SH IG 18

Data Protection & Confidentiality Policy

Version: 8

Summary This policy provides the framework to ensure that the Trust complies with
the requirements of the General Data Protection Regulations May 2018,
Data Protection Act 2018; Caldicott Principles and NHS Code of
Confidentiality.

Keywords Data Protection Act; General Data Protection Regulations; Caldicott

Guardian; principles; confidentiality; information governance; information
security;

Target audience All staff employed by Southern Health NHS Foundation Trust,
Contractors, Volunteers Interns, Apprentices, Governors and Non-
Executive Directors who have access to confidential personal information

Date issued August 2020

Approved & Information Governance Group Date of meeting:

Ratified by 13/07/2020

Next review date August 2021

Author Lesley Barrington, Head of Information Assurance

Executive Director Heather Mitchell, Director of Strategy & Infrastructure Transformation /

SIRO / Data Protection Officer

Mayura Deshpande, Caldicott Guardian

Equality Impact Assessment (for policies only)

The Equality Impact Assessment has been completed. The assessment document is held centrally
and is available by contacting [email protected]

1
SH IG 18 Data Protection & Confidentiality Policy
Version 8
August 2020
 Version Control
Change Record

Date Author Version Section Reason for Change

07/02/13 Lesley Barrington V2 Inclusion of reference to Privacy Impact Assessment

Procedure and Template.
24/03/13 Lesley Barrington V2 Update of SIRO and Caldicott Guardian
10/12/13 Lesley Barrington V3 All Minor updates and amendments
10/12/13 Lesley Barrington V3 3.3 Update re. Caldicott Review
10/12/13 Lesley Barrington V3 5.2 Update re. Caldicott Review – inclusion of new
principle 7. – information sharing
10/12/13 Lesley Barrington V3 5.3 Update re. newly published HSCIC Guide to
Confidentiality – inclusion of 5 rules
10/12/13 Lesley Barrington V3 11 Updated references
July 2015 Louise Hartland 3 18 Updated TNA (Appendix 1)
March Lesley Barrington 4 6&7 Updated job titles
2016 4 8 Addition 4.9 – reference to IGG
11 inclusion of Health and Social Care (Safety and
Quality) Act 2015
17 Updated references and websites
Included reference to IG SIRI incident reporting
process
App 2 Updated Equality IA Screening Tool
Sept 2016 Sharon France 4 5.9 Paragraph 4 Change to HRA process
R&D to Log requests
11 Supporting Evidence
All Remove reference to withdrawn policy SH IG 19
February Lesley Barrington 5 All Review in light of new General Data Protection
2018 Regulation May 2018
31/01/19 Lesley Barrington 6 All Annual review – minor amendments
Addition of 4.9
Addition of 5.1.8 – legal basis
Addition of 5.1.9 – criminal offence data
29/04/19 Donna Woolley 6 4 & 15 Legacy name change: generic email from HP-TR. to
SHFT
17/02/20 Lesley Barrington 7 All Annual review – minor amendments
16/06/20 Lesley Barrington 8 4.2 Minor amendment - Updating and clarification
regarding data subject rights regarding “right to
rectification” – approved by Caldicott Guardian

Reviewers/contributors

Name Position Version Reviewed &

Date

Information Governance Group Membership Dv02 – 09/01/2012

Information Governance Group Membership / IG Leads V3 – 12/12/2013
Clinical and Area Directors V3 - 12/12/2013
Helen McCormack Caldicott Guardian V3 – 13/12/2013
Jennifer Dolman Clinical Director V3 – 13/12/2013
Information Governance Group Membership V4 – 14/03/2016
Information Governance Group Membership V4 12/09/2016
Information Governance Group Membership V5 – Feb 2018
Information Governance Group Membership V6 – 11/03/2019
Information Governance Group Membership V7 – 17/02/2020
Mayura Deshpande Caldicott Guardian V8 – 16/06/2020

2
SH IG 18 Data Protection & Confidentiality Policy
Version 8
August 2020
 Data Protection & Confidentiality Policy
Information on a page

This page summarises the key information or key steps in a process to follow. This does not
negate the need to be aware of and to follow the further detail provided in the document.

Data Protection and Confidentiality are legal requirements on all staff working in the Trust.
The purpose of this policy is to ensure that personal data and information held and
processed by the Trust or held and processed on its behalf by Third Parties, is handled in a
safe and secure manner which complies with legislation and best practice relating to data
protection and confidentiality.

The Data Protection Act (DPA) 2018 and General Data Protection Regulations (GDPR/DPA
18) came into force on 25th May 2018.

The key principles in the new Regulations are the same as the DPA – but some of the
language has changed – i.e. instead of “schedules and conditions” there are “recitals and
articles”.

Data Protection should not been seen as a barrier to processing and sharing information –
as long as a defined “legal basis” has been identified and recorded.

GDPR/DPA 18 brings in a new “principle” of “transparency and accountability”. This means

that Data Controllers (i.e. the Trust) has to ensure that Data Subjects (i.e. public; patients;
staff) are aware of the processing of their personal data – and this information is readily
available to them. To achieve this, the Trust public and staff intranet websites have been
updated.

As a public authority (i.e. NHS), the Trust does not rely on “consent” to process Data
Subject’s information. Refer to the Trusts Privacy Notice, available on the Trust website:
https://www.southernhealth.nhs.uk/patients-and-carers/your-information-your-rights/

However, staff should always consider gaining consent from patients when considering
whether to share information (i.e. further processing) – and SH IG 46 and SH IG 48 should
be reviewed. Consent to share information should be recorded on the appropriate clinical
record keeping system and/or paper as appropriate.

All staff must complete annual Information Governance Training – which covers Data
Protection and Confidentiality. See SH IG 17 Information Governance Policy

Staff must respect a Data Subject’s right to confidentiality and must not access patient or
staff information on any system (electronic or paper) that relates to family (including
spouses; children; parents etc.) or friends, even if it is considered to be within their role in the
organisation. Failure to comply could result in disciplinary action.

If staff require advice or support on any Data Protection or Confidentiality matter, they should
contact the Information Assurance Team: [email protected] in the
first instance, who may escalate the issue to either the Data Protection Officer or Caldicott
Guardian.

3
SH IG 18 Data Protection & Confidentiality Policy
Version 8
August 2020
 Contents
Section Title Page
1. Introduction 5

2. Scope 6

3. Duties and responsibilities 6

4. Main content 7
4.1 GDPR Article 5 – principles 7
4.2 GDPR – data subjects rights 8
4.3 Privacy Notice 9
4.4 Lawful/legal basis 9
4.5 Caldicott Principles 9
4.6 Confidentiality: NHS Code of Practice 10
4.7 Patient confidentiality 11
4.8 Staff confidentiality 11
4.9 Exemptions to confidentiality 12
4.10 Disclosing information against subject’s wishes 12
4.11 Non-disclosure 13
4.12 Personal identifiable data in Medical Research 13
4.13 Data Protection Impact Assessment 13

5. Training requirements 13

6. Monitoring compliance 13

7. Document review 14

8. Associated Trust documents 14

9. Supporting references 14

10. Definitions 14

Appendices
1. GDPR/DPA 18 Processing – legal framework 16

4
SH IG 18 Data Protection & Confidentiality Policy
Version 8
August 2020
 Data Protection & Confidentiality Policy
1. Introduction

This document describes Southern Health NHS Foundation Trust (the Trust) policy on Data
Protection (General Data Protection Regulations 2018/Data Protection Act 2018); NHS Code
of Confidentiality and Caldicott requirements, and employees’ responsibilities for the
safeguarding of confidential information held both manually (non-computer in a structured
filing system) and electronically.

The Trust holds and manages a great deal of personal and confidential information relating
to patients, service users and carers, the public and employees of the NHS.

Data protection laws exist to strike a balance between the rights of individuals to privacy and
the ability of organisations to use data for legitimate business purposes.

The General Data Protection Regulation and Data Protection Act 2018 came into force on
25th May 2018 and replace the Data Protection Act 1998 which came into force on 1st March
2000. The Regulation/DPA is concerned with "personal and sensitive data" about living,
identifiable individuals which is "automatically processed or manually stored as part of a
relevant filing system or accessible record”. It need not be particularly sensitive information,
indeed it can be as little as a name and address.

The Regulation/DPA is divided to “Recitals” and “Articles” and works in two ways, giving
individuals certain rights whilst requiring those who record and use personal information
certain responsibilities. The Regulations incorporates the following principles which are
binding for all organisations processing data:

Article 5 Principles relating to processing of personal data

Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject
('lawfulness, fairness and transparency');

(b) collected for specified, explicit and legitimate purposes and not further processed
in a manner that is incompatible with those purposes; further processing for
archiving purposes in the public interest, scientific or historical research purposes or
statistical purposes shall, in accordance with Article 89(1), not be considered to be
incompatible with the initial purposes ('purpose limitation');

(c) adequate, relevant and limited to what is necessary in relation to the purposes for
which they are processed ('data minimisation');

(d) accurate and, where necessary, kept up to date; every reasonable step must be
taken to ensure that personal data that are inaccurate, having regard to the purposes for
which they are processed, are erased or rectified without delay ('accuracy');

(e) kept in a form which permits identification of data subjects for no longer than is
necessary for the purposes for which the personal data are processed; personal data
may be stored for longer periods insofar as the personal data will be processed solely for
archiving purposes in the public interest, scientific or historical research purposes or
statistical purposes in accordance with Article 89(1) subject to implementation of the
appropriate technical and organisational measures required by this Regulation in order
to safeguard the rights and freedoms of the data subject ('storage limitation');

5
SH IG 18 Data Protection & Confidentiality Policy
Version 8
August 2020
 (f) processed in a manner that ensures appropriate security of the personal data,
including protection against unauthorised or unlawful processing and against accidental
loss, destruction or damage, using appropriate technical or organisational measures
('integrity and confidentiality').

ALL STAFF HAVE A LEGAL DUTY TO PROTECT THE PRIVACY OF INFORMATION

ABOUT INDIVIDUALS

2. Scope

This policy covers all identifiable information created, processed and stored on living
individuals, patients or staff. Throughout this document the term “patient” is used to refer to
an individual who is receiving a service from the Trust, and this term includes those people
who are also known as “Service Users”, and “Clients”. Similarly the terms “clinician” and
“health professional” are used, but should be interpreted as encompassing social care staff
and NHS practitioners.

3. Duties and responsibilities

The Trust has established a structure to deliver information governance, to meet the
requirements of data protection and confidentiality.

3.1 The Chief Executive has a duty to ensure that:

 staff are aware of the need to comply with the GDPR/DPA 18, in particular with the rights
of patients wishing to access personal information and or their health records.
 staff are aware of requirements of the common law duty of confidence as set out in
Confidentiality: NHS Code of Practice.
 arrangements with third parties who process personal data on behalf of the Trust are
subject to a written contract which stipulates appropriate security and confidentiality.

3.2 The Trust’s Caldicott Guardian is the Medical Director. The Caldicott Guardian is
responsible for agreeing and reviewing protocols for governing the transfer and disclosure of
personal confidential data across the Trust and supporting agencies. To assist with the
volume and diversity of this task the Caldicott Guardian is supported by the Head of
Information Assurance.

3.3 The Senior Information Risk Owner (SIRO) has ultimate responsibility for the management
and mitigation of risks associated with the Trusts information management processes. This
responsibility is formally delegated from the Chief Executive via a letter of delegation. The
SIRO shall:
 Be accountable for the management and protection of all Information Assets
 Take overall ownership of the Information Risk Management Policy
 Provide a focal point for managing information risks and incidents
 Lead on Business Continuity in the context of Information Risk
 Act as champion for Information Risk on the Board
 Advise the Board on the effectiveness of Information Risk Management
 Ensure that Information Risk Assessments and management processes are embedded
 Lead and foster a culture for protecting and using information and data;

6
SH IG 18 Data Protection & Confidentiality Policy
Version 8
August 2020
  Lead communications on Information Governance and Security throughout the
organisation
 Chair the Information Governance Group (IGG).

3.4 The Data Protection Officer has overall responsibility for managing and effectively
implementing all activities necessary to achieve compliance with the GDPR/DPA 18
throughout the Trust:
 To inform and advise the organisation and its employees about their obligations to comply
with the GDPR/DPA 18 and other data protection laws
 To monitor compliance with the GDPR/DPA 18 and other data protection laws, including
managing internal data protection activities, advise on data protection impact
assessments; train staff and conduct internal audits
 To be the first point of contact for supervisory authorities and for individuals whose data is
processed (patients/staff) [delegated to the Head of Information Assurance]

3.5 The Head of Information Assurance main responsibility is to:

 Facilitate all the data protection and Caldicott functions within the Trust to support the
above
 Advise and update the Trust in relation to directives/guidance from the Information
Commissioner and the Department of Health; NHS England; NHS Digital
 Maintain an up to date Notification under the GDPR/DPA 18 with the regulatory body
(Information Commissioner’s Office).
 Via the Information Governance Framework – ensure that the Caldicott Guardian, Data
Protection Officer and Senior Information Risk Owner (SIRO) are informed of relevant
issues and decisions are recorded

3.6 Senior Operational/Clinical/Service Managers are responsible for ensuring compliance

with policies and that staff attend and pass the annual mandatory IG training, and breaches
and issues raised by staff are acted upon. Managers are also responsible for ensuring that
Information Asset Owners and Administrators are appointed (see SH IG 17).

3.7 The Information Governance Group, is chaired by the SIRO/Data Protection Officer and is
the forum responsible for ensuring that the Trust complies with the GDPR/DPA 18. It meets
bi-monthly – and reports to Audit Assurance & Risk Committee, which reports to Trust Board.
[See SH IG 17 Information Governance Policy for detail.]

3.8 All staff have the responsibility of ensuring that patients are informed about the Trust
Privacy Notice – which details information processing and rights. This should be done at an
appropriate time to the patient, taking into account their health and well being at the time.

4. Main content

The General Data Protection Regulations/DPA 2018: Principles and Practices to ensure
compliance:

4.1 GDPR Article 5: Data Protection Principles:

1. Personal data shall be processed lawfully, fairly and in a transparent manner in relation to
the data subject [lawfulness, fairness and transparency]
2. Personal data shall be collected only for specified, explicit and legitimate purposes, and
not further processed in a manner that is incompatible with those purposes [purpose
limitation]
3. Personal data shall be adequate, relevant and limited to what is necessary in relation to
the purposes for which they are processed [data minimisation]

7
SH IG 18 Data Protection & Confidentiality Policy
Version 8
August 2020
 4. Personal data processed shall be accurate and, where necessary, kept up to date
[accuracy]
5. Personal data shall be kept in a form which permits identification of data subjects for no
longer than is necessary for the purposes for which the personal data are processed
[storage limitation]
6. Personal data shall be processed in a manner that ensures appropriate security of the
personal data, including protection against unauthorised or unlawful processing and
against accidental loss, destruction or damage, using appropriate technical of organisation
measures [integrity and confidentiality]

4.2 Under the GDPR/DPA 18, data subjects have certain rights, which must be upheld:

 Be informed - through privacy notices (see below) and Data Protection Impact
Assessments

 GDPR Article 13 – Right of Access – via Subject Access Requests [Refer to SH IG 12

Access to Personal Records Procedure]

 GDPR Article 16 - Rectification - to have inaccuracies corrected.

However, it should be noted that diagnosis and clinical opinion is a matter of clinical
judgement and cannot be changed solely at the patient’s request. [Refer to SH IG 07
Amending Inaccuracies Procedure]

 GDPR Article 17 – Right to Erasure - to have information erased (right to be forgotten).

This right is not absolute and only applies in certain circumstances. The right to erasure
does not apply to NHS organisations as the legal basis for processing is “public task” – i.e.
carried out in the public interest or in the exercise of official authority.

 GDPR Article 21 - Object to processing

Article 21 of the GDPR gives individuals the right to object to the processing of their
personal data at any time. This effectively allows individuals to stop or prevent an
organisation from processing their personal data. An objection may be in relation to all of
the personal data an organisation holds about an individual or only to certain information.
It may also only relate to a particular purpose the organisation is processing the data for.

The right to object only applies in certain circumstances. Whether it applies depends on
the purposes for processing and the organisations lawful basis for processing. From the
Trusts perspective, individuals can object as the Trust is processing information under the
legal basis of “public task”.

However, even in these circumstances this is not an absolute right, and the Trust can
refuse to comply if:
 The Trust can demonstrate compelling legitimate grounds for the processing, which
override the interests, rights and freedoms of the individual (which in this case may
include a clinical risk assessment of the individual’s circumstances)
 or the processing is for the establishment, exercise or defense of legal claims.

In these circumstances, if the individual is objecting to having clinical information kept in

an electronic format, (i.e. in RiO) then this should be raised with the Records Team via
email: [email protected] who will support the team to manage the process.
Ultimately, it is the decision of the Caldicott Guardian whether the objection is to be
upheld or refused, depending on the clinical circumstances.

 Prevent automated decision-making and profiling

8
SH IG 18 Data Protection & Confidentiality Policy
Version 8
August 2020
  Data portability – have information provided in electronic format and not hinder the data
subject's transmission of personal data to a new data controller

 Consent to process - silence, pre-ticked boxes or inactivity does not constitute consent to
process

4.3 Privacy Notice

GDPR requires data controllers to provide certain information to people whose data they hold
and use; this is known as a Privacy Notice (PN). The Trust publishes it’s Privacy Notice on
the Trust Public Website: https://www.southernhealth.nhs.uk/patients-and-carers/your-
information-your-rights/

4.4 Lawful/legal basis for processing

GDPR/DPA 18 requires that all organisations identify the legal basis for any processing (i.e.
collecting, using, storing etc.) of personal or special category information relating to data
subjects (patients and staff).

As a publically funded body, the legal basis for processing this information is GDPR Article 6
1(e) - processing is necessary for the performance of a task carried out in the public
interest or in the exercise of official authority vested in the controller

Special Categories of personal data - Racial or ethnic origin; political opinions; religious or
philosophical beliefs; trade-union membership; processing of genetic data; biometric data (for
the purpose of uniquely identifying a natural person); data concerning health; data
concerning a natural person’s sex life or sexual orientation:

Article 9 2(h) - Processing is necessary for the purposes of preventive or occupational

medicine, for the assessment of the working capacity of the employee, medical
diagnosis, the provision of health or social care or treatment or the management of
health or social care systems and services on the basis of Union or Member State law
or pursuant to contract with a health professional

For more information relating to lawful basis – refer to Appendix 1.

4.5 Caldicott Principles for handling personal confidential data:

1. Justify the purpose(s)

Every proposed use or transfer of personal confidential data within or from an organisation
should be clearly defined and scrutinised, with continuing uses regularly reviewed, by an
appropriate Guardian.

2. Don't use personal confidential data unless it is absolutely necessary

Personal confidential data items should not be included unless it is essential for the specified
purpose(s) of that flow. The need for patients to be identified should be considered at each
stage of satisfying the purpose(s).

3. Use the minimum necessary personal confidential data

Where the use of personal confidential data is considered to be essential, the inclusion of
each individual item of information should be considered and justified so that the minimum
amount of identifiable information is transferred or accessible as is necessary for a given
function to be carried out.

4. Access to personal confidential data should be on a strict need-to-know basis

9
SH IG 18 Data Protection & Confidentiality Policy
Version 8
August 2020
 Only those individuals who need access to personal confidential data should have access to
it, and they should only have access to the data items that they need to see. This may mean
introducing access controls or splitting data flows where one information flow is used for
several purposes. Health care organisations should be aware of the research conducted
within the organisation, and should ensure research teams are accountable to them (from
MRC Executive Summary – Personal Information in Medical Research).

5. Everyone with access to personal confidential data should be aware of their

responsibilities
The organisation must ensure that those handling personal confidential data, both clinical
and non-clinical staff, are made fully aware of their responsibilities and obligations to respect
patient confidentiality.

6. Understand and comply with the law

Every use of personal confidential data must be lawful. The Caldicott Guardian, Director of
Health Technology and Outcomes, is responsible for ensuring that the organisation complies
with legal requirements.

7. The duty to share information can be as important as the duty to protect patient
confidentiality
Health and social care professionals should have the confidence to share information in the
best interests of their patients within the framework set out by these principles. They should
be supported by the policies of their employers, regulators and professional bodies.

The Health and Social Care (Safety and Quality) Act 2015 includes a legal duty requiring
health and adult social care bodies to share information where this will facilitate care for an
individual. [Refer to SH IG 46 Information Sharing Policy for details]

4.6 The 'Confidentiality: NHS Code of Practice'

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/200146/Confid
entiality_-_NHS_Code_of_Practice.pdf was published by the Department of Health following
major consultation in 2002/2003. The consultation included patients, carers and citizens; the
NHS; other health care providers; professional bodies and regulators. The guidance was
drafted and delivered by a working group made up of key representatives from these areas.
The Code of Practice is a guide to required practice for those who work within or under
contract to NHS organisations concerning confidentiality and patients’ consent to the use of
their health records. This document uses the term ‘staff’ a convenience to refer to all those
to whom this code of practice should apply. Whilst directed at NHS staff, the Code is also
relevant to any one working in and around health services. This includes local authority staff
working in integrated teams and private and voluntary sector staff.

This document:
a. introduces the concept of confidentiality;
b. describes what a confidential service should look like;
c. provides a high level description of the main legal requirements;
d. recommends a generic decision support tool for sharing/disclosing information;
e. lists examples of particular information disclosure scenarios.

Also available is the Supplementary Guidance: Public Interest Disclosures – published in

November 2010 which provides guidance to NHS staff in making what are often difficult
decisions on whether a breach of patient confidentiality can be justified in the public interest.

Following the publication of the Caldicott Review in March 2013, the Health & Social Care
Information Centre published “A guide to confidentiality in health and social care” which
identified five rules for treating confidential information with respect:

10
SH IG 18 Data Protection & Confidentiality Policy
Version 8
August 2020
 Rule 1: Confidential information about service users or patients should be treated
confidentially and respectfully

Rule 2: Member of a care team should share confidential information when it is

needed for the safe and effective care of an individual

Rule 3: Information that is shared for the benefit of the community should be
anonymised

Rule 4: An individual’s right to object to the sharing of confidential information about

them should be respected

Rule 5: Organisations should put policies, procedures and systems in place to

ensure the confidentiality rules are followed

The full version is available here: https://www.gov.uk/government/publications/the-

information-governance-review

4.7 Patient Confidentiality

Health information is collected from patients in confidence and attracts a common law duty of
confidence until it has been effectively anonymised. This legal duty prohibits information use
and disclosure without consent – effectively providing individuals with a degree of control
over who sees information they provide in confidence. This duty can only be overridden if
there is a statutory requirement, a court order, or if there is a robust public interest
justification.

On admission and/or on first contact with the service for a particular matter, all patients
should be asked which relatives, friends or carers they wish to receive information regarding
treatment and progress, and those they specifically do not give permission to receive
information. This information must be recorded in the clinical records – i.e. electronic patient
systems, or in the paper records.

In cases where relatives have been heavily involved in patient care, the patient must be
explicitly asked as to what level these relatives can be kept informed. This is particularly
important in cases where relatives are requesting information on the patient’s condition,
perhaps before the patient has been informed.

For further guidance – refer to SH IG 46 Information Sharing Policy and SH IG 48

Information Sharing - Staff Guidance

As a research active organisation staff might screen patients’ records to identify any potential
research participants with the Consultants permission. Patients may also be approached by
staff regarding participation in a particular research study in order to obtain consent.

In the event of the patient being unable to give permission the Mental Capacity Act 2005
must be followed. Staff should refer to the Mental Capacity Act Policy and procedures for
detail.

In all cases, the wishes expressed must be appropriately documented in the patient’s
clinical records.

4.8 Staff Confidentiality

All staff are required to keep confidential any information regarding patients and staff, only
informing those that have a need to know. In particular, telephone conversations and
electronic communications should be conducted in a confidential manner.

11
SH IG 18 Data Protection & Confidentiality Policy
Version 8
August 2020
 Confidential information must not be disclosed to unauthorised parties without prior
discussion and confirmation with a senior manager in the Trust. Staff must not process any
personal information in contravention of the GDPR/DPA 18.

Staff must not access patient or staff information on any system (electronic or paper) that
relates to family (including spouses; children; parents etc.) or friends, even if it is considered
to be within their role in the organisation.

Any breaches of these requirements will potentially be regarded as serious misconduct and
as such may result in disciplinary action.

All staff have a confidentiality clause in their contract of employment. The Trust has an
approved Data Protection and Confidentiality clause in all contracts with 3rd party contractors
and suppliers who process personal information.

4.9 Exemptions to confidentiality

In certain circumstances personal information may be disclosed and guidance is below.
However it is vital in each case that staff make an assessment of the need to disclose the
information and document that the information has been released to whom and for what
reason. If they are in any doubt, they should seek advice from their Team Manager/Senior
Clinician or the Caldicott Guardian.

4.10 Disclosing Information against the Subject's wishes

The responsibility to withhold or disclose information without the data subject's consent lies
with the senior manager or senior clinician involved at the time and cannot be delegated.

Circumstances where the subject's right to confidentiality may be overridden are rare.
Examples of these situations are:
 Where the subject's life may be in danger, or cases in which s/he may not be capable of
forming an appropriate decision
 Where there is serious danger to other people, where the rights of others may supersede
those of the subject, for example a risk to children or the serious misuse of drugs
 Where there is a serious threat to the healthcare professional or other staff
 Where there is a serious threat to the community
 In other exceptional circumstances, based on professional consideration and consultation.

The following are examples where disclosure without consent is required:

 Births and deaths - National Health Service Act 1977
 Notifiable communicable diseases - Public Health (Control of Diseases) Act 1984
 Poisonings and serious accidents at the work place - Health & Safety at Work Act 1974
 Terminations - Abortion Regulations 1991
 Child abuse - Children’s Act 1989 and The Protection of Children Act 1999
 Drug Addicts - Drugs (Notification of Supply to Addicts) Regulations 1973
 Road traffic accidents - Road Traffic Act 1988
 Prevention/detection of a serious crime e.g. terrorism, murder - The Crime and Disorder
Act 1998

If in doubt, staff should seek guidance, in confidence, from the senior Clinician or the
appropriate Senior Manager or the Information Governance Manager or the Caldicott
Guardian.

The Trust will support any member of staff who, after using careful consideration,
professional judgement, and has sought guidance from their manager, can
satisfactorily justify and has documented any decision to disclose or withhold
information against a patient's wishes.

12
SH IG 18 Data Protection & Confidentiality Policy
Version 8
August 2020
 4.11 Non–Disclosure of personal information contained in a health record
An individual requesting access to their health records may be refused access to parts of the
information if an appropriate clinician deems exposure to that information could cause
physical or mental harm to the data subject or a third party. Clinicians should be prepared to
justify their reasons in a court of law if necessary. In all cases reasons for non-disclosure
must be documented.

Where access would disclose information relating to or provided by a third party, consent for
release must be sought from the third party concerned, unless that third party is a health
professional who had provided the information as part of their duty of care. Where the third
party does not consent, the information may be disclosed provided the identity of the third
party is not revealed. The Information Commissioner’s Code of Practice suggests that this
might be done by omitting names and identifying particulars from the records. Care should
be taken to ensure that the information if released is genuinely anonymous.

Further guidance is available from SH IG 12 Access to Personal Records Procedure and the
Records Team – email: [email protected].

The Information Commissioner’s Guide provides guidance on issues of law concerning the
right of access to personal data: https://ico.org.uk/for-organisations/guide-to-data-
protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-
access/

4.12 Personal Identifiable Data in Medical Research

All project based research within the Trust must comply with the Data Protection & Caldicott
Guardian Principles as set out within this Policy, be registered by the Research and
Development Department and undergo review through the NHS Health Research Authority
(HRA) approval process to provide assurance to our Trust, our patients and the public that all
research meets the necessary legal and compliance standards.

4.13 Data Protection Impact Assessment Procedure and Template

All projects and processes that involve processing personal information or intrusive
technologies give rise to privacy issues and concerns. To enable the Trust to address the
privacy concerns and risks the GDPR/DPA 18 requires a Data Protection Impact
Assessment (DPIA) be completed, and signed off by the Data Protection Officer and/or the
Information Governance Group. Refer to SH IG 29 Privacy Impact Assessment Procedure
and Template for details.

5. Training requirements

All staff are required to complete the annual mandatory Information Governance Training,
which includes modules on data protection and confidentiality. Monthly reports will be
provided to operational managers to ensure compliance, and this will be monitored via the
Division Specific Performance Review process and the Information Governance Group

6. Monitoring Compliance

Element to be Lead Tool Frequency Reporting arrangements

monitored
Data Security Head of NHS October Via the Information Governance
& Protection Information Digital and March Group
Toolkit Assurance DSPT – annually

13
SH IG 18 Data Protection & Confidentiality Policy
Version 8
August 2020
 7. Document review

The document will be reviewed annually, or sooner if changes in legislation occur or new
best practice evidence becomes available.

8. Associated trust documents

 SH IG 12 Access to Personal/Clinical Records Procedure
 SH IG 29 Privacy Impact Assessment Procedure and Template
 SH IG 46 Information Sharing Policy & Guidance
 SH IG 07 Amending Inaccuracies in Records Procedure
 SH IG 62 Information Governance Incident Reporting Procedure
 SH HR 06 Disclosure and Barring Service (BDS) and Employment Checks Policy
 SH IG 13 Information Lifecycle Police

9. Supporting references

 The Caldicott Manual – NHS Executive http://www.nationalhealthexecutive.com/

 UK Information Commissioners Office website https://ico.org.uk/ for General Data
Protection Regulations 2018
o Medical Research Council - Personal Information in Medical Research
(Executive Summary)
o Information: To share or not to share? The Information Governance Review
(known as the Caldicott 2 Review); Department of Health; March 2013
 Information: To Share or not to Share – Government Response to the Caldicott
Review; Department of Health; September 2013
https://www.gov.uk/government/organisations/department-of-health
 NHS Code of Confidentiality https://digital.nhs.uk/search?q=confidentiality&s=s
 A guide to confidentiality in health and social care – treating confidential information
with respect; Health & Social Care Information Centre; V1.1 September 2013
https://digital.nhs.uk/search?q=confidentiality&s=s
 Health Research Authority: http://www.hra.nhs.uk/about-the-hra/our-plans-and-
projects/assessment-approval/
 Confidentiality, Privacy and Data Protection e-learning resource available:
https://www.hra.nhs.uk/planning-and-improving-research/learning/e-learning/
 Southern Health Research and Development website:
http://www.southernhealth.nhs.uk/research/

10 Definitions

 The General Data Protection Regulation (GDPR/DPA 18) May 2018 and UK Data
Protection Act 2018 provide controls on the handling of personal identifiable information
for all living individuals. Central to the Act is compliance with the principles (above),
designed to protect the rights of individuals about whom personal data is processed
whether an electronic or a paper record.

 The Access to Health Records Act 1990 provides controls on the management and
disclosure of health records for deceased patients. Thus the personal representative of
the deceased or a person who might have a claim arising from the patient’s death can
apply to request access to the files.

14
SH IG 18 Data Protection & Confidentiality Policy
Version 8
August 2020
  The Caldicott Report 1997 provides guidance to the NHS on the use and protection of
personal confidential data/information, and emphasises the need for controls over the
availability of such information and access to it. It makes a series of recommendations
which led to the requirement for all NHS organisations to appoint a Caldicott Guardian
who is responsible for compliance with the 6 (original) Caldicott confidentiality principles.

A review of the Caldicott Principles took place during 2012, chaired by Dame Fiona
Caldicott. The report “The Information Governance Review – To share or not to share”
was published in April 2013, which included an added Principle. The recommendations
from the report were ratified by the Government in September 2013. See sections 5.2
and 5.3 for detail.

 The Common Law Duty of Confidentiality prohibits use and disclosure of information,
provided in confidence unless there is a statutory requirement or court order to do so.
Such information may be disclosed only for purposes that the data subject has been
informed about and has consented to, provided also that there are no statutory restrictions
on disclosure. This duty is not absolute, but should only be overridden if the holder of the
information can justify disclosure as being in the public interest, for example, to protect the
vital interests of the data subjects or another person, or for the prevention or detection of a
serious crime.

 The NHS Code of Confidentiality (2003) provides the standards and framework that all
staff working within the NHS must adhere to (see below).

15
SH IG 18 Data Protection & Confidentiality Policy
Version 8
August 2020
 Appendix 1: GDPR/DPA 18 Processing – legal basis

 Personal data – any information relating to an identifiable person who can be directly or
indirectly identified – name; identification number, location data or online identifier
o Personal data that has been pseudonymised can fall within the scope depending
on how difficult it is to attribute the pseudonym to an individual
Lawfulness of processing personal data – Article 6

6; 1 a the data subject has given consent to the processing of his or her personal data for one
of more specific purposes:
6; 1 b processing is necessary for the performance of a contract to which the data subject is
party or in order to take steps at the request of the data subject prior to entering into a
contract
6; 1 c processing is necessary for compliance with a legal obligation to which the data
controller is subject
6; 1 d processing is necessary in order to protect the vital interests of the data subject or of
another natural person

6; 1 e processing is necessary for the performance of a task carried out in the public
interest or in the exercise of official authority vested in the controller
*see below for detail of legal obligations

6; 1 f processing is necessary for the purposes of the legitimate interests pursued by the
controller or by a third party, except where such interests are overridden by the interests
or fundamental rights and freedoms of the data subject which require protection of
personal data, in particular where the data subject is a child

*6; 1-e – legal obligations

 Health and Social Care (Quality & Safety) Act 2015

 Health & Social Care Act 2012
 Care Act 2014
 The Children Act 1989
 The Children Act 2004
 Childcare Act 2006
 Children (Leaving Care) Act 2000
 Children and Families Act 2014
 National Health Service Act 1977
 National Health Service Act 2006
 Education Act 2002
 Special Education Needs and Disability Regulations 2014
 Localism Act 2011
 Immigration and Asylum Act 1999
 Crime and Disorder Act 1998
[*See table at the end for the detail of the relevant sections of the above legislation]

Sensitive data – “special categories of personal data”

Article 9 – Processing of special categories of personal data

16
SH IG 18 Data Protection & Confidentiality Policy
Version 8
August 2020
 1. Racial or ethnic origin; political opinions; religious or philosophical beliefs; trade-union
membership; processing of genetic data; biometric data (for the purpose of uniquely
identifying a natural person); data concerning health; data concerning a natural person’s
sex life or sexual orientation – SHALL BE PROHIBITED ***[see below]

2. Paragraph 1 shall NOT APPLY if one of the following applies:

2 (a) The data subject has given EXPLICIT consent to the processing of those personal
data for one or more specified purposes, except where Union or Member State law
provide that the prohibition referred to in paragraph 1 may not be lifted by the data
subject
2 (b) Processing is necessary for the purposes of carrying out the obligations and exercising
specific rights of the controller or of the data subject in the field of employment and
social security and social protection law, in so far as it is authorised by Union or
member State law or a collective agreement pursuant to Member State law providing for
appropriate safeguards for the fundamental rights and the interests of the data subject
2 (c) Processing is necessary to protect the vital interests of the data subject or of another
natural person where the data subject is physically or legally incapable of giving
consent
[Capacity Act would apply – or if the person is at risk i.e. Mental Health Act Assessment]
2 (d) Processing is carried out in the course of its legitimate activities with appropriate
safeguards by a foundation, association or any other not-for-profit body with a political,
philosophical, religious or trade-union aim and on condition that the processing relates
solely to the members or to former members of the body or to persons who have regular
contact with it in connection with its purposes and that the personal data are not
disclosed outside that body without the consent of the data subjects
2 (e) Processing relates to personal data which are manifestly made public by the data
subject
2 (f) Processing is necessary for the establishment, exercise or defence or legal claims or
whenever courts are acting in the judicial capacity.

2 (g) Processing is necessary for reasons of substantial public interest, on the basis of Union
or Member State law which shall be proportionate to the aim pursued, respect the
essence of the right to data protection and provide for suitable and specific measures to
safeguard the fundamental rights and the interests of the data subject

2 (h) Processing is necessary for the purposes of preventive or occupational medicine,

for the assessment of the working capacity of the employee, medical diagnosis,
the provision of health or social care or treatment or the management of health or
social care systems and services on the basis of Union or Member State law or
pursuant to contract with a health professional and subject to the conditions and
safeguards referred to in paragraph 3
Paragraph 3: Personal data referred to in para 1 may be processed for the purposes
referred to in point (h) of para 2 when those data are processed by or under the
responsibility of a professional subject to the obligation of professional secrecy under
Union or Member State law or rules established by national competent bodies or by
another person also subject to an obligation of secrecy under Union or Member State
law or rules established by national competent bodies
2 (i) Processing is necessary for reasons of public interest in the area of public health, such
as protecting against serious cross-border threats to health or ensuring high standards
of quality and safety of health care and of medicinal products or medical devices, on the
basis of Union or Member State law which provides for suitable and specific measures
to safeguard the rights and freedoms of the data subject, particular professional
secrecy; or

17
SH IG 18 Data Protection & Confidentiality Policy
Version 8
August 2020
 2 (j) Processing is necessary for archiving purposes in the public interest, scientific or
historical research purposes or statistical purposes in accordance with Article 89(1)
based on Union or Member State law which shall be proportionate to the aim pursued,
respect the essence of the right to data protection and provide for suitable and specific
measures to safeguard the fundamental rights and interests of the data subject

*Legislation table

Legislation Legal gateway Organisati

on
Health and Social Section 3(1),(2)(a)(b): All
Care (Quality & (1)This section applies in relation to information about an
Safety) Act 2015 individual that is held by a relevant health or adult social care
commissioner or provider (“the relevant person”).
(2)The relevant person must ensure that the information is
disclosed to (a)persons working for the relevant person, and
(b)any other relevant health or adult social care commissioner or
provider with whom the relevant person communicates about the
individual.
Health & Social Part 5 – contains guidance about specific duties of co-operation, All
Care Act 2012 including creating a Health and Wellbeing Board, which must, for
the purpose of advancing the health and wellbeing of the people
in its area, encourage persons who arrange for the provision of
any health or social care services in that area to work in an
integrated manner.
Care Act 2014 Section 1 – (1) The general duty of a local authority, in Local
exercising a function under this Part in the case of an individual, authorities
is to promote that individual’s well-being.
Well-being in this Part includes:
(b) physical and mental health and emotional well-being;
(c) protection from abuse and neglect;
(f) social and economic well-being;
Care Act 2014 Section 3 – Local authorities must exercise their functions under Local
this Part with a view to ensuring the integration of care and authorities
support provision with health provision and health-related
provision where it considers that this would—
(a) promote the well-being of adults in its area with needs for
care and support and the well-being of carers in its area,
(b) contribute to the prevention or delay of the development by
adults in its area of needs for care and support or the
development by carers in its area of needs for support, or
(c) improve the quality of care and support for adults, and of
support for carers, provided in its area (including the outcomes
that are achieved from such provision).
The Children Act Section 47(9)(11): All
1989 Where a local authority are conducting enquiries under this
section, it shall be the duty of any person mentioned in
subsection (11) to assist them with those enquiries (in particular
by providing relevant information and advice).
The persons are—.
(a) any local authority;
(d) any Local Health Board , Special Health Authority, Primary
Care Trust, National Health Service trust or NHS foundation
trust; and

18
SH IG 18 Data Protection & Confidentiality Policy
Version 8
August 2020
 (e) Any person authorised by the Secretary of State for the
purposes of this section.
The Children Act A local authority may also request help from those listed above Local
1989 in connection with its functions under Part 3 of the Act. Part 3 of authorities
the Act, which comprises of sections 17-30 allows for local
authorities to provide various types of support for children and
families
The Children Act Section 10 – Co-operation to improve well-being. Local
2004 (2) The arrangements are to be made with a view to improving authorities
the well-being of children in the local authority’s area so far as CCG’s
relating to—.
(a) Physical and mental health and emotional well-being;
(b) Protection from harm and neglect; (e) Social and economic
well-being.
(4) For the purposes of this section each of the following is a
relevant partner:
District councils
The police
The probation service
Youth offending teams (YOTs)
Health and Wellbeing Board.
Any clinical commissioning group for an area any part of which
falls within the area of the authority
The Children Act Section 11 – Arrangements to safeguard and promote welfare. All
2004 The section applies to
(a) a local authority in England
(b) a district council which is not such an authority;
(c) a Strategic Health Authority;
(d) a Special Health Authority, so far as exercising functions in
relation to England, designated by order made by the Secretary
of State for the purposes of this section;
(e) a Primary Care Trust;
(f) an NHS trust all or most of whose hospitals, establishments
and facilities are situated in England;
(g) an NHS foundation trust;
Childcare Act Section 1 - General duties of local authority in relation to well- Local
2006 being of young children. authorities
(1)An English local authority must—.
(a)improve the well-being of young children in their area, and
(2) In this Act “well-being”, in relation to children, means their
well-being so far as relating to—.
(a) Physical and mental health and emotional well-being;
(b) Protection from harm and neglect;
(e) Social and economic well-being.
Children (Leaving The main purpose of the Act is to help young people who have Local
Care) Act 2000 been looked after by a local authority, move from care into living authorities
independently in as stable a fashion as possible. To do this it
amends the Children Act 1989 (c.41) to place a duty on local
authorities to assess and meet need.
The responsible local authority is under a duty to assess and
meet the care and support needs of eligible and relevant children
and young people and to assist former relevant children, in
particular in respect of their employment, education and training.
Sharing information with other agencies will enable the local
authority to fulfil the statutory duty to provide after care services
to young people leaving public care.

19
SH IG 18 Data Protection & Confidentiality Policy
Version 8
August 2020
 Children and Section 23 - places a duty on health bodies to bring certain All
Families Act 2014 children to local authority’s attention, where the health body has
formed the opinion that the child has (or probably has) special
educational needs or a disability
Children and Section 25 - places a duty on a local authority to exercise its Local
Families Act 2014 functions with a view to ensuring the integration of educational authorities
provision, training provision with health care and social care
provision where it thinks that this would –
(a) promote the well-being of children or young people in its area
who have special education needs or a disability, or
(b) improve the quality of special educational provision in its area
or outside its area for children it is responsible for who have
special educational needs
National Health Section 22 - Co-operation between health authorities and local All
Service Act 1977 authorities.
(1)In exercising their respective functions NHS bodies (on the
one hand) and local authorities (on the other) shall co-operate
with one another in order to secure and advance the health and
welfare of the people of England and Wales.
National Health Section 82 – Places a duty on NHS bodies and local authorities All
Service Act 2006 to co-operate with one another in order to secure and advance
the health and welfare of the people of England and Wales.
Education Act The duty laid out in section 11 of the Children Act 2004 mirrors All
2002 the duty imposed by section 175 of the Education Act 2002 on
LEAs and the governing bodies of both maintained schools and
further education institutions. This duty is to make arrangements
to carry out their functions with a view to safeguarding and
promoting the welfare of children and follow the guidance in
Safeguarding Children in Education (DfES 2004).
The guidance applies to proprietors of independent schools by
virtue of section 157 of the Education Act 2002 and the
Education (Independent Schools Standards) Regulations 2003.
Section 21 of the Act, as amended by section 38 of the
Education and Inspections Act 2006, places a duty on the
governing body of a maintained school to promote the well-being
of pupils at the school. Well-being in this section is defined with
reference to section 10 of the Children Act 2004 (see paragraph
5.5 above). The Act adds that this duty has to be considered with
regard to any relevant children and young person’s plan.
This duty extends the responsibility of the governing body and
maintained schools beyond that of educational achievement and
highlights the role of a school in all aspects of the child’s life.
Involvement of other services may be required in order to fulfil
this duty so there may be an implied power to work
collaboratively and share information for this purpose.
Special Section 6 states, where the local authority secures an EHC All
Education Needs needs assessment for a child or young person, it must seek the
and Disability advice and information in relation to educational, medical needs,
Regulations 2014 psychological needs and advice and information relating to
Social Care from the named authorities. The Regulations also
requires the local authority to seek advice and information from
any other person the local authority thinks is appropriate.
Section 7 states: “When securing an EHC needs assessment a
local authority must consult (a) the child and the child’s parent,
or the young person and take into account their views, wishes
and feelings” and (d) “engage the child and the child’s parent, or

20
SH IG 18 Data Protection & Confidentiality Policy
Version 8
August 2020
 the young person and ensure they are able to participate in
decisions.
Localism Act Section 1 - This has repealed the wellbeing powers of the Local Local
2011 Government Act 2000 (but not for Welsh Authorities). The authorities
general power of competence is a new power available to local
authorities in England that will allow them to do “anything that
individuals generally may do”.
Immigration and Section 20 - provides for a range of information sharing for the All
Asylum Act 1999 purposes of the Secretary of State:
To undertake the administration of immigration controls to detect
or prevent criminal offences under the Immigration Act;
To undertake the provision of support for asylum seekers and
their dependents
Crime and Section 17 - Duty to consider crime and disorder implications. Local
Disorder Act (1) Without prejudice to any other obligation imposed on it, it authorities
1998 shall be the duty of each authority to which this section applies to
exercise its various functions with due regard to the likely effect
of the exercise of those functions on, and the need to do all that
it reasonably can to prevent, crime and disorder in its area.
(2) This section applies to a local authority, a joint authority,
[F1the London Fire and Emergency Planning Authority,] a police
authority, a National Park authority and the Broads Authority.

21
SH IG 18 Data Protection & Confidentiality Policy
Version 8
August 2020