Data Protection Policy & Procedure V1.0


This policy outlines the required standards in relation to the processing of data under the Data Protection Act 1998 for:
- The Trust
- All staff members

Paper Copies of this Document

If you are reading a printed copy of this document you should check the Trust's Policy website to ensure that you are using the most current version.

Ratified Date: 16/03/2011
Ratified By: Information Governance Committee
Review Date: March 2014
Accountable Directorate: Safety and Governance
Corresponding Author: Information Governance Manager

Table of Contents

1 Circulation
Scope
Definitions
Reason for development
Aims and Objectives
Standards
Data Protection Principles
Responsibilities
Individual Responsibilities
Board and Committee Responsibilities
Statutory Requirements
Notification/ Registration
Access to information
Disclosure of personal data without consent
Contract Clauses
Transfer of Data Outside of the EEA
NHS Care Records Guarantee
CCTV
Complaints and appeals
Data Protection Incidents
Training Requirements
Awareness Training at Corporate Induction
Level 1 Training for all staff
Level 2 and Level 3 training
Monitoring and Compliance
References
Attachments
Attachment 1: Protocol for releasing patient information without consent under section 29 (3) of the Data Protection Act 1998 Prevention and detection of crime
Attachment 2: Consultation and Ratification Checklist
Attachment 3: Equality and Diversity - Policy Screening Checklist
Attachment 4: Launch and Implementation Plan

Meta Data

Document Title: Data Protection Policy
Version: 1.0
Status: Active
Document Author: Information Governance Manager
Source Directorate: Safety and Governance Directorate
Date Of Release: 16/03/2011
Ratification Date: 16/03/2011
Ratified by: Director of Safety and Governance & Information Governance Committee
Review Date: February 2012
Related documents: Access to Health Records Policy; Serious Untoward Incident Policy; Incident reporting Policy; Data Protection Procedure and Guidance Notes - Management and Processing of Employee Personal Data; CCTV Policy
Superseded documents: None
Relevant External Standards/ Legislation: Access to Health Records Act 1990; CCTV Code of Practice; Computer Misuse Act 1990; Data Protection Act; Human Rights Act 1998; Freedom of Information Act 2000; Environmental Information Regulations 2004; Mental Capacity Act 2005; Section 251 and 252 of The National Health Service Act 2006; Common law on Confidentiality; NHS Code of Practice on Confidentiality; NHS Care Records Guarantee; NHS Code of Practice on Information Security; Caldicott Guidelines; Information Governance Toolkit; Regulation of Investigatory Powers Act 2000; Access to Medical Reports Act 1988; NHS Code of Practice in Records Management April 2006; NHS Code of Practice: Confidentiality November 2003; HSG(96)15 The NHS IM&T Security Manual; E5498 Ensuring Security & Confidentiality in NHS Organisation; HSC 1999/012 Caldicott Guardians; HSC 2002/003 Caldicott Guardians & Implementing the Caldicott Standard into Social Care
Key Words: Data, Protection, Confidentiality, Subject Access, IG Toolkit, CCTV

1 Circulation

This Policy applies equally to staff in a permanent, temporary, voluntary or contractor role acting for or on behalf of HEFT.

2 Scope

This policy covers the Trust's requirements in relation to the Data Protection Act 1998 (the Act).

3 Definitions

Anonymised Information: This is information which does not identify an individual directly; and which cannot reasonably be used to determine identity. Anonymisation requires the removal of name, address, full post code and any other detail or combination of detail that might support identification directly or by association, e.g. using someone's initials.

Data controller: This is the person or organisation who either alone or jointly or in common with other persons determines the purpose for which and the manner in which any personal data is processed. In this case, the Trust is the Data Controller.

Data processor: Any person or organisation (apart from an employee of the data controller) who processes data on behalf of the data controller.

Data subject: The individual who is the subject of the personal data. This may be patients (healthcare records), staff (personnel records), complainants (complaints files) or any other individuals whose information the Trust holds.

Health Record: The term health record is defined by Section 68 of the Act, and means any record which:
- consists of information relating to the physical or mental health or condition of an individual, and
- has been made by or on behalf of a health professional in connection with the care of that individual.

Health Professional:
- a registered medical practitioner (a "registered medical practitioner" includes any person who is provisionally registered under section 15 or 21 of the Medical Act 1983 and is engaged in such employment as is mentioned in subsection (3) of that section),
- a registered dentist as defined by section 53(1) of the Dentists Act 1984,
- a registered optician as defined by section 36(1) of the Opticians Act 1989,
- a registered pharmaceutical chemist as defined by section 24(1) of the Pharmacy Act 1954 or a registered person as defined by Article 2(2) of the Pharmacy (Northern Ireland) Order 1976,
- a registered nurse, midwife or health visitor,
- a registered osteopath as defined by section 41 of the Osteopaths Act 1993,
- a registered chiropractor as defined by section 43 of the Chiropractors Act 1994,
- any person who is registered as a member of a profession to which the Professions Supplementary to Medicine Act 1960 for the time being extends,
- a clinical psychologist, child psychotherapist or speech therapist,
- a music therapist employed by a health service body, and
- a scientist employed by such a body as head of department.

Personal data: Personal data that relates to a living individual who can be identified from that data or from that data and other information that is in the possession of or is likely to come in the possession of the data controller (The Trust). These items include surname, initials, date of birth, address and postcodes, sex, national insurance number, hospital number, forenames, occupation, NHS number, ethnic group. This is not an exhaustive list; personal data can be information that does not include any of these personal details but from which the individual could be identified, together with other information in possession of the data controller, by association, e.g. CCTV images (the Trust's CCTV Policy and Procedure details this aspect of data).

Processing: In relation to information or data, processing means obtaining, recording or holding the information or data, carrying out any operation or set of operations on the information or data, including:
- Organisation, adaptation or alteration of the information or data
- Retrieval, consultation or use of the information or data
- Disclosure by transmission, dissemination or otherwise making available, or
- Alignment, combination, blocking, erasure or destruction of the information or data.

Pseudonymised Information: This is like anonymised information in that in the possession of the holder it cannot be reasonably used by the holder to identify an individual, e.g. a unique number used in a research project. However it differs in that the original provider of the information may retain a means of identifying individuals. This will often be achieved by attaching codes or other unique references to information so that the data will only be identifiable to those who have access to the key or index. Pseudonymisation allows information about the same individual to be linked in a way that true anonymisation does not.

Sensitive personal data: Personal information about an individual that includes religious beliefs, political beliefs, sexual life, membership of a trade union, ethnic background, criminal convictions and physical and mental health records. All information regarding health is considered sensitive under the Act.

4 Reason for development

The Trust has a duty under the Act to hold, obtain, record, use, and store all personally identifiable information in a secure and confidential manner. This applies to all personal identifiable information held in manual files, computer databases, videos and other automated media about living individuals, such as personnel and payroll records, medical records, other manual files, microfiche/film, pathology results, and x-rays. The Act and the principles contained within the Act are enforceable in law; this policy sets out how the Trust will meet its obligations and how it expects all staff to meet their individual obligations.

5 Aims and Objectives

This policy aims to ensure that there are appropriate processes and procedures in place to allow the Trust and its employees to comply with the Data Protection Act 1998 and associated best practice and guidance. In particular this policy aims to:
- Make clear the Trust's responsibilities as a Data Controller in relation to Data Protection Act
- Make clear staff responsibilities in relation to Data Protection Act 1998

6 Standards

The Act includes 8 standards (the Data Protection Principles) which form the basis of all requirements in relation to the Trust's and staff obligations. They are as follows:

6.1 Data Protection Principles

- Personal data shall be processed (used) fairly and lawfully.
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose(s).
- Personal data shall be adequate, relevant and not excessive in relation to the purpose(s) for which they are processed.
- Personal data shall be accurate and kept up to date.
- Personal data processed for any purpose(s) shall not be kept for longer than is necessary for that purpose(s).
- Personal data shall be processed in accordance with the rights of the data subjects under the Act.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to personal data.
- Personal data shall not be transferred to a country or territory outside of the European Economic Area, unless that country or territory ensures an adequate level of protection in place.

The Information Commissioner's office is the national body responsible for ensuring compliance with the Data Protection Act 1998 and providing advice and guidance. The Trust is required to notify the Information Commissioner of the purposes it uses personal identifiable information for and also about certain types of incident that may occur (the Trust's Serious Untoward Incident Policy provides detail). In addition, individuals may complain (refer to section 8.8 of this policy) to the Information Commissioner where they do not agree with the decisions of the Trust in processing subject access requests; the Trust will inform individuals of this right.

7 Responsibilities

7.1 Individual Responsibilities

Chief Executive

The Chief Executive retains overall responsibility to the Trust Board for overseeing an appropriate infrastructure to ensure compliance with the Data Protection Act. He/she delegates operational responsibility to the Director of Safety and Governance (who is also the Caldicott Guardian).

Director of Safety and Governance

The Director of Safety and Governance is responsible to the Trust Board and Chief Executive in relation to data protection and will provide reports to the Trust Board in this regard. With the assistance of other senior managers within the Trust he/she will oversee a programme of activities to ensure the provision of an appropriate service and authorise remedial action when required to protect information. As Caldicott Guardian, he/she has particular responsibility for ensuring the appropriate disclosure of patient information and where required will become directly involved with the decision to disclose or withhold information.

7.1.3 Information Governance Manager

The Information Governance Manager is responsible for the development and review of this policy in line with national requirements and legislation. He/she will liaise with other key staff within the Trust to support the continued development and regulation of processes to support the implementation of this policy. Supported by the Safety and Governance team he/she will:
- provide advice and support for all staff on issues relating to data protection;
- oversee the investigation of adverse incidents in relation to data protection;
- develop and deliver a variety of training packages and resources for all staff regarding data protection;
- liaise with external organisations to develop appropriate information requesting processes and information sharing safeguards.

The Trust's Information Governance Manager will be responsible for ensuring that the Trust complies with national reporting requirements (currently through the Information Governance Toolkit and Care Quality Commission Regulations). He/she will provide regular reports to the Director of Safety and Governance and appropriate committees as required on all issues relating to this policy.

All Staff

All staff have a responsibility to ensure that they are aware of, and comply with this policy and procedures. Staff must adhere to the principles of the Data Protection Act 1998 and other relevant legislation in all dealings with, or when disclosing to external agencies, any personal, sensitive or otherwise confidential information. Where disclosure is not covered by local procedure they are responsible for seeking the advice of the Information Governance Manager.

7.2 Board and Committee Responsibilities

Trust Board

The Trust Board is responsible for assuring that the Trust has appropriate Information Governance systems to enable the organisation to deliver its objectives and statutory requirements.

Governance and Risk Committee

The Governance and Risk Committee is responsible for overseeing the Trust's Governance work program. Through the Information Governance Committee it will be responsible for monitoring progress with the implementation and delivery of this policy.

Information Governance Committee

The Information Governance Committee is responsible for ensuring the development, review and implementation of this and supporting policies. The Committee will:
- review and monitor activity to deliver this policy;
- advise on issues which may prevent implementation or compliance;
- review incidents which breach this policy;
- review and monitor the number and type of information requests.

As appropriate, it will advise the Governance and Risk Committee of issues of concern in relation to the management, security and disclosure of confidential information. The Committee is also responsible for the review and ratification of the Trust's annual submission to the Information Governance Toolkit.

8 Statutory Requirements

8.1 Notification/ Registration

The Trust must notify the Information Commissioner of:
- a description of the personal data being processed and the categories of the data subjects to which they relate.
- a description of the purposes of processing.
- a description of any recipients to whom the data controller intends or may disclose the data to.
- the name or description of any countries or territories outside the European Economic Area to which the data controller transfers or intends to transfer data.
- a description of the security measures taken to protect personal data.

The Information Governance Manager must be made aware of all new processing. The purpose for the use of the data will be checked against the Trust's Data Protection Notification so that any new processing can be added to the Trust's notification held by the Information Commissioner as appropriate. Data must only be used for purposes declared in the Trust's notification and must not be used for other non-registered purposes.

8.2 Access to information

All individuals, or in certain circumstances someone acting on their behalf, can request a copy of their personal data held by the Trust. An individual who makes a subject access request is entitled to:
- be told by the Trust whether any personal data is held about him/her, and
- be supplied with a copy of the information that forms any such personal data.

Requests are processed through 3 different routes in the Trust:
a) Where a request is made for access to employee data, then an HR advisor will process the request (the Trust's Data Protection Procedure and Guidance Notes - Management and Processing of Employee Personal Data, refers).
b) Where a request is made for access to medical records, then the Trust's Medical Records Office will process the request (the Trust's Access to Health Records Policy refers).
c) Any other requests for access to data not covered by a) and b) will be processed by the Information Governance Manager in line with the standards contained in the Act.

Where individuals have access to information they may wish to challenge the accuracy of the data. The Information Commissioner's Office states in a Data Protection Good Practice Note that:

"Personal information should be accurate, and where necessary kept up to date. This requirement will be met if a record accurately reflects the professional opinion. The Act cannot be used to challenge a professional opinion on the basis that it is inaccurate just because another person, even another practitioner, may have a different opinion. If the opinion contains factual information that is incorrect then it could be challenged. A challenge to a factual inaccuracy or the reliability of an opinion may be recorded alongside it, since it will usually be important to maintain the original record. This is because, for example, only the entire record will adequately show a medical history, record of care or why a course of action was taken. However, it is recommended that the fact that a challenge exists should be made clear on the record." (ICO, 2008 (1))

Where such a challenge arises the Information Governance Manager should be contacted.

8.3 Disclosure of personal data without consent

Under certain circumstances, the disclosure of personal information held by the Trust is required by law and in these situations the Trust does not require the consent of the data subject to disclose information. While the data subject should generally be made aware of the disclosure and informed why the data is being disclosed, it may not always be practicable to do so, e.g. where the police have made a request for disclosure under S.29 of the Act and have requested that we do not inform the data subject. (Attachment 1 to this policy refers.)

The Trust will disclose personal data in the following circumstances (not an exhaustive list):
- NHS Security and Counter Fraud Investigations: Under the NHS Act 2006 personal data should be released upon request.
- Disclosure to professional bodies: Bodies such as the General Medical Council and the Nursing Midwifery Council carry out fitness to practice hearings.
- Coroner's investigations: The Coroner may undertake investigations through the inquest process.

No information about an identifiable third party (who is not a healthcare professional involved in the data subject's care) that may be contained in records should be disclosed without the consent of the third party, e.g. we should not release social work reports that may be included in a patient's record without the consent of the social worker. The Trust's Information Governance Manager should be contacted if a subject access request is received.

8.4 Contract Clauses

All contractors employed by the Trust will be required to comply with this policy in addition to general legal requirements concerning confidentiality. Contracts must include appropriate clauses to comply with Data Protection, Confidentiality and Security requirements and the Contractor's liability for any breaches of the Trust's data policies.
8.5 Transfer of Data Outside of the EEA

Personal data cannot be transferred outside of the European Economic Area, unless the country has adequate levels of protection in place. The European Commission is responsible for deciding which countries have adequate levels of protection in place. This list changes on a regular basis. If identifiable information is to be shared outside of the countries in the European Economic Area please contact the Information Governance Manager who will assess whether the country has adequate levels of protection in place.

8.6 NHS Care Records Guarantee

The NHS Care Records Guarantee sets out the 12 commitments to patients with regard to the new NHS Care Record and local patient records. The guarantee includes details of how we share information and with whom, patients' right of access to information held about them, that staff are trained in their responsibilities, that we will adhere to the NHS Code of Practice on Confidentiality and that we will have audit processes in place to know who has accessed patient records. (DoH, 2011)

8.7 CCTV

The Trust has a separate policy detailing the use of closed circuit television that is based on guidance from the Information Commissioner. The policy provides guidance on the acceptable use and management of CCTV and in what circumstances the Trust will disclose footage captured by the system. (ICO, 2008 (2))

8.8 Complaints and appeals

Complaints about data protection procedures and decisions should be forwarded to the Information Governance Manager who will acknowledge the complaint and investigate the issues raised. A response will then be sent to the complainant detailing the outcome of the investigation and explaining any actions taken as a result. If the complainant is unhappy with the response at this stage of local resolution, then the complaint will be referred to a relevant senior manager to review. If the complaint cannot be resolved locally, then the complainant will be directed to the Information Commissioner's Office, who may decide to investigate the complaint further.

9 Data Protection Incidents

The Data Protection Act explains what may be termed an offence and it is the responsibility of each member of staff to make sure they understand how they comply with the Act in their daily duties. A breach of this policy (or any of the Data Protection Principles) should be considered as an incident and members of staff should complete an incident report. Examples include (this is not an exhaustive list):
- Any unauthorised disclosure of information
- Any unauthorised obtaining of data
- Accidental loss or destruction or damage to personal data
- Any unauthorised destruction/deletion of data
- Theft or damage to computer equipment or records
- Accessing a computer system using someone else's password
- Accessing medical information to which you are not entitled
- Faxing information to the wrong number

Action will be taken against members of staff who commit a deliberate or careless breach of the Act or the requirements set out in this policy and procedure.
Any member of staff keeping unauthorized data outside of the Trust's premises will be personally liable for any contravention of the Data Protection Act 1998 and could have disciplinary proceedings taken against them that could result in loss of employment.

10 Training Requirements

10.1 Awareness Training at Corporate Induction

Information Governance awareness training is included as a part of corporate induction for all new starters to the organisation. It is the responsibility of the Information Governance Manager to ensure that awareness materials disseminated at Corporate Induction are kept up to date and provided in sufficient quantities to meet the need of trainers.

Level 1 Training for all staff

The national mandate to complete IG Training for NHS staff was issued in Nov 2009 through the NHS Operating Framework Informatics Planning guidance 2010/11 which stated "All staff should receive annual basic IG training appropriate to their role." (DoH, 2009) The Trust has chosen to undertake this basic (level 1) training for all staff by disseminating a series of information leaflets. The content of the leaflets is mapped to the national content covering 1. Confidentiality, 2. Data Protection and Security and 3. Records Management.

10.3 Level 2 and Level 3 training

A Training Needs Analysis has identified staff that require additional training (level 2) in line with their specific role within the organisation. This requirement is correlated to the modules published on the Connecting for Health website, and these staff will be asked to complete the Connecting for Health modules online which includes a competency assessment and certification. (CfH 2011)

Level 3 training, for staff members working in the Information Governance team, will be provided through the nationally recognised Practitioner Certificate in Data Protection. This is a qualification for those that work in the fields of data protection and privacy, the syllabus of which has been designed in consultation with the Information Commissioner's Office with accreditation by The Law Society. (PDP, 2011)

11 Monitoring and Compliance

The Connecting for Health Information Governance Toolkit contains standards that relate directly to the Data Protection Act and its day to day implementation within the Trust. In particular, compliance with the requirements of the toolkit allows the Trust to provide appropriate and sufficient evidence that standards are being achieved, and signing the IG Statement of Compliance provides assurance of this fact. The evidence provided in support of the Trust's submission is independently audited on an annual basis and a report is provided to the Trust's audit committee for scrutiny. This will provide the monitoring mechanism for this policy.

In addition, the Information Governance Manager will provide reports to the Trust's Information Governance Committee on all of the work undertaken in complying with the Act, highlighting areas of concern in a timely fashion.

Serious incidents concerning the loss of data will be managed and reported in line with the Trust's Serious Untoward Incident Policy. This includes recording details of incidents in the Trust's annual report.

12 References

- Information Commissioner's Office (2), CCTV Code of Practice 2008, January 2008
- Information Commissioner's Office (1), Data Protection Good Practice Note - How does the Data Protection Act apply to professional opinions?, V
- Department of Health (1), NHS Care Records Guarantee v5.0, January
- Department of Health (2), NHS Operating Framework Informatics Planning guidance 2010/11, December
- Connecting for Health training modules: accessed June
- PDP Training: accessed January

Attachments

Attachment 1: Protocol for releasing patient information without consent under section 29 (3) of the Data Protection Act 1998 Prevention and detection of crime
Attachment 2: Ratification Checklist
Attachment 3: Equality Impact Assessment (EIA)
Attachment 4: Launch and Implementation Plan

Attachment 1: Protocol for releasing patient information without consent under section 29 (3) of the Data Protection Act 1998 Prevention and detection of crime

Data Protection Act 1998 Prevention and Detection of Crime

Patient information in the NHS is generally held under legal and ethical obligations of confidentiality. Information provided in confidence should not be used or disclosed in a form that might identify a patient without his or her consent. There are a number of exceptions to this rule, and this protocol addresses the release of information to the police under Section 29(3) of the Data Protection Act 1998 for the purpose of preventing and detecting crime. Although developed with West Midlands Police this protocol should also be followed when dealing with requests from other law enforcement agencies such as Department of Work and Pensions and UK Border Agency.

Whilst the police have no general right of access to healthcare records, Section 29(3) is a discretionary exemption that may allow the release of information for the prevention and detection of crime. Application of this exemption should be on a case by case basis and it is for the data controller (the Trust) to decide if failure to disclose the information is likely to prejudice the prevention or detection of crime or the apprehension or prosecution of offenders. Therefore it is for the data controllers within the NHS to decide when it is appropriate to disclose personal data and in the case of sensitive personal data heightened criteria for such disclosures apply.

The NHS Code of Confidentiality explains that Trusts are permitted to disclose personal information in order to prevent and support detection, investigation and punishment of serious crime and/or to prevent abuse or serious harm to others where they judge, on a case by case basis, that the public good that would be achieved by the disclosure outweighs both the obligation of confidentiality to the individual patient concerned and the broader public interest in the provision of a confidential service.

In this situation serious crime is defined as murder, manslaughter, rape, treason, kidnapping, child abuse or other cases where individuals have suffered serious harm and all such crime may warrant breaching confidentiality. Serious harm to the security of the state or to public order and crimes that involve substantial financial gain or loss will also generally fall within this category. In contrast, theft, fraud or damage to property where loss or damage is less substantial would generally not warrant breach of confidence.

Where the Trust considers that disclosure is justified it will be limited to the minimum necessary to meet the need and patients should be informed of the disclosure unless it would defeat the purpose of the investigation, allow a potential criminal to escape or put staff or others at risk. In the absence of a requirement to disclose there must be either explicit patient consent or a robust public interest justification and this decision should be made by the Trust's Caldicott Guardian. What is or isn't in the public interest is ultimately decided by the Courts and where a court order is obtained then Section 35(1) would apply which is an absolute exemption and compliance by the data controller is compulsory.

Data Protection Act S29(3): Law Enforcement Request for Healthcare Information

When a member of West Midlands Police (or any other law enforcement agency) requires healthcare information from the Trust and the patient has not given their consent for the release of information then an application under S29(3) of the Data Protection Act should be made. West Midlands Police have a pro forma that should be used to make the request, a copy of which is attached to this protocol. As a minimum the request should include:
- Name and collar/warrant number of requester
- Contact number
- Address of police station
- Date of request
- Authorising signature of an Inspector or above
- Clear statement of what is wanted and the crime that is being investigated

Under no circumstances will information be supplied to any law enforcement agency on an ad hoc or informal basis.

Completed application forms should be sent to the Trust's Information Governance Office on the secure fax number

The Trust will acknowledge the request and state the timescale by which time they will provide a response. Under the Data Protection Act 1998 the Trust has 40 days to respond to a request for information but will endeavour to provide a response as soon as possible.

For further information on this process you may telephone:
HEFT Information Governance /2629
West Midlands Police
Information Commissioners Office

WEST MIDLANDS POLICE
WA 17 (amended (Word 97

Telephone: * Extension: (8 digit code)
Direct Line:
Please Ask For:
Station/Department:
Crime Reference No:
Facsimile:
Crime Stoppers:
Our Reference:
Your Reference: -

DATA PROTECTION ACT 1998
Request for Disclosure of Personal Data Under section 29(3) of the Data Protection Act

In order to maintain Police Confidentiality you are requested not to inform the Data Subject(s) of this request.

I am making enquiries, which are concerned with
*(A) The prevention or detection of crime
*(B) The apprehension or prosecution of offenders

1. Please supply the following information concerning:
Name:
Date of birth:
Information required:

2. The information is necessary for investigating the offence of

3. Please supply reasons why this information is necessary (if this section is left blank due to the sensitivity of the investigation, the form requires the authorisation of a superintendent or higher).

I can verify that the personal data requested is required for the reason given above, and that failure to disclose the data would be likely to prejudice these matters. I confirm that to the best of my knowledge the information supplied herewith is complete and accurate.

4. Signed: Rank: Name: (BLOCK CAPITALS) Date:

5. Authorising Signature: Rank: Name: (BLOCK CAPITALS) Date:
(This application must be authorised by an Inspector or above)

* Please delete as appropriate

THIS FORM MUST BE ATTACHED TO THE CASE PAPERS AND RETAINED FOR A MINIMUM OF FIVE YEARS IN LINE WITH CURRENT FORCE POLICY.

Att

Attachment 2: Consultation and Ratification Checklist

Title: Data Protection Policy and Procedure

Ratification checklist (Details)

1 Is this a: Policy and procedure
2 Is this: New
3* Format matches Policies and Procedures Template (Organisation-wide): Yes
4* Consultation with range of internal/external groups/individuals: Information Governance Committee, HR, Equality and diversity, ICT, Safety & Governance, Estates, Corporate nursing
5* Equality Impact Assessment completed: Yes
6 Are there any governance or risk implications? (e.g. patient safety, clinical effectiveness, compliance with or deviation from National guidance or legislation etc): No
7 Are there any operational implications? No
8 Are there any educational or training implications? Yes
9 Are there any clinical implications? No
10 Are there any nursing implications? No
11 Does the document have financial implications? Yes see training
12 Does the document have HR implications? No
13* Is there a launch/communication/implementation plan within the document? Yes
14* Is there a monitoring plan within the document? Yes
15* Does the document have a review date in line with the Policies and Procedures Framework? Yes
16* Is there a named Director responsible for review of the document? Yes
17* Is there a named committee with clearly stated responsibility for approval monitoring and review of the document? Yes

Document Author / Sponsor: Fateha Choudhury, Title - Information Governance Manager, Date 11/03/2011
Ratified by (Chair of Committee or Executive Lead): Sarah Woolley, Title - Director of Safety and Governance, Date 11/03/2011

Attachment 3: Equality and Diversity - Policy Screening Checklist

Policy/Service Title:
Directorate:
Name of person/s auditing/developing/authoring a policy/service:
Aims/Objectives of policy/service: to define a systematic approach and required standards for the development, ratification, implementation, monitoring, review and retirement of Policies and associated Procedures.

Policy Content: For each of the following check the policy/service is sensitive to people of different age, ethnicity, gender, disability, religion or belief, and sexual orientation? The checklists below will help you to see any strengths and/or highlight improvements required to ensure that the policy/service is compliant with equality legislation.

1. Check for DIRECT discrimination against any group of SERVICE USERS:

Question: Does your policy/service contain any statements/functions which may exclude people from using the services who otherwise meet the criteria under the grounds of:
Columns: Response (Yes / No), Action required (Yes / No), Resource implication (Yes / No)

1.1 Age? x
1.2 Gender (Male, Female and Transsexual)? x
1.3 Disability? x
1.4 Race or Ethnicity? x
1.5 Religious, Spiritual belief (including other belief)? x
1.6 Sexual Orientation? x
1.7 Human Rights: Freedom of Information/Data Protection

If yes is answered to any of the above items the policy/service may be considered discriminatory and requires review and further work to ensure compliance with legislation.

2. Check for INDIRECT discrimination against any group of SERVICE USERS:

Question: Does your policy/service contain any statements/functions which may exclude employees from operating the under the grounds of:
Columns: Response (Yes / No), Action required (Yes / No), Resource implication (Yes / No)

2.1 Age? x
2.2 Gender (Male, Female and Transsexual)? x
2.3 Disability? x
2.4 Race or Ethnicity? x
2.5 Religious, Spiritual belief (including other belief)? x
2.6 Sexual Orientation? x
2.7 Human Rights: Freedom of Information/Data Protection x

x

Heart of England NHS Foundation Trust View/Print date 02 February 2012

If yes is answered to any of the above items the policy/service may be considered discriminatory and requires review and further work to ensure compliance with legislation.

TOTAL NUMBER OF ITEMS ANSWERED YES INDICATING DIRECT DISCRIMINATION =

3. Check for DIRECT discrimination against any group relating to EMPLOYEES:

Question: Does your policy/service contain any conditions or requirements which are applied equally to everyone, but disadvantage particular persons because they cannot comply due to:
Columns: Response (Yes / No), Action required (Yes / No), Resource implication (Yes / No)

3.1 Age? x
3.2 Gender (Male, Female and Transsexual)? x
3.3 Disability? x
3.4 Race or Ethnicity? x
3.5 Religious, Spiritual belief (including other belief)? x
3.6 Sexual Orientation? x
3.7 Human Rights: Freedom of Information/Data Protection

If yes is answered to any of the above items the policy/service may be considered discriminatory and requires review and further work to ensure compliance with legislation.

4. Check for INDIRECT discrimination against any group relating to EMPLOYEES:

Question: Does your policy/service contain any statements which may exclude employees from operating the under the grounds of:
Columns: Response (Yes / No), Action required (Yes / No), Resource implication (Yes / No)

4.1 Age? x
4.2 Gender (Male, Female and Transsexual)? x
4.3 Disability? x
4.4 Race or Ethnicity? x
4.5 Religious, Spiritual belief (including other belief)? x
4.6 Sexual Orientation? x
4.7 Human Rights: Freedom of Information/Data Protection x

If yes is answered to any of the above items the policy/service may be considered discriminatory and requires review and further work to ensure compliance with legislation.

TOTAL NUMBER OF ITEMS ANSWERED YES INDICATING INDIRECT DISCRIMINATION = 0

x

Signatures of authors / auditors: F. Choudhury
Date of signing: 11/03/2011

Equality Action Plan/Report

Directorate:
Service/Policy:
Responsible Manager:
Name of Person Developing the Action Plan:
Consultation Group(s):
Review Date:

The above service/policy has been reviewed and the following actions identified and prioritised. All identified actions must be completed by:

Columns: Action, Lead, Timescale

- Rewriting policies or procedures
- Stopping or introducing a new policy or service
- Improve/increased consultation
- A different approach to how that service is managed or delivered
- Increase in partnership working
- Monitoring
- Training/Awareness Raising/Learning
- Positive action
- Reviewing supplier profiles/procurement arrangements
- A rethink as to how things are publicised

Review date of policy/service and EIA: this information will form part of the Governance Performance Reviews

If risk identified, add to risk register. Complete an Incident Form where appropriate.

When completed please return this action plan to the Trust Equality and Diversity Lead; Pamela Chandler or Jane Turvey. The plan will form part of the quarterly Governance Performance Reviews.

Signed by Responsible Manager: Date:

Attachment 4: Launch and Implementation Plan

To be completed and attached to any document which guides practice when submitted to the appropriate committee for consideration and approval.

Action Who When How

Identify key users / policy writers Present Policy to key user groups Add to Policies and Procedures intranet page / document management system. Offer awareness training / incorporate within existing training programmes Circulation of document (electronic) Information Governance Manager Information Governance Manager Information Governance Officer Information Governance Manager Not applicable February 2011 February 2011 March Upload April 2011 Data protection leaflets to all staff On intranet site


More information

Data Protection. Document Detail Type of Document (Stat Policy/Policy/Procedure) Category of Document (Trust HR-Fin-FM-Gen/Academy) General

Data Protection. Document Detail Type of Document (Stat Policy/Policy/Procedure) Category of Document (Trust HR-Fin-FM-Gen/Academy) General Data Protection Document Detail Type of Document (Stat Policy/Policy/Procedure) Policy Category of Document (Trust HR-Fin-FM-Gen/Academy) General Index reference number Approved 26/04/18 Approved by Trust

More information

SHENLEY BROOK END SCHOOL

SHENLEY BROOK END SCHOOL SHENLEY BROOK END SCHOOL DATA PROTECTION POLICY Linked Policies: CCTV Review Information Reviewed by Finance Pay and Personnel Committee 15 May 2012 Reviewed by Policy Committee August 2013 Adopted by

More information

Douai Abbey Parishes Trust

Douai Abbey Parishes Trust PRIVACY NOTICE FOR DOUAI ABBEY PARISHES TRUST (DAPT) 1 INTRODUCTION 1.1 Douai Abbey Parishes Trust (DAPT) (the "Trust") is a charity registered with the Charity Commission in England and Wales. Our charity

More information

DATED. 14 th MAY 2018 GDPR PRIVACY NOTICE FOR TRUSTEES, EMPLOYEES, VISITORS, STUDENTS, CHILDREN ATTENDING

DATED. 14 th MAY 2018 GDPR PRIVACY NOTICE FOR TRUSTEES, EMPLOYEES, VISITORS, STUDENTS, CHILDREN ATTENDING DATED 14 th MAY 2018 GDPR PRIVACY NOTICE FOR TRUSTEES, EMPLOYEES, VISITORS, STUDENTS, CHILDREN ATTENDING UNIVERSITY NURSERY PARENTS ASSOCIATION (UNPA) AND THEIR PARENTS. Compiled by For NDNA 1 st Floor

More information

INFORMATION GOVERNANCE STRATEGY. Documentation control

INFORMATION GOVERNANCE STRATEGY. Documentation control INFORMATION GOVERNANCE STRATEGY Documentation control Reference Date Approved Approving Body Version Supersedes Consultation Undertaken Target Audience Supporting procedures GG/INF/01 TRUST BOARD Information

More information

P Drive_GDPR_Data Protection Policy_May18_V1. Skills Direct Ltd ( the Company ) Data protection. Date: 21 st May Version: Version 1.

P Drive_GDPR_Data Protection Policy_May18_V1. Skills Direct Ltd ( the Company ) Data protection. Date: 21 st May Version: Version 1. Company Name: Document DP3 Topic: Skills Direct Ltd ( the Company ) Data Protection Policy Data protection Date: 21 st May 2018 Version: Version 1 Contents Introduction Definitions Data processing under

More information

University for the Creative Arts Application Declaration. Data Protection Privacy Notice

University for the Creative Arts Application Declaration. Data Protection Privacy Notice University for the Creative Arts Application Declaration Data Protection Privacy Notice The University for the Creative Arts takes its obligations with regard to data protection seriously. As such, we

More information

Abercorn Care Limited Employment Application Form

Abercorn Care Limited Employment Application Form Abercorn Care Limited Employment Application Form (REGULATED ACTIVITES ONLY) POSITION APPLIED FOR: CARE HOME: The following information will be treated in the strictest confidence. Personal Surname: First

More information

POLICY. Data Breach Notification Policy. Version Version 1.0. Equality Impact Assessment Status. Date approved 23 rd May 2018

POLICY. Data Breach Notification Policy. Version Version 1.0. Equality Impact Assessment Status. Date approved 23 rd May 2018 POLICY Document Title Data Breach Notification Policy Version Version 1.0 Equality Impact Assessment Status TBC Approved by Senior Management Team Date approved 23 rd May 2018 Effective date 25 th May

More information

CHANNING SCHOOL DATA PROTECTION POLICY

CHANNING SCHOOL DATA PROTECTION POLICY CHANNING SCHOOL DATA PROTECTION POLICY The School may amend/change/update this Policy from time to time. 1. Background Data protection is an important legal compliance issue for Channing School. During

More information

Data Protection Policy. UK Policy May 2018

Data Protection Policy. UK Policy May 2018 UK Policy May 2018 5 & 7 Diamond Court, Opal Drive, Eastlake Park, Fox Milne, Milton Keynes MK15 0DU, T: 01908 396250, F: 01908 396251 www.cognitaschools.co.uk Registered in England Cognita Limited No

More information

GROUP DATA PROTECTION POLICY

GROUP DATA PROTECTION POLICY GROUP DATA PROTECTION POLICY Conducting business the right way Safeguarding our customer and employee personal data Version 1 [August 2016] CONDUCTING BUSINESS THE RIGHT WAY Our Values, Doing the Right

More information

INFORMATION GOVERNANCE POLICY AND FRAMEWORK

INFORMATION GOVERNANCE POLICY AND FRAMEWORK INFORMATION GOVERNANCE POLICY AND FRAMEWORK Policy approved by: Audit and Governance Committees Date: 9 th October 2017 Next Review Date: September 2018 Version: 4.0 Information Governance Policy & Framework

More information

Brasenose College is committed to protecting the privacy and security of personal data.

Brasenose College is committed to protecting the privacy and security of personal data. This privacy notice (v1.2) applies to data processing activities undertaken by Brasenose College for security and monitoring relating to staff, students and visitors to College premises including CCTV,

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Title: Data Protection Policy Ref:CP005 Version:2 Approval Body: Corporation via Audit & Risk Committee Date:24th March 2015 Review Date: 24th March 2018 Lead Person: Director, Institutional Effectiveness

More information

PRIVACY NOTICE for Welsh St Donat s Community Council, May 2018

PRIVACY NOTICE for Welsh St Donat s Community Council, May 2018 PRIVACY NOTICE for Welsh St Donat s Community Council, May 2018 NOTE: Welsh St Donat s Community Council is a small, rural Community Council and, compared with many councils and public bodies, processes

More information

GDPR Annotated Privacy Statement

GDPR Annotated Privacy Statement GDPR Annotated Privacy Statement Granicus September 6, 2018 granicus.com info@granicus.com page 1 Introduction: Granicus LLC. and GovDelivery Europe, Ltd. ( Granicus or Company ) is committed to maintaining

More information

Parent / Carer Privacy Notice

Parent / Carer Privacy Notice Document No. PP Issue No. 1 Issue Date: 2018-05-24 Renewal Date: 2019-05-24 Originator: Kate Frith Responsibility: Director of Resources 1. Policy statement Parent / Carer Privacy Notice We are Fullhurst

More information

LSEG Recruitment Privacy Notice

LSEG Recruitment Privacy Notice LSEG Recruitment Privacy Notice Version 1.0 16 May 2018 RECRUITMENT PRIVACY NOTICE 1. INTRODUCTION 1.1 This Privacy Notice explains how the London Stock Exchange Group plc and the London Stock Exchange

More information

LEICESTER HIGH SCHOOL DATA PROTECTION POLICY

LEICESTER HIGH SCHOOL DATA PROTECTION POLICY LEICESTER HIGH SCHOOL DATA PROTECTION POLICY 1. Background Data protection is an important legal compliance issue for Leicester High School. During the course of the School's activities it collects, stores

More information

Data Protection Policy & Procedures

Data Protection Policy & Procedures Data Protection Policy & Procedures Scope In this document, the terms we, us, our and/or Clear Sky refer to Clear Sky Children s Charity. The term you and/or your refer to all employees of Clear Sky, who

More information

Project Title. Project Number. Privacy Impact Assessment

Project Title. Project Number. Privacy Impact Assessment Project Title Project Number Privacy Impact Assessment This document is classified as Official and is disclosable under the terms of the Freedom of Information Act. No part of the report should be disseminated

More information

Disciplinary Policy and Procedure. Chair of Governors. Executive Headteacher

Disciplinary Policy and Procedure. Chair of Governors. Executive Headteacher Disciplinary Policy and Procedure Signature: Name:.. Chair of Governors Signature: Name:.. Executive Headteacher Date: Date:. Reviewed October 2014 Reviewed November 2015 Reviewed and Amended October 2016

More information

WHAT PAYROLL PROFESSIONALS NEED TO KNOW ABOUT THE GENERAL DATA PROTECTION

WHAT PAYROLL PROFESSIONALS NEED TO KNOW ABOUT THE GENERAL DATA PROTECTION WHAT PAYROLL PROFESSIONALS NEED TO KNOW ABOUT THE GENERAL DATA PROTECTION REGULATION (GDPR) WHAT PAYROLL PROFESSIONALS NEED TO KNOW ABOUT THE GENERAL DATA PROTECTION REGULATION (GDPR) Published by: The

More information

Privacy Policy of Townsville Motor Boat & Yacht Club Limited - Liquor Licence Number 84145

Privacy Policy of Townsville Motor Boat & Yacht Club Limited - Liquor Licence Number 84145 Privacy Policy of Townsville Motor Boat & Yacht Club Limited - Liquor Licence Number 84145 Application The Privacy Policy applies to personal information collected by the club, as the club is an applicable

More information

Privacy Policy of Brothers Leagues Club Ipswich Inc. Community Club Licence No

Privacy Policy of Brothers Leagues Club Ipswich Inc. Community Club Licence No Privacy Policy of Brothers Leagues Club Ipswich Inc. Community Club Licence No. 80331. Application The Privacy Policy applies to personal information collected by the club, as the club is an applicable

More information

Foundation trust membership and GDPR

Foundation trust membership and GDPR 05 April 2018 Foundation trust membership and GDPR In the last few weeks, we have received a number of enquiries from foundation trusts concerned about the implications of the new General Data Protection

More information

Responsible Business Alliance. Data Privacy and GDPR Compliance Policy

Responsible Business Alliance. Data Privacy and GDPR Compliance Policy Responsible Business Alliance Data Privacy and GDPR Compliance Policy 1. INTRODUCTION 1.1 As a global non-profit membership organisation, the Responsible Business Alliance ( RBA ) has a responsibility

More information