
Data protection policy - The Rotherham NHS Foundation Trust

Ref No: 108

DATA PROTECTION POLICY

SECTION 1

PROCEDURAL INFORMATION

Version: 6

Ratified by: Document Ratification Group

Date ratified: September 2018

Name of author: IG Assurance and Security Manager

Name of responsible committee: Information Governance Committee

Date issued: September 2018

Review date: September 2019

Target audience: All Staff, Contractors, agents, elected members, FT members, charitable groups, partners or other service providers of the Trust

Copyright © 2018 The Rotherham NHS Foundation Trust


Document History Summary

Version | Date | Author | Status | Comment

1.0 | 02.04.08 | Human Resources Advisor | Draft | Initial Draft document

1.1 | 28.04.08 | Human Resources Advisor | Draft | Draft to Head of Information for comments

2.0 | 05.09.08 | Head of Information | Draft | Policy combined with Health Records Subject Access Policy

2.1 | 28.10.08 | Head of Information | Draft | Comments incorporated

2.2 | 08.01.09 | Head of Information | Draft | Feedback from IGSG incorporated

2.3 | 15.04.09 | Head of Information | Approved | Feedback from IGSG and revised approval mechanism incorporated

3a | 15.07.11 | Head of Information & Performance | Draft | To take account of integration with Community Services and EPR

3b | 25.11.11 | Head of Information & Performance | Draft | Feedback from IGSG incorporated

3c | 07.12.11 | Head of Information & Performance | Draft | Revisions to Appendix 2 – Release of Health Records

3d | 03.03.11 | Head of Information & Performance | Draft | Feedback from Policy Ratification Group incorporated

3e | 14.05.12 | Head of Information & Performance | Draft | Revisions to approval mechanism and certain titles in roles and responsibilities section

3 | 24.05.12 | Head of Information & Performance | Final | PRG approved

4a | 30.11.15 | IG Assurance and Security Manager | Draft | Review

4b | 07.12.15 | IG Assurance and Security Manager | Draft | Reviewed following IGC member comments.

4c | 11.01.16 | IG Assurance and Security Manager | Draft | Amended following comments from DRG.

4 | Jan 2016 | IG Assurance and Security Manager | Final | Ratified by Trust Document Ratification Group

5a | May 2018 | IG Assurance and Security Manager | Draft | Updated to include reference to Data Protection Act 2018.

5 | May 2018 | IG Assurance and Security Manager | Final | Ratified by Trust Document Ratification Group

6a | Sept 2018 | IG Assurance and Security Manager | Draft | Updated to include changes in the Data Protection Act 2018.

6b | Sept 2018 | IG Assurance and Security Manager | Draft | Updated to include all changes in the Data Protection Act 2018 and changes to Trust Internet.

6 | Sept 2018 | IG Assurance and Security Manager | Final | Ratified by Trust Document Ratification Group

Version 6 DATA PROTECTION POLICY Page 2 of 24. Please check the intranet to ensure you have the latest version

Section 1 Contents

Section Title Page

1 Introduction 6

2 Purpose & Scope 6

2.1 Purpose 6

2.2 Scope 7

3 Roles & Responsibilities 7

4 Procedural Information 11

4.1 Registration and Notification to the Information Commissioner 11

4.2 The Six Principles of Data Protection 11

4.3 Rights of the Data Subject 11

4.4 Exemptions 12

4.5 Sensitive Personal Data 12

4.6 Processing Data 13

4.7 Transferring Data Abroad 13

4.8 Written Requests to Supply Data (Subject Access Requests (SARs)) 13

4.9 Withholding Data 14

4.10 Opting In/Out 14

4.11 Possible Consequences of a Breach of Confidentiality 14

5 Definitions & Abbreviations 15

5.1 Definitions 15

5.2 Abbreviations 15

6 References 15

7 Associated Documentation 16

Section 1 Appendices

Appendix Title Page

Appendix 1 Subject Access Request for non-health records 17


Section 2 Contents

Section Title Page

8 Consultation and Communication with Stakeholders 20

9 Document Approval 20

10 Document Ratification 20

11 Equality Impact Assessment 20

12 Review and Revision Arrangements 20

13 Dissemination and Communication Plan 20

14 Implementation and Training Plan 21

15 Plan to monitor the Compliance with, and Effectiveness of, the Trust Document 22

15.1 Process for Monitoring Compliance and Effectiveness 22

15.2 Standards/Key Performance Indicators 23

Section 2 Appendices

Appendix Title Page

Appendix 1 Completed Equality Impact Assessment 24


1. INTRODUCTION

The Rotherham NHS Foundation Trust is committed to compliance with the Data Protection Act 2018 and will follow procedures that aim to ensure that all employees, contractors, agents, elected members, partners or other service providers of the Trust are fully aware of and abide by their duties and responsibilities under the DPA, taking account also of the requirements set out in the following legislation:

Crime and Disorder Act 1998

Human Rights Act 1998

Police Act 1997

Access to Health Records Act 1990

Freedom of Information Act 2000

The Trust will ensure that personal data is handled legally, securely, efficiently and effectively and in accordance with the eight principles of the Data Protection Act 2018 (see paragraph 4.2 below).

This Policy sets out the process for accessing both Health Records and Non-Health Records held by the Trust.

In order to operate efficiently the Trust will collect and use data relating to patients receiving care and the people with whom it collaborates, including members of the public, current, past and prospective employees, suppliers and other visitors. In addition, it may be required by law to collect and use data in order to comply with the statutory requirements of the Department of Health, NHS England, the Health and Social Care Information Centre and other government departments.

All personal data, regardless of how it is collated, recorded, utilised and disposed of, whether on paper, by computer or other recording material, will be handled by the Trust within the safeguarding principles of the DPA and Information Governance frameworks issued by the Department of Health.

2. PURPOSE & SCOPE

2.1 Purpose

This policy applies to the handling of all Personal Data that is used within the Rotherham NHS Foundation Trust, held on any media including CCTV, Dictaphone, electronic or manual records.

This Policy can be found in the Information Governance Policies section of the Trust’s Intranet.


This Policy forms part of a framework of other Information Governance policies which can also be found on the Trust’s Intranet (see section 7 for further details).

2.2 Scope

This Policy applies to all employees of the Trust, including Medical and Dental employees, contractors, agents, elected members, FT members, charitable groups, partners or other service providers of the Trust.

3 ROLES & RESPONSIBILITIES

Roles and Responsibilities

Chief Executive The Chief Executive has overall responsibility for:

Ensuring that the processes are in place for the implementation of the policy.

Ensuring that the processes are in place for the monitoring of the policy.

These responsibilities are delegated as described.

Data Controller The Rotherham NHS Foundation Trust is the Data Controller. The Chief Executive has overall responsibilities for the organisation and may delegate relevant duties to both the Data Protection Officer and Senior Officers as appropriate.

Data Protection Officer The designated Data Protection Officer will be responsible for ensuring overall compliance with the Data Protection Act 2018, Access to Health Records Act 1990 and this policy. This officer holds responsibility to the Chief Executive and Board with delegated roles and responsibilities documented in their job description.

All staff will be made aware of the identity of the Data Protection Officer and the policies and procedures surrounding Data Protection and Confidentiality.

Data Owners Data Owners will be identified for all items of Personal Data kept and used by the Trust. The Data Owners will normally be the most appropriate departmental manager or designated Information Asset Owner (IAO) and will be responsible for risk management of the information asset(s) within their responsibility.

Data Protection Lead For the purpose of implementation of this Policy, the nominated Data Protection Lead for the Trust is responsible for reviewing the Data Protection Register annually and for notifying the Information Commissioner of any changes within 28 days.


The Data Protection Lead, in conjunction with the Senior Information Risk Owner, will determine, through appropriate management and the use of strict criteria and controls, the purpose for which non-clinical personal data can be processed.

Senior Information Risk Owner (SIRO)

The SIRO shall advise the Chief Executive, as Accounting Officer, and the Trust Board on data protection issues and provide periodic reports and briefings. The SIRO is a member of the Trust Board who is responsible for ensuring that organisational information risk is properly identified and managed and that appropriate assurance mechanisms exist.

The Caldicott Guardian The Caldicott Guardian has lead responsibility for strategy and governance issues (relating to patient information), confidentiality & data protection expertise, internal information processing and information sharing with external bodies.

The Caldicott Guardian will authorise the sharing of patient information when consent has not been obtained.

IG Assurance & Security Manager

The IG Assurance & Security Manager will act as the Privacy Officer for the Trust. They will ensure adequate processes are in place to maintain the security of personal data held, and that audit mechanisms are implemented to ensure compliance.

Information Governance Team

The Information Governance Department will be responsible for the implementation of this policy.

Health Records Manager The Health Records Manager will ensure health records are maintained according to national legislation and guidance. The Health Records Manager will act as the Data Officer in relation to clinical data/health records.

The Health Records Manager will provide practical support and advice to all employees on the application of this Policy in relation to clinical data/health records.

Health Records Representatives

As designated by the Health Records Manager, Health Records representatives will collect and process appropriate data and only to the extent that it is required to fulfil operational needs or to comply with any statutory or information governance standards.

Head of Human Resources

The Head of Human Resources must ensure that personal data held by the Human Resources Department is protected from unauthorised or unlawful access, loss or disclosure. The Head of Human Resources will act as the Data Officer in relation to Human Resources records.

Human Resources Representatives

As designated by the Head of Human Resources, Human Resources representatives will collect and process appropriate data and only to the extent that it is required to fulfil operational needs or to comply with any statutory or information governance standards.

The Human Resources Department will provide practical support and advice to all employees on the application of this Policy in relation to non-clinical data.

Director of Estates and Facilities

Shall be responsible for compliance with the DPA and related legislation in relation to personal data obtained through the Directorate’s activities, including but not limited to:

Telephone logging

The use of CCTV

Staff Car Parking

Card issue

ID Badges

Trade Unions/Employee Representatives

Trade unions will collect and maintain personal data in order to provide membership services and comply with certain statutory obligations.

All personal data will be treated with the utmost confidentiality and with appropriate levels of security.

Contractors/Consultants/Partners or other Servants or Agents

All collaborators with the Trust must ensure that:-

They and all of their employees who have access to personal data held or processed for or on behalf of the Trust are aware of this Policy and are fully trained in and are aware of their duties and responsibilities under the DPA. Any breach of any provision of the DPA will be deemed as being a breach of any contract between the Trust and that individual, company, partner or firm.

Data Protection audits required by the Trust are permitted upon request

The Trust is indemnified against any prosecutions, claims, proceedings, actions or payments of compensation or damages, without limitation.

All Employees Employees are responsible for ensuring that this Policy (and related policies in paragraph 7) is followed.

Employees must ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure and in particular will ensure that personal data is kept:-

In a safe place where there would be no unauthorised access, and must not be left unattended in public/waiting areas

In a locked filing cabinet or drawer where possible

In an office with restricted access, or

On disk, memory stick or other electronic storage system, where appropriate security measures must be used (contact the IT Service Desk for further information)

Employees must:-

Check that any personal data they provide to the Trust is accurate and up to date

Ensure data provided by and recorded for others (i.e. patients) is accurate and up to date

Inform the Trust of any changes to personal data they have provided, e.g. change of address, change of name, photographic identity

Check the accuracy of data, including sensitive data, which the Trust may send out from time to time, in order to update existing personal data.

Understand that they must be appropriately trained and supervised to handle Data including requests for the disclosure or sharing of Data

Employees have the right to request a copy of their personal data held by the Trust (see paragraph 4.8 – Written Requests to Supply Data).

Any breach of this Policy and Procedure may result in disciplinary action being taken.


4 PROCEDURAL INFORMATION

4.1 Registration and Notification to the Information Commissioner

The IG Assurance and Security Manager is responsible for notifying the Information Commissioner regarding the Trust’s Data Protection Register Entry and for supplying details of any subsequent amendments.

The Register Entry describes, in general terms, the personal data being processed by the Trust and includes:

Staff Administration

Accounts and Records

Health Administration and Services

Research

Crime Prevention and Prosecution of Offenders

Public Health

Administration of Membership Records

Data Matching

Advertising, Marketing & Public Relations

Fundraising

Pastoral Care

Property Management

Realising the Objectives of a Charitable Organisation or Voluntary Body

4.2 The Six Principles of Data Protection

The Data Protection Act 2018 stipulates that anyone processing personal data must comply with the Six Principles of good practice. These Principles, which are legally enforceable, require that personal data is:-

Used fairly, lawfully and transparently

Used for specified, explicit purposes

Used in a way that is adequate, relevant and limited to only what is necessary

Accurate and, where necessary, kept up to date

Kept for no longer than is necessary

Handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage

4.3 Rights of the Data Subject

To access information of which they are the subject

To consent or to withhold consent

To opt out of direct marketing

To restrict automated decision making

To ask for an assessment

To apply for subject access


4.4 Exemptions

The rights of Data Subjects can be restricted on the following grounds:-

National security

Crime and taxation

Health, education and social work

Regulatory activities

Journalism, literature and art

Research, history and statistics

Legal privilege

Confidential references given by the Data Controller

Further categories introduced by the Secretary of State

4.5 Sensitive Personal Data

The DPA 2018 makes a distinction between personal data and “sensitive” personal data which refers to the following:-

Racial or ethnic origin

Political opinion

Religious or other beliefs

Trade Union membership

Physical or mental health or condition

Sexual life

Criminal proceedings or convictions

Sensitive personal data can be processed provided that at least one of the following conditions has been met:-

The Data Subject has given their explicit consent

It is necessary for monitoring equal opportunities

It is a legal requirement of the subject’s employment

It is necessary to protect the vital interests of the subject

It is carried out by certain non-profit bodies established for political, philosophical, religious or trade union purposes

It is necessary for legal proceedings

It is necessary for medical purposes

The Secretary of State has given consent

It is necessary for the prevention or detection of any unlawful act

It is necessary for the provision of services such as confidential counselling or advice

It is necessary for insurance or occupational pension scheme contracts

This list is not exhaustive and new categories may be added by the Secretary of State.

4.6 Processing Data


An essential requirement of the DPA is that all data must be processed “fairly”. The Trust will therefore ensure that:-

The Data Subject will not be deceived or misled

The Data Subject will be informed of the purpose for which the personal data is intended to be used by the Information Officer or their nominated deputy

The Data Subject will be informed whether the data is likely to be passed to a third party

4.7 Transferring Data Abroad

Personal Data will not be transferred outside of the United Kingdom unless that country or territory “ensures adequate level of protection” for the rights and freedoms of Data Subjects.

Transfers of Data may take place:

Where the data subject has given explicit consent

It is necessary to perform or make a contract

By reason of substantial public interest

Is part of Personal Data on a Public Register

Is on terms approved by the Information Commissioner

Patient Identifiable Information must only be transferred outside the UK on approval of the Caldicott Group / Caldicott Guardian

4.8 Written Requests to Supply Data (Subject Access Request (SARs))

The Trust maintains two processes for SARs: one for patients’ health records and one for non-health records. The Trust has a standard operating procedure for the SAR of health records which is available on The Hub and the Trust’s external Internet pages.

The SAR procedure for non-health records is outlined in Appendix 1.

Upon written request from the Data Subject, the Data Officer, or their nominated deputy, is obliged to supply:-

A description of the Data

The purpose for which Data is being held

The source of the Data

The person(s) to whom the Data will be or may be disclosed

Proof of identity will be required to ensure that data is provided to the correct individual. Where a request is made in person, two original pieces of documentation, for example a recent utility bill or bank statement showing the individual’s name and current address, will be required. In some cases additional details such as a passport or photo ID driving licence may be required due to the sensitive nature of the information held. Where the request is to be sent via the post, this will only be sent to the registered address for the individual. If another address is stipulated, this will be investigated further to determine the legitimacy of the request.

The Data Officer will supply everything held at the time the application was made within 1 month (see paragraph 4.9. below regarding disproportionate effort).

4.9 Withholding Data

Data may be withheld either if the Subject agrees or if the supply of information would involve disproportionate effort.

Data may also be withheld if it identifies a third party.

4.10 Opting In / Out

Employees must read carefully any documentation which implies their consent to the processing of personal data, for example, the completion of a booking form for a conference which states that information may be used for other specific purposes as this may be beyond the control of the Trust.

On occasions where an employee may be asked to participate in any photographic or other publicity campaign on behalf of the Trust, employees will be consulted and unless the employee explicitly opts out, consent will be assumed by attendance in the photograph or campaign.

Employees have the right to opt out of Direct Marketing and in deciding to do so, should ensure that the relevant tick box indicating Direct Marketing is NOT checked.

The Trust will ensure that employees are kept informed of the methods used to arrive at any automated decisions (e.g. job applications) thereby giving the choice of opting out of the process.

4.11 Possible Consequences of a Breach of Confidentiality (From the Trust Code of Conduct for Staff)

The Trust employs three levels of breach relating to confidentiality. Penalties for these infractions will range from informal warnings through to dismissal.

Minor Misconduct: Inadvertent disclosure of privileged or confidential information.

Serious Misconduct: Careless disclosure of privileged or confidential information.

Gross Misconduct: Deliberate disclosure of privileged or confidential information to unauthorised people.

5 DEFINITIONS AND ABBREVIATIONS


5.1 Definitions

Data – Information held on a computer, filing system or part of any accessible record

Data Controller – Data controllers will usually be organisations or a person who either alone or jointly in common with others determines the purposes for which personal data will be used. The IG Assurance and Security Manager will carry out this role within the Trust.

Data Officer – A person designated by the Data Controller to process data requests and who jointly ensures that methods are in place to secure personal data. The Director of Human Resources & Health Records Manager will carry out this role within the Trust.

Data Protection Lead – The role of the Data Protection Lead is to ensure that the organisation complies with the Data Protection Act 2018, and to ensure that employees are fully informed of their own responsibilities for acting within the law and that the public, including employees, are informed of their rights under the Act.

Data Subject – An individual who is the subject of the personal data being kept

Personal Data – Information relating to a living individual who can be identified from the Data and other information in the possession of the Data Controller and includes any expression of opinion about that individual.

5.2 Abbreviations

CSU Clinical Service Unit

DPA The Data Protection Act 2018

EPR Electronic Patient Record

FT Foundation Trust

HODs Heads of Department

IT Information Technology

ICO The Information Commissioner’s Office

IAO Information Asset Owner

IGC Information Governance Committee

SIRO Senior Information Risk Owner

6 REFERENCES

The Data Protection Act 2018

Freedom of Information Act 2000

NHS Information Governance Toolkit

Data Protection Good Practice – Information Commissioner’s Office


NHS Employers – Policies and best practice procedures

Benchmarking other NHS and Public Sector Data Protection practices

7 ASSOCIATED DOCUMENTATION

IT Security & Acceptable Use Policy

Health Records Policy

Information Governance Policy

Policy on the Use & Protection of Patient Information (Confidentiality Code of Conduct)

Corporate Records Management Policy

Risk Register & Risk Management Policy

Safe Haven Policy

Subject Access Request SOP


Section 1 Appendix 1

THE DATA PROTECTION ACT 2018

SUBJECT ACCESS REQUEST FORM – NON HEALTH RECORDS

Please refer to the attached guidance notes overleaf.

SECTION A: PERSONAL DETAILS

Surname: Former name (if applicable):

MR/MRS/MISS/MS: First Name(s):

Date of Birth: Employee No:

Present Address: Post Code

Telephone No:

Mobile No:

SECTION B: DETAILS OF THE DATA REQUESTED

Subject/Topic/Area

SECTION C: PROOF OF IDENTIFICATION

Documents Supplied (See attached Guidance Notes)

SECTION D:

The completed form and supporting proof of identity should be submitted to: Chief Human Resources Officer, Data Officer, Rotherham General Hospital, Moorgate Road, Rotherham S60 2UD

Signature of applicant: ………………………………………………………………………

Date ……………………………

PRINT NAME: …………………………………………………………………………………


SUBJECT ACCESS REQUEST FORM GUIDANCE NOTES – NON HEALTH RECORDS

1. Personal Details: Please complete your personal details as requested. Please tell us if you have been previously known by any other name. If you are requesting historical information, please provide as many details as possible, e.g. previous addresses (use a separate sheet if necessary).

2. Details of the Data you require: You should give as much assistance as you can about particular areas to search so that we can give you what you require without delay. You should also give any relevant reference numbers that might be useful. These details are required to assist in locating the data so that you can be given a copy of everything.

3. Proof of Identification: Proof of name and address is required to ensure we only give information to the correct person. We require two original pieces of documentation, for example, a recent utility bill, bank statement (photocopies are not acceptable) showing your name and address. In some cases, additional details such as a passport or photo ID driving licence may be required due to the sensitive nature of the information held.

4. Keep your documents secure: Always send important documents by recorded delivery or other special post as necessary. The Trust cannot be held liable for items lost in the post.

5. If you have any questions relating to identification requirements or any other aspect of a subject access request, please contact the Human Resources Department by telephone on 01709 820000.


DATA PROTECTION POLICY

SECTION 2
DOCUMENT DEVELOPMENT, COMMUNICATION, IMPLEMENTATION AND MONITORING


8. CONSULTATION AND COMMUNICATION WITH STAKEHOLDERS

The Deputy Health Records Manager and the Interim Director of Human Resources were consulted on revision of the policy and subject access processes.

Specialist knowledge was sought from:

• IG Assurance and Security Manager
• Caldicott Co-ordinator
• Members of the Information Governance Committee

9. APPROVAL OF THE DOCUMENT

This policy has been approved by the Information Governance Committee.

10. RATIFICATION OF THE DOCUMENT

The Trust Document Ratification Group has ratified this policy.

11. EQUALITY IMPACT ASSESSMENT STATEMENT

The Trust aims to design and implement services, policies and measures that meet the diverse needs of its service, population and workforce, ensuring that none are placed at a disadvantage. See Appendix 1 for the results of the assessment on this policy.

12. REVIEW AND REVISION ARRANGEMENTS

This policy will be reviewed by the Information Governance Committee within a three-year period, or sooner if required by legislation or organisational change.

The Information Governance Assurance and Security Manager will be the lead officer for ensuring the policy is reviewed and approved according to the method identified.

13. DISSEMINATION AND COMMUNICATION PLAN

To be disseminated to: Quality Governance Team via policies email
Disseminated by: Author
How: Email
When: Within 1 week of ratification
Comments: Remove watermark from ratified document and inform Quality Governance Team if a revision and which document it replaces and where it should be located on the intranet. Ensure all document templates are uploaded as Word documents.

To be disseminated to: Communication Team (documents ratified by the Document Ratification Group)
Disseminated by: Quality Governance Team
How: Email
When: Within 1 week of ratification
Comments: Communication Team to inform all email users of the location of the document.

To be disseminated to: All email users
Disseminated by: Communication Team
How: Email
When: Within 1 week of ratification
Comments: Communication Team will inform all email users of the policy and provide a link to the policy.

To be disseminated to: Key individuals (staff with a role/responsibility within the document); Heads of Departments/Matrons
Disseminated by: Author
How: Meeting/Email as appropriate
When: When final version completed
Comments: The author must inform staff of their duties in relation to the document.

To be disseminated to: All staff within area of management
Disseminated by: Heads of Departments/Matrons
How: Meeting/Email as appropriate
When: As soon as received from the author
Comments: Ensure evidence of dissemination to staff is maintained. Request removal of paper copies. Instruct them to inform all staff of the policy, including those without access to email.

14. IMPLEMENTATION AND TRAINING PLAN

The responsibility for implementing this policy lies with the Information Governance Department. The Information Governance Department is responsible for ensuring that all relevant areas within the Trust are made aware of any changes required in the policy.

The implementation process will commence upon approval of this policy by the Trust Document Ratification Group. It is the responsibility of Matrons/Heads of Departments/Services to ensure that new staff receive information about this policy, and it should be part of any local induction. They must also ensure that any changes to this policy are effectively communicated within their areas of responsibility.

The Health Records and Human Resources departments will ensure relevant staff are aware of and follow the subject access process.

Information Governance training is a core MAST subject that all staff must complete on an annual basis. This is undertaken via e-learning on the ESR system. The Information Governance Team will provide assistance to Human Resources to ensure departments are equipped to undertake this training, and where applicable, local assistance will be provided.

15. PLAN TO MONITOR THE COMPLIANCE WITH, AND EFFECTIVENESS OF THE TRUST DOCUMENT

15.1 Process for Monitoring Compliance and Effectiveness

• Overall monitoring of the Policy will be actioned by the Information Governance Committee

Audit/Monitoring Criteria: Reporting of confidentiality breaches
Process for monitoring: Trust's Incident Reporting System
Audit/Monitoring performed by: All Staff
Audit/Monitoring frequency: As and when incidents occur
Audit/Monitoring reports distributed to: Confidentiality incidents are reported at Caldicott and Information Governance meetings
Action plans approved and monitored by: As per the Trust's Incident Reporting Policy. Where an issue has arisen that requires disciplinary action, the Trust Disciplinary Policy will be followed.

Audit/Monitoring Criteria: Caldicott Security Audit
Process for monitoring: Unannounced audit. The audit will entail a walkthrough of the department and the completion of the Caldicott Security Audit Checklist.
Audit/Monitoring performed by: Member of the Caldicott Group and Ward/Dept Manager from the area being audited. A log of areas audited and individuals involved will be maintained by the Caldicott Coordinator.
Audit/Monitoring frequency: A rolling programme of unannounced audits will be undertaken on a quarterly basis
Audit/Monitoring reports distributed to: Caldicott Group and Manager of Ward/Dept audited
Action plans approved and monitored by: Caldicott Group and Manager of Ward/Dept audited

Audit/Monitoring Criteria: Reporting of SI (Serious Incidents) to ICO (Information Commissioner's Office)
Process for monitoring: Department of Health SIRI (Serious Incident Requiring Investigation) Tool
Audit/Monitoring performed by: Information Governance Team
Audit/Monitoring frequency: As and when incidents occur
Audit/Monitoring reports distributed to: Information Governance Committee
Action plans approved and monitored by: Information Governance Committee

Audit/Monitoring Criteria: Audits of processes related to subject access requests for health records
Process for monitoring: Audit
Audit/Monitoring performed by: Health Records
Audit/Monitoring frequency: A rolling programme of unannounced audits
Audit/Monitoring reports distributed to: Information Governance Committee
Action plans approved and monitored by: Information Governance Committee

Audit/Monitoring Criteria: Audits of processes related to subject access requests for non-health records
Process for monitoring: Audit
Audit/Monitoring performed by: Human Resources Department
Audit/Monitoring frequency: A rolling programme of unannounced audits
Audit/Monitoring reports distributed to: Information Governance Committee
Action plans approved and monitored by: Information Governance Committee

15.2 Standards/Key Performance Indicators (KPIs)

• All Subject Access Requests responded to within the specified timescales
• Information Governance Toolkit


Section 2 Appendix 1

EQUALITY IMPACT ASSESSMENT (EIA) INITIAL SCREENING TOOL

Document Name: Data Protection Policy
Date/Period of Document: Jan 2016 – Jan 2019
Lead Officer: Senior Information Risk Owner (SIRO)
Directorate: Corporate Services
Reviewing Officers: IG Assurance and Security Manager
Function: Policy / Procedure / Strategy / Joint Document (with whom?)

Describe the main aim, objectives and intended outcomes of the above:
Data must only be processed in accordance with the rights of Data Subjects and in accordance with the Data Protection Act 2018. To ensure data is processed fairly and lawfully.

You must assess each of the 9 areas separately and consider how your policy may affect people's human rights.

1. Assessment of possible adverse impact against any minority group
How could the policy have a significant negative impact on equality in relation to each area?

Response (Yes / No) and, if yes, please state why and the evidence used in your assessment:
1 Age? x
2 Sex (Male and Female)? x
3 Disability (Learning Difficulties/Physical or Sensory Disability)? x
4 Race or Ethnicity? x
5 Religion and Belief? x
6 Sexual Orientation (gay, lesbian or heterosexual)? x
7 Pregnancy and Maternity? x
8 Gender Reassignment (the process of transitioning from one gender to another)? x
9 Marriage and Civil Partnership? x

You need to ask yourself:
Will the policy create any problems or barriers to any community or group? Yes/No
Will any group be excluded because of the policy? Yes/No
Will the policy have a negative impact on community relations? Yes/No
If the answer to any of these questions is yes, you must complete a full Equality Impact Assessment.

2. Positive impact
Could the policy have a significant positive impact on equality by reducing inequalities that already exist? Explain how it will meet our duty to:

Response (Yes / No) and, if yes, please state why and the evidence used in your assessment:
1 Promote equal opportunities x
2 Get rid of discrimination x
3 Get rid of harassment x
4 Promote good community relations x
5 Promote positive attitudes towards disabled people x
6 Encourage participation by disabled people x
7 Consider more favourable treatment of disabled people x
8 Promote and protect human rights x

3. Summary
On the basis of the information/evidence/consideration so far, do you believe that the policy will have a positive or negative adverse impact on equality?
Please rate, by circling, the level of impact:
Positive: HIGH / MEDIUM / LOW / NIL
Negative: LOW / MEDIUM / HIGH

Date assessment completed: November 2015

Is a full equality impact assessment required?

Yes (documentation on the intranet)

No
