Information Governance Policy
PURPOSE OF POLICY
The purpose of this policy is to ensure that PSS and all its “workers” adhere to the provisions made under the Data Protection Act (1998);
It is additionally to ensure that we follow, as relevant and appropriate (as a non-NHS body), the Caldicott Principles;
It is additionally to ensure that PSS adheres to the broader approaches to information governance, managing information so as to support the organisation’s regulatory, risk, environmental and operational requirements.
SCOPE OF POLICY
This Policy applies to all the following groups -.
Going forward for simplicity, these groups will collectively be referred to as “workers”.
The 8 Data Protection Principles (from the Data Protection Act 1998)
1. Personal data shall be processed fairly and lawfully, and in particular, shall not be processed unless certain conditions are met in relation to personal data, and additional criteria observed in relation to sensitive personal data.
2. Personal data shall be obtained for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of the data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country outside the European Economic Area, unless that country ensures an adequate level of data protection.
The Six Caldicott Principles
1. Justify the purpose(s) of using confidential information
2. Only use it when absolutely necessary
3. Use the minimum that is required
4. Access should be restricted on a strict need-to-know basis
5. Everyone must understand his or her responsibilities
6. Understand and comply with the law
LEGISLATION & NATIONAL POLICIES
- Data Protection Act 1998
- NHS Confidentiality Policy June 2014
- Social Care Worker Codes of Practice
- NHS Scotland – Codes of Practice in maintaining Patient Confidentiality 2009
PSS POLICY COMMITMENTS
PSS is registered with the Information Commissioner’s Office and, as part of that registration, will report serious information governance incidents as well as security breaches.
PSS ensures all staff sign an agreement in relation to the principles of the Data Protection Act and the Caldicott Principles as part of their contract of employment.
PSS ensures all staff, through induction and with supportive operational guidelines, are made aware of this policy and of their individual responsibilities in complying with it, principally around –
- gathering quality information (minimum, accurate and up-to-date data)
- sensitive information
- security of information and unauthorised use
- consent and sharing information
- only keeping what information is needed (the PSS Retention Schedule outlines our statutory duties related to the retention of records)
- the right of access to information for people that PSS hold data on
- reporting incidents in relation to Data Protection, or breaches of security
Relevant staff will have further and specific training as required, for example (the list is not exhaustive) – in relation to rights of access to information; in relation to storing and retention of records; in relation to business continuity.
PSS ensures its systems (both IT and manual) are designed to support compliance with this policy.
PSS ensures a safe environment in which to operate and manage information.
PSS ensures written documentation and guidelines to support compliance with this policy are provided to staff (as relevant).
PSS ensures the relevant managers monitor compliance with this policy and the systems and operational activities that make this happen, and that they regularly review its effectiveness.
PSS requires third party contractors to comply with the Data Protection Act (1998).
GENERAL POLICY STATEMENT – RESPONSIBILITIES FOR ALL
PSS has a responsibility for ensuring policies are kept up to date, accessible and relevant, and for providing, where necessary, additional communication about policies, guidelines and their implementation.
Policy Authors and the Head of Quality Management
PSS has various authors with specific expertise in writing policy and guidelines. The Head of Quality Management has an overarching responsibility for maintaining the suite of policies.
Contact details are:
firstname.lastname@example.org 0151 702 5540
email@example.com 0151 702 2224
Managers have a responsibility for ensuring policies are actively followed, as they are the baseline for the operation of the business.
This means managers need to –
- Be familiar with policies
- Understand policies
- Be able to put policy into practice
- Keep up-to-date with policy changes
- Ensure your team fully understand the policy and guidelines
- Ensure your team puts policy and guidelines into practice
- Be pro-active in relation to policy updates too – you are the experts at the front line, and therefore in a great position for alerting PSS if policy and guidelines need to be updated. Please advise the Head of Quality Management directly in such situations.
Staff should understand and follow policy and guidance, particularly those relevant to their role. Staff have a responsibility to seek clarification from their manager if they do not understand policy and guidance.
1. Personal Data
Information will be personal data if it is:
a. Personal – if it is information about a living person who can be identified. This may include the individual’s name, their contact details, opinions they have expressed, a record of their presence at a particular location or time or involvement in a particular activity, details of their expense claims, human resources records, development plans etc. It also includes expressions of opinions and intentions regarding the individual.
b. Data – if it is recorded in any format. This may be recorded in a structured format that is filed as part of the normal record of business, such as within a folder referenced by name or a structured database, or any other relevant filing system. It may also be in an unstructured format, which may not be filed as a business record, such as a reference within a notebook, email or spreadsheet, photographs or CCTV footage. It includes any data held on equipment operating automatically in response to instructions (i.e. computers).
2. Sensitive Personal Data
Sensitive personal data is defined as being personal data consisting of information relating to:
- The racial/ethnic origin of the data subject
- Political opinions
- Religious or other beliefs
- Whether the data subject is a member of a trade union
- Physical or mental health condition
- Sexual activities of the data subject
- The commission or alleged commission of any offence, or
- Proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in any such proceedings.
3. Data Subject
A data subject is any living individual who is the subject of personal data; for example a current, past or prospective employee or service user, or a contractor or supplier. When a data subject asks to see information that PSS holds on them, this is called a ‘Subject Access Request’.
4. Processing
Processing covers any action that can be done with data. That includes obtaining, recording, holding, organising, adapting, altering, retrieving, consulting, using, transferring, disclosing, aligning, combining, transcribing, printing, filing, sorting, blocking, erasing or destroying data. In short, processing is ‘doing something with data’.
5. Information governance
PSS’s working definition of information governance – Information governance is the set of multi-disciplinary structures, policies, procedures, processes and controls implemented to manage information at an enterprise level, supporting an organisation’s immediate and future regulatory, legal, risk, environmental and operational requirements.