Whitchurch Road Surgery


Data protection policy

Data Protection & Caldicott

All patient data is treated with the utmost importance, and we adhere to all guidelines relating to the storage and usage of any patient data.
Any questions or concerns should be directed to the Practice Manager.

1.   Purpose and Scope
To ensure that good security controls and procedures are maintained for all information created, stored and processed by the Practice, and in particular that compliance with Data Protection legislation is observed.

These procedures apply to all employees, temporary staff, volunteers, contractors and other users accessing any of the Practice information systems, wherever the user or system may be situated.

Data Protection Act Registration and Notification
The Lead Partner will nominate a Data Protection Officer (usually the Security Manager) to handle day-to-day matters relating to the Data Protection Act.
The Data Protection Officer will:

  • Review the Practice’s Data Protection Act Registration details at least annually to ensure there have been no changes or additional uses and purposes introduced into working practices.
  • Monitor any disclosures of personal information, particularly without the consent of the patient, to ensure there is a legitimate basis for the disclosure in line with the notification or relevant exemption.
  • Produce a Patient Information leaflet that informs patients how their information is used, who may have access to that information, and details their own rights to see and obtain copies of their records.
  • Ensure that personal data is not transferred to any country outside of the EEA, unless adequate levels of protection are in place.
  • Ensure the notification is renewed annually via the Information Commissioner’s website:
    www.informationcommissioner.gov.uk
  • The Lead Partner must ‘sign-off’ the Data Protection notification.

2.   The Lead Partner must ensure that:

  • All data held is accurate and up-to-date, the minimum necessary and relevant to the purpose.
  • Audits are undertaken or data quality assurance tools are utilised on a regular basis.

3.   Subject Access Requests

  • Under the Data Protection Act, any individual has a right to ‘see’ personal information the organisation is holding about them. This can include patients requesting to see their medical records and staff requesting to see their HR/Personnel file.
  • Valid requests from individuals for copies of their data under the subject access provisions of the Data Protection Act shall be passed to the Lead GP for processing.
  • Valid requests must be made in writing and clearly state what information is required. Sufficient information must be supplied to confirm the identity of the requestor.
  • If it is not clear what is being requested, the person requesting shall be required to complete and sign a Data Protection Act Subject Access Request Form.
  • If the request is from a third party, the validity of the Consent Form must be considered before providing copies of the information requested.
  • If the form is not suitable, a Practice Consent Form should be sent to the patient to confirm a proper ‘informed consent’ process took place. This is particularly important if the request is for the release of copies of a complete patient record to a third party, e.g. a solicitor, as the patient will not necessarily know what is contained in their record.
  • Special arrangements will have to be made if the Data Subject cannot read or write, is deaf or blind, or cannot speak English or any other languages spoken or understood by the Practice.
  • The Lead GP will inform the Practice Manager of the appropriate fee for the copies. The Practice Manager shall inform the Data Subject or Third Party, acting as their agent, of this fee. The maximum fee to be imposed for copying medical records is £50, and £10 for copies of staff personnel records.
  • On receipt of the payment, the Practice Manager will extract the computer held information and take it with the paper records to the Lead GP who will review the clinical content and approve documents for copying.
  • The Practice Manager will ensure that third parties named in the record will not be caused any distress by their release.
  • If there is any doubt about this, the Practice Manager should contact the third party to get their consent to release the data. If this is not given, references to the third party must be removed from the copies.
  • The copies of information must be forwarded to the Data Subject or their agent by recorded delivery within 40 days of the request provided any fee applied to the release has been paid.
  • The reply must contain the required explanations of what the information is used for, who it has been disclosed to if required, and an explanation if some information has been withheld.
  • Copies of the requests and letters accompanying the replies should be filed in the patient’s or staff member’s file with a corresponding entry being made in a simple ‘Subject Access’ log to enable queries to be handled quickly and efficiently.
    The ‘log’ should have the following content:
    * Date of Request
    * Data Subject Name
    * Summary of Request
    * Date of Response
    * Summary of Information Released
    * Reason for Withholding Information
    * Signature of the Practice Manager and of the GP
    * Date dispatched (normally within 40 days of the receipt of the request)

4.   All staff must ensure that:

The Caldicott Guardian is consulted before any patient identifiable information is shared with any third parties. This is to ensure that the transfer is justified and essential, and that only the minimum amount of information is transferred in each case.

The Caldicott Guardian:

  • Is responsible for safeguarding the confidentiality of patient-related information and will ensure that all staff are aware that they must be consulted before any such information is shared with a third party.
  • Can share Patient Identifiable information to directly benefit a patient with any part of the NHS in Wales under the Wales Intra-NHS Sharing Agreement and the Welsh Accord on the Sharing of Personal Information (WASPI).
  • In conjunction with the Data Protection Officer and Security Manager, will ensure that patient identifiable information sharing takes place in accordance with the standards set out in the ‘Confidentiality: Code of Practice for Health and Social Care in Wales’ (WAG August 2005) and that any sharing with organisations not part of NHS Wales is documented in an Information Sharing Protocol.
  • Will use WASPI as the basis for sharing patient identifiable information with third parties by requiring the Head of Practice to sign the Declaration of Acceptance on behalf of the Practice and requiring the third party to do the same.
  • Will be responsible for the production of a Personal Information Sharing Protocol (PISP) and supporting documentation as detailed in WASPI Guidance.
  • Will ensure that ONLY the minimum amount of patient identifiable information necessary for the intended purpose is shared and that the information is securely transferred.
  • Will implement mechanisms to ensure that any decision taken by a patient to restrict disclosure of their personal information is appropriately respected.

The Security Manager must:
Record any information exchange process in the Information Assets Register and update this if the processes change.

Access to Deceased Patients’ Records

  • As soon as a patient dies, the records no longer belong to the Practice and should be returned to the BSC’s Contractor Services Department as soon as possible, and the patient’s clinical system record must be labelled inactive.
  • All requests for access to the records must be forwarded to the appropriate regional member of staff at the BSC, even if you have not returned your records to the BSC. Contact details are available on the ISMS website: https://howis.wales.nhs.uk/sites3/page.cfm?orgId=542&pid=17844
  • If requests are for Medical Reports, the above mentioned regional staff at the BSC will arrange for copies of the relevant parts of the records to be returned to you.
  • If the doctor can complete the report from the inactive clinical record, approval must be sought from the NHS Wales Informatics Service (NWIS) Information Governance Department prior to doing so.
  • If the request is for copies of all or part of the record and they have not been returned to the BSC’s Contractor Services Department, the request must be sent to the above-mentioned regional staff at the BSC. This must be accompanied by the full copy of the records, including clinical system prints.

Use of General Practice data for planning and research
We have received contacts from patients concerned about the use of this data by the NHS for the purpose of planning new initiatives. This is an NHS England initiative and is not applicable in Wales, so please do not send in the opt out form.

Date published: 1st June, 2017
Date last updated: 16th June, 2021