to date.

The Trust must ensure that all information held on any media is accurate and up to date. The accuracy of the information can be supported by implementing validation routines.

Users of software will be responsible for the quality of the data by carrying out quality assurance and participating in activities dictated by the Data Quality Group.

Staff information should also be checked by Line Managers or by the Workforce and Organisation Development Department.

Fifth Principle: Personal information shall not be kept for longer than necessary for that purpose or those purposes.

All records are affected by this principle regardless of the media on which they are held, stored or retained. HSC 1999/053 provides comprehensive guidance.

If the information on the computer or in manual records is not the main record, this is considered to be transient data. Procedures must be put in place to give guidance to users.

Sixth Principle: Personal information shall be processed in accordance with the rights of data subjects under the Act.

Under this principle of the DPA individuals have the following rights:

  • Right of subject access
  • Right to prevent processing likely to cause harm or distress
  • Right to prevent processing for the purposes of direct marketing
  • Right in relation to automated decision taking
  • Right to take action for compensation if the individual suffers damage
  • Right to take action to rectify, block, erase or destroy inaccurate data
  • Right to make a request to the Information Commissioner for an assessment against an organisation to establish whether any part of the Act has been contravened.

Seventh Principle: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal information and against accidental loss or destruction of, or damage to, personal data.

The Trust has a legal obligation to maintain confidentiality standards for all patient identifiable information. This includes the disposal of non-clinical waste.

The Trust must ensure all electronic systems are maintained in line with BS7799.

Eighth Principle: Personal information shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Patient data should not normally be sent to any country outside the EEA, as these countries do not have the necessary legislation in place to protect the data covered by the DPA 1998.

7.0 Individual Rights
Individuals have rights under the DPA in respect of their own personal data held by others. The Trust will ensure that all individuals are aware of their rights under the Act, and will fully comply with the delivery of these rights to individuals.

The rights of the individual are:

  • To be informed about the use made of personal data
  • To be informed about the purpose of processing, the source and the recipients of the data
  • To be informed of any logic used in automated decisions
  • To be provided with a copy of their record, where the effort to provide such is reasonable
  • To have incorrect data corrected, blocked, erased or destroyed
  • To have previous recipients of such data informed
  • To object where substantial damage or distress may be caused
  • To object where personal data are used for direct marketing
  • To take action for compensation if an individual suffers damage
  • To make a request to the Information Commissioner for an assessment to be made as to whether any provision of the Act has been contravened.

The Trust will ensure that every individual is aware of their rights and of how to exercise them.

8.0 Subject Access Requests
All data subjects, or someone acting on their behalf, can request to view their personal data held by the Trust.

All applications regarding service user personal data must be made in writing to the Compliance Manager (see also C10: Confidentiality policy).

If a member of staff requires a copy of their personal data, a request can be made via their line manager.

9.0 Disclosures to Others
The Trust may receive requests to obtain personal data from sources other than the individual. See C10: Confidentiality policy for guidance on how to handle such requests.

Statutory Requests: all statutory requests from external agencies will be complied with by the Trust via the Compliance Manager. If appropriate, the patient may be informed that the data has been disclosed, unless this would prejudice criminal investigations.

Medico-Legal: all requests from solicitors and healthcare providers will only be complied with if the Trust is in receipt of the written consent of the patient or their representative. All requests will be managed by the Trust Secretary.

Police: all requests from the police for personal data will be reviewed on a case-by-case basis via the Compliance Manager, or via the Head of Risk Management and Security or the Local Security Management Specialist for issues involving the Security Incident Reporting System (SIRS). All requests must be in writing using the documentation provided by the Police authority.

The most likely legal bases for disclosure (without the patient’s consent) to the police are:

  • Prevention of Terrorism Act 1989 and Terrorism Act 2000 – it is a statutory duty to inform the police about information gained (including personal information) about terrorist activity.
  • The Road Traffic Act 1988 – it is a statutory duty to inform the police, when asked, of the name and address (not clinical information) of drivers who are allegedly guilty of an offence.
  • Court Order – where the courts have made an order the information must be disclosed unless the Trust decides to challenge the order of the court.
  • Applications made by the Police under the Police and Criminal Evidence Act (PACE) Regulations, for example where somebody may be seriously injured if the police are not informed or where the police are investigating a ‘serious arrestable offence’. Serious harm to the security of the state or public order and serious fraud will also fall into this category. Minor offences would generally not warrant breach of confidence.

10.0 Exemptions
There are specific reasons why access to personal data may be denied including:

  • where the data released may cause serious harm to the physical or mental condition of the patient, or any other person
  • where access would disclose information relating to or provided by a third party, where consent has not been received from the third party to release their data. N.B. this does not include information recorded by Trust employees as part of their normal duties
  • where it is assessed that a patient, under the age of 16, cannot understand the implications of accessing their records.

11.0 Cost and Timescales
An application for data access can cost up to a maximum of £50, and a period of 40 days is allowed for the Trust to provide the data, although it is recommended that requests are complied with within 21 days (DoH, 2003).

12.0 Non-compliance
Non-compliance with the relevant legislation could result in individuals, employees and the Trust being prosecuted for offences under the DPA, such as:

  • Processing personal data without notifying the Information Commissioner.
  • Processing personal data for any purpose other than that covered by the Trust’s notification to the Information Commissioner.
  • Unauthorised disclosure of personal data e.g. disclosure to a person/organisation not entitled to receive it.
  • Failure to comply with an information/enforcement notice issued by the Information Commissioner.
  • Modifying personal data subject to a subject access request.
  • Offences around misinformation when registering with the Information Commissioner.

13.0 Training & Awareness
All staff will complete mandatory training (classroom or e-learning) as set out in the Trust’s Training Needs Analysis and/or the Information Governance Toolkit (e.g. Introduction to Information Governance, Health Record Keeping).

All training provided with regard to data protection will be recorded on the Trust training database. Agency and contract staff are subject to the same rules.

In addition, many staff are bound by their professional Codes of Conduct.

14.0 Workforce
Staff contracts of employment are monitored by the Trust Workforce and Organisation Department. All contracts of employment include a data protection and general confidentiality clause; agency/bank and contract staff are subject to the same rules.

Any member of staff, current, past or potential (applicants), who wishes to have a copy of their information under the subject access provision of the DPA has the right to access information held on them.

A breach of the Data Protection requirements could result in disciplinary action (see HRP016: Disciplinary policy).

The Trust is required to undertake criminal records checks on certain groups of staff. The CRB is fully committed to compliance with the DPA 1998 and the Freedom of Information Act 2000.

15.0 Contact within the Trust
General enquiries under the DPA (1998) should be addressed to:
The Compliance Manager
Kestrel House
Hellesdon Hospital
Drayton High Road

16.0 Legislation to Restrict Disclosure of Personal Identifiable Information

  • Human Fertilisation and Embryology (Disclosure of Information) Act 1992
  • Venereal Diseases Act 1917 and Venereal Diseases Regulations of 1974 and 1992
  • Abortion Act 1967
  • The Adoption Act 1976

17.0 Legislation Requiring Disclosure of Personal Identifiable Information

  • Public Health (Control of Diseases) Act 1984 and Public Health (Infectious Diseases) Regulations 1985
  • Education Act 1944 (for immunisations and vaccinations to the NHS Trusts from Schools)
  • Births and Deaths Act 1984
  • Police and Criminal Evidence Act 1984.

18.0 Bibliography

  • HSG(96)15 The NHS IM&T Security Manual Ensuring Security and Confidentiality in NHS Organisations
  • HSG(96)18 The Protection & Use of Patient Information
  • HSC 1999/012 Caldicott Guardians
  • HSC 2002/003 Caldicott Guardians & Implementing the Caldicott Standard into Social Care
  • HSC 1999/053 For the Record
  • BS7799 Information Security Standards
  • HSC 1999/217 Preservation, retention and destruction of GP General Services Records Relating to Patients
  • Protection of Children Act 1999
  • Police Act 1997.