Skip to main content

Data protection regulations policy

Contents

  1. Introduction
  2. Purpose
  3. Scope
  4. Responsibilities, accountabilities and duties
  5. Procedure implementation
  6. Training implications
  7. Monitoring arrangements
  8. Equality impact assessment screening
  9. Links to any other associated documents
  10. References
  11. Appendices

1 Introduction

This policy aims to ensure that personal data and information held and processed by Rotherham, Doncaster and South Humber NHS Foundation Trust (hereafter referred to as ‘the trust’) or held and processed on its behalf by third parties, is handled in a safe and secure manner which complies with legislation and best practice relating to data protection and confidentiality. Details of handling subject access requests under the act are set out in the subject access request policy.

2 Purpose

The purpose of this policy is to enable the trust and its staff to comply with current data protection legislation and regulations, in particular the Data Protection Act (DPA) 2018. This provides protection, as well as rights of access, to personal data and information held by the trust. That information may relate to Staff and volunteers as well as to patients and the public.

3 Scope

This policy entails all personal data held by, or on behalf of, the trust, its processing, storage, handling and usage. Such data includes but is not limited to:

  • employee and staff records
  • patient data and records
  • personal data relating to volunteers working with the trust
  • personal data in all formats including, but not limited to, paper copy, digital records and CCTV

4 Responsibilities, accountabilities and duties

This policy applies to all those working for the trust in whatever capacity, including the trust’s staff, volunteers, students, temporary workers, contractors, suppliers and third parties (hereafter referred to as ‘employees’). It applies to third party providers who may hold information belonging to the trust, including patient information. Suppliers are also expected to follow this approach as part of their own obligations under the DPA 2018.

  • Shall, this term is used to state a mandatory requirement of this policy.
  • Should, this term is used to state a recommended requirement of this policy.
  • May, This term is used to state an operational requirement of this policy.

5 Procedure or implementation

5.1 Overview of data protection regulations

The trust shall fully support and comply with the principles of the DPA of 2018. This act covers “personal data” which can be used to identify a living individual.

The DPA 2018 applies the standards set out in the EU general data protection regulation (GDPR) (opens in new window) but has been amended to reflect the national context. The DPA 2018 updates and replaces the DPA of 1998 and came into effect on 25 May 2018.

The trust shall register annually with the information commissioner’s office (ICO). This is a requirement placed upon the trust as a body that manages and processes personal data.

5.2 Data Protection Act (2018)

The DPA stipulates (opens in new window) that anyone processing personal data must comply with the following principles, in which personal data shall be:

  • processed lawfully, fairly and in a transparent manner in relation to individuals (“fair, lawful and transparent”)
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial (“purpose limitation”)
  • used in a way that is adequate, relevant and limited to only what is necessary (“data minimisation”)
  • accurate and, where necessary, kept up to date (“accuracy”)
  • kept for no longer than is necessary (“storage limitation”)
  • handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage (“confidentiality and integrity”)

The legislation stipulates that there shall be accountability which requires organisations to take responsibility for what they do with personal data and how they comply with the other principles. There must also be appropriate measures and records in place to be able to demonstrate compliance.

The DPA 2018 provides conditions for the processing of any personal data. It also makes a distinction between personal data and “sensitive” personal data.

Although the DPA 2018 does not apply to deceased persons, the NHS has issued guidance which states that, where possible, the same level of confidentiality should be afforded to the records and information relating to a deceased person as applies to a living person.

For definitions, refer to the ico website (opens in new window).

5.3 Data protection impact assessments (DPIA)

A data protection impact assessment (DPIA) (opens in new window) is a process to help organisations identify and minimise the data protection risks of a project.

Staff shall complete a DPIA when seeking to process information that is likely to result in a high risk to individuals. To assess the level of risk, both the severity and likelihood of any impact to an individual(s) should be considered.

Staff should ask the data protection officer (DPO) for their advice on the DPIA and document it as part of the process.

5.4 Privacy notice and fair processing

The UK GDPR requires that data controllers provide certain information to people whose data they hold and use. This is known as a privacy notice (PN) (opens in new window).

The trust shall provide PNs to all patients and all staff, identifying who the data controller is, including contact details for the DPO. The PN should also explain the purposes for which personal data is collected and used, how the data is used and disclosed, how long it is kept, and the controller’s legal basis for processing.

A statement of fair processing or PN should also be provided on the trust’s website. This reflects the requirement for a statement of fair processing set out in the recommendations of the Caldicott review (opens in new window).

5.5 NHS Caldicott principles

The trust shall also comply with the Caldicott principles which focus on the protection and processing of patient-identifiable information within the NHS. The principles include:

  • justify the purpose for collecting or holding patient-identifiable information
  • do not use patient-identifiable information unless it is absolutely necessary
  • use the minimum necessary patient-identifiable information
  • access to patient-identifiable information should be on a strict need to know basis
  • everyone should be aware of their responsibilities
  • understand and comply with the law
  • the duty to share information can be as important as the duty to protect patient confidentiality

The Caldicott guardian (opens in new window) has been appointed by the trust to advise the trust board on the matter of patient confidentiality and promote safe and secure handling of patient data.

5.6 Network and information systems regulation (NISR)

The networks and information systems regulation (NISR) aims to raise the levels of overall security and resilience of network and information systems for operators of essential services across the UK and defines a set of principles used to guide decision-making.

These principles fall under four main objectives:

  • managing the security risks  by ensuring appropriate organisational structures, policies, and processes are in place to understand, assess and systematically manage security risks to the network and information systems supporting essential services
  • protecting against cyber attacks by ensuring proportionate security measures are in place to protect essential services and systems from cyber attack
  • detecting cyber security events  by ensuring security defences remain effective and detecting cyber security events affecting, or with the potential to affect, essential services
  • response and recovery planning, having capabilities to minimise the impact of a cyber security incident on the delivery of essential services including the restoration of those services where necessary

5.7 NHS code of practice

Under the NHS code of practice, individuals have a right to confidentiality. Further guidance regarding confidentiality can be found in the NHS code of conduct. Please refer to the NHS code of practice for confidential information (opens in new window) for further detail.

5.8 Freedom of Information Act 2000

The Freedom of Information Act (FOI) 2000 provides public access to information held by public authorities. It does this in two ways:

  • public authorities are obliged to publish certain information about their activities
  • members of the public are entitled to request information from public authorities

The act covers any recorded information that is held by a public authority in England, Wales and Northern Ireland, and by UK-wide public authorities based in Scotland. Information held by Scottish public authorities is covered by Scotland’s own Freedom of Information (Scotland) Act 2002.

Public authorities include government departments, local authorities, the NHS, state schools and police forces.

Recorded information includes printed documents, computer files, letters, emails, photographs, and sound or video recordings.

The act does not give people access to their own personal data (information about themselves) such as their health records or credit reference file. If a member of the public wants to see information that the trust holds about them, they should make a subject access request under the DPA.

5.9 Roles and responsibilities

The following are the key responsibilities regarding data protection regulations:

  • chief executive and the trust’s board, have ultimate accountability for actions and inactions in relation to this policy
  • senior information risk officer (SIRO), responsible for having overall accountability for data governance and risk management in the trust. The SIRO must brief the board and provide assurance through the ‘statement of internal control’ that the data protection and the approach to confidentiality is effective in terms of resource, commitment and execution
  • Caldicott guardian, has responsibility for ensuring that there are adequate standards for protecting patient information and that all data transfers are undertaken in accordance with the Caldicott principles
  • data protection officer (DPO), is a mandatory requirement of all public authorities in accordance with the Data Protection Act (2018). They are responsible for challenging and advising the board on data protection to ensure that the trust remains compliant

Further detail is provided in the information governance policy.

The trust shall:

  • ensure there is always one person with overall responsibility for personal data protection
  • provide training for all staff on personal data protection legislation and regulations, and ensure access to further guidance and support
  • provide clear lines of reporting and supervision for compliance with personal data protection
  • carry-out regular checks to monitor and assess the processing of personal data
  • develop and maintain DPA procedures and records to include roles and responsibilities, notification, subject access requests, training and compliance testing

The trust’s response to this guidance, with associated roles and accountabilities, is set out in the information governance policy.

The trust’s procedure for handling subject access requests is contained in the subject access request policy.

5.10 Policy compliance and breach notification

Any breach of data protection and confidentiality can have severe implications for the trust and data subjects and can impact the reputation of the trust and the NHS as a whole. Any breach of the DPA 2018 constitutes a serious disciplinary offence. The ICO regulates data protection and has the power to enforce compliance.

As a data controller, the trust is required to notify the relevant regulatory body that it is processing personal data. Data controllers must renew their notification with the relevant regulatory body on an annual basis. Failure to notify constitutes a criminal offence. Any changes to the register must be notified to the relevant regulatory body within 28 days of taking place. The DPO shall be responsible for notifying and updating the relevant regulatory body.

All breaches of information security, including near miss events, shall be communicated to the relevant information asset owner (IAO) and to the SIRO as per the Information security incident management policy. In the event that a breach concerns the loss or theft of personal or sensitive personal data, the DPO shall be informed immediately. Day-to-day the DPO shall be the first point of contact between the trust and the ICO. The SIRO, supported by the DPO must ensure the ICO is informed of any breach within 72 hours of its discovery.

6 Training implications

6.1 All Staff DSA policy

  • How often should this be undertaken: Upon commencement of employment and annually thereafter.
  • Length of training:  1 and a half hours.
  • Delivery method: E-learning or face to face.
  • Training delivered by whom: IG or NHS Digital e-learning package.
  • Where are the records of attendance held: ESR.

7 Monitoring arrangements

7.1 Policy

  • How: Review of best practice against the policy will be undertaken annually.
  • Who by: Head of information governance.
  • Reported to: Information governance group and health informatics group.
  • Frequency: Annually through auditing.

This policy shall be reviewed every two years or in response to significant changes due to security incidents, variations of law and or changes to organisational or technical infrastructure.

This policy is by the DPO or head of IG and maintained by the SIRO on behalf of the board. Questions relating to its content or application should be addressed to the DPO or head of IG.

In the event of a national health emergency such as the covid-19 pandemic, this policy still applies, unless it is superseded by specific clauses mandated by the trust’s business continuity policy.

8 Equality impact assessment screening

The completed equality impact assessment for this policy has been published on this policy’s webpage on the trust policy library or archive website.

Follow the link to download the equality impact assessment: EIA.

8.1 Privacy, dignity and respect

The NHS Constitution states that all patients should feel that their privacy and dignity are respected while they are in hospital. High Quality Care for All (2008), Lord Darzi’s review of the NHS, identifies the need to organise care around the individual, ‘not just clinically but in terms of dignity and respect’.

As a consequence the trust is required to articulate its intent to deliver care with privacy and dignity that treats all service users with respect. Therefore, all procedural documents will be considered, if relevant, to reflect the requirement to treat everyone with privacy, dignity and respect, (when appropriate this should also include how same sex accommodation is provided).

8.1.1 How this will be met

No issues have been identified in relation to this policy.

8.2 Mental Capacity Act 2005

Central to any aspect of care delivered to adults and young people aged 16 years or over will be the consideration of the individuals capacity to participate in the decision making process. Consequently, no intervention should be carried out without either the individual’s informed consent, or the powers included in a legal framework, or by order of the court.

Therefore, the trust is required to make sure that all staff working with individuals who use our service are familiar with the provisions within the Mental Capacity Act (2005). For this reason all procedural documents will be considered, if relevant to reflect the provisions of the Mental Capacity Act (2005) to ensure that the rights of individual are protected and they are supported to make their own decisions where possible and that any decisions made on their behalf when they lack capacity are made in their best interests and least restrictive of their rights and freedoms.

8.2.1 How this will be met

All individuals involved in the implementation of this policy should do so in accordance with the principles of the Mental Capacity Act (2005).

10 References

  • NHS Code of Practice.
  • Freedom of Information (FOI) Act 2000.
  • Data Protection Act (2018).
  • UK General Data Protection Regulations 2018.
  • Data Protection Impact Assessments (DPIA).
  • NHS Caldicott Principles.
  • Network and Information Systems Regulation.

11 Appendices

11.1 Appendix A Freedom of information Exemptions

11.1.1 Introduction

The Freedom of Information Act 2000 (FOI Act) came into force on 1 January 2005.

It is a new law that means all recorded information held by public authorities is open to the public, unless an exemption applies. Anyone, regardless of age or location, can request information held by public authorities. This includes central government departments, all local authorities, schools, universities, the national health service, the police and many more.

11.1.2 Who can make an information request?

Anyone, regardless of age or location, can make a request for information. An FOI request must be in writing, contain a contact name and address (this can be an email address) and must sufficiently describe the information required. The request must not be vexatious or repeated.

11.1.3 What information can be requested?

Any recorded information held by a public authority is eligible for release. Contracts, letters, faxes, emails, voicemail messages and even scribbles in the margin and on post‐it notes will be covered. However, a number of exemptions may be applied to protect information from being disclosed.

An example of this is if the information requested relates to personal information of a patient. Requests for personal information of a living, identifiable person should be dealt with as subject access requests made under the Data Protection Act 2018 and are covered by an absolute exemption under the FOI Act.

11.1.4 How must the trust respond?

Subject to the exemptions mentioned in paragraph 8 below, the trust must confirm or deny whether it holds the information. If it does hold the information, it must then communicate the information to the applicant. All of this must be completed within 20 working days of receipt of the request.

11.1.5 Can the trust charge a fee?

The FOI act makes provisions for authorities to ascertain if and when they can charge for supplying information in relation to a FOI request. These provisions are known as the Freedom of Information and Data Protection (appropriate limit and fees) Regulations 2004.

The trust will not normally be able to charge a fee except where the cost of meeting a request exceeds £450. If the cost of locating, retrieving or collating the information exceeds £450 the trust has discretion as to whether or not they respond to the request. If they respond, they can pass on the costs to the applicant, but the applicant should be notified beforehand. If the cost of responding to the request does not exceed £450, the trust will be entitled to charge a reasonable sum to cover costs, such as photocopying and postage costs.

A request for fees should be made within the 20 working days. Fees should be paid within three months of the date the fee was asked for otherwise there is no need to respond to the request. Further guidance will follow shortly.

11.1.6 What information is not covered?

The FOI act lists 23 categories of information that are exempt. These are split into absolute exemptions and qualified exemptions.

Absolute exemptions are exemptions where the authority can deny the request without having to make a judgement on whether it would be in the public interest to do so.

Qualified exemptions are exemptions where the authority can only deny the request after having made a judgement as to whether it is in the public interest to do so. This is known as the public interest test.

Generally speaking, anyone making a request for information is entitled to be informed in writing by the trust whether it holds information of the type requested and to have that information supplied, unless an absolute exemption applies or a qualified exemption applies and the public interest in maintaining the exclusion of the duty to confirm or deny outweighs the public interest in disclosure that the trust holds some information.

If an exemption is absolute, there is no general right of access to the information. If an exemption is qualified, the public authority must decide whether, in all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosing the information. The trust does not even need to confirm or deny that it holds the information. Below is a full list of the exemptions and a short note is provided on each of the most relevant ones.

Eight of the exemptions are absolute. Even where an exemption is absolute, it does not mean you cannot disclose in all cases. It means that the FOI Act does not require disclosure. You can still disclose, taking into account all the facts of the case.

There is still a legal obligation to provide reasonable advice and assistance to the enquirer.

Section 21, information reasonably accessible to the applicant by other means This could include, for example, information contained already in our publication scheme.

11.1.7 The absolute exemptions are

  • Section 22, information intended for future publication:
    • here there has to be a genuine intention to publish at the time the request is made. It is not necessary to have set a publication date but the exception can be claimed only if it is reasonable in all the circumstances to do so.
  • Section 23, information supplied by, or relating to, bodies dealing with security matters (for example, a warning of a possible terrorist attack).
  • Section 32, court records (for example, care proceedings).
  • Section 34, parliamentary privilege.
  • Section 40, personal information:
    • part (1), personal data. If information is the personal data of the person making the request, it will be exempt under part (1) of section 40. In other words, if a request for information that constitutes personal data is received from the data subject (for example, you), it is exempt from the FOI act. This is in accordance with the Data Protection Act 2018. Any applications for personal data should be treated as a data subject access requests (for example, details about an individual’s own patient records). If information constitutes the personal data of the applicant, the duty to confirm or deny will also be excluded in respect of that information even if confirmation or denial would not in itself have disclosed personal data. The data protection act subject access fee rules will apply if your department require a fee to be paid
    • part (2), personal data of a third party. This relates to information which constitutes the personal data of a third party (which is not at the same time the personal data of the applicant). In the first instance this will be dealt with as a FOI request. However, personal data of a third party will be exempt if its disclosure to a member of the public would:
      • contravene any of the data protection principles (or, in the case of category (e) data would contravene any of the principles if they applied)
      • contravene section 10 of the Data Protection Act
      • not be required to be disclosed in response to a subject access request due to the operation of one of the exemptions in part 4 of the DPA
    • part (3), if the information constitutes the personal data of a third party and its disclosure to a member of the public would contravene one or more of the data protection principles, the information will be exempt under section 40(3)(a)(i) (or section 40(3)(b)), and the FOI Act request must be refused.
  • Section 41, information provided in confidence:
    • this relates to information obtained from a person if its disclosure would constitute a breach of confidence actionable by that, or another person (for example, a contract genuinely containing sensitive commercial information protected by a confidentiality clause).
  • Section 44, prohibitions on disclosure:
    • this relates to disclosure prohibited by court order where it would constitute contempt of court or be incompatible with EU obligations.

11.1.8 The remaining 15 are qualified and subject to the public interest test

The trust need only disclose the information if this is in the public interest (see 10 below on how to apply this test). Qualified exemptions do not justify withholding information unless, following a proper assessment, the balance of the public interest comes down against disclosure.

11.1.9 The qualified exemptions

  • Section 24, national security.
  • Section 26, defence, this likely does not affect NHS trusts.
  • Section 27, international relations, this likely does not affect NHS trusts.
  • Section 28, relations with the United Kingdom, this likely does not affect NHS trusts.
  • Section 29, the economy, this covers the communal economic interests of the UK and the financial interests of any administration in the UK, which do not include local authorities.
  • Section 30, investigations of proceedings conducted by public authorities, this covers information held in connection with prosecutions being brought by the trust. This also covers information held in connection with civil proceedings such as cases of clinical negligence or misconduct.
  • Section 31, law enforcement disclosure, there must be likely to prejudice the prevention or detection of crime, the apprehension or prosecution of offenders or the administration of justice.
  • Section 33, audit functions, generally speaking, public authorities cannot claim the exemption, although there may be other exemptions that would be appropriate to consider. This could, for example, be applicable to auditing of the trust’s accounts by an independent third party.
  • Section 35, formulation of government policy etc.
  • Section 36, prejudice to the effective conduct of public affairs, information can be withheld under this section if, in the opinion of the trust’s qualified person (the chief executive), that its disclosure would inhibit the full and frank provision of advice or exchange of views, or prejudice the effective conduct of public affairs (also see the reference to Section 33 above).
  • Section 37, communications with Her Majesty, etc. and Honours Section 38, health and safety, this is exempt if disclosure would be likely to endanger the safety or physical or mental health of anyone. In this context, the information covered will relate either to physical health and medical matters, or physical safety (for example, the risk of accident and the security of individuals).
  • Section 39, environmental information, this is covered by the Environmental Information Regulations 2004 and is dealt with as a request for information under them. Environmental information relates to any information in written, visual, aural, electronic or any other material form on:
    • factors that affect or are likely to affect the elements of the environment referred to in
    • energy, noise, radiation
    • policies, legislation, plans, programmes etc. affecting or likely to affect the elements and factors referred to in (a) and (b) as well as measures or activities designed to protect those elements
    • reports on the implementation of environmental legislation
    • cost‐benefit and other economic analyses and assumptions used within the framework of the measures and activities referred to in (c)
    • the state of human health and safety (conditions, cultural sites etc.) inasmuch as they are or may be affected by the state of the elements of the environment referred to in (a) or, through those elements, by any of the matters referred to in (b) and (c)
  • Section 42, legal professional privilege, this covers advice given in communications by legal advisers, solicitors or barristers. Legal professional privilege can be:
    • advice privilege (where no litigation is contemplated or pending) or litigation privilege (where it is)
  • Section 43, commercial interests, this information is exempt if it constitutes a trade secret or if disclosure would prejudice the commercial interests of any person or body.

11.1.10 Applying the public interest test

Having established that a qualified exemption definitely applies to a particular case, the trust must then carry out a public interest test to identify if the public interest in applying the exemption outweighs the public interest in disclosing it. In other words, unless it is in the public interest to withhold the information, it has to be released. Although precedent and developed case law will play a part in this, individual circumstances will vary, and each case will need to be considered on its own merits.

11.1.11 Carrying out the test

What is in the public interest is not necessarily the same as what the public are interested in. It may be irrelevant that a matter is the subject of public curiosity. In most cases it will be relatively straightforward to decide where the balance of the public interest in disclosure lies. However, there will inevitably be cases where the decision is a difficult one. Applying such a test depends to a high degree on objective judgement and a basic knowledge of the subject matter and its wider impact. Any public interest test will provide reasons both for and against the disclosure of the information and provide a balanced judgement as to why the information has either been withheld or released.

In applying the public interest test, please note the following:

  • potential or actual embarrassment to or loss of confidence in the trust is not a valid factor
  • the fact that the information is technical, complex to understand and may be misunderstood is not of itself a reason to withhold information
  • the potential harm of releasing information will reduce over time and should be considered at the time the request is made rather than by reference to when the relevant decision was taken originally
  • a decision not to release information may seem unjust, for example, not releasing the information could result in harm or prejudice to public safety, the environment or a third party

11.1.12 Possible factors to consider when weighing the public interest include

11.1.12.1 For disclosure
  • To increase access to information held by the trust?
  • To allow individuals to understand decisions taken that affect their lives or assist them in challenging those decisions?
  • To improve the accountability and transparency of the trust in its use of public funds and or help to show that it obtains value for money?
  • To contribute to public debate and assist the understanding of existing or proposed policy?
  • To increase public participation in decision‐making?
  • To increase public participation in political processes in general?
  • To bring to light information affecting public health or safety?
  • To reduce further enquiries on the topic?
11.1.12.2 Against disclosure
  • To distort public reporting or be misleading because it is incomplete?
  • Is premature disclosure likely to prejudice scrutiny or release sensitive issues still on the internal agenda or evolving?
  • To cause unnecessary public alarm or confusion?
  • To seriously jeopardise the legal or contractual position of the trust
  • To infringe other legislation, for example, the Data Protection Act?
  • To create a controversial precedent on the release of information or impair your ability to obtain information in the future?
  • To adversely affect the trust’s proper functioning and discourage openness in expressing opinions?
  • If a large amount of information on the topic has already been made available, to shed any more

Document control

  • Version: 1.1.
  • Unique reference number: 605.
  • Date approved: 15 January 2024.
  • Approved by: Corporate policy approval group.
  • Name of originator or author: DPO or head of IG.
  • Name of responsible individual: Director of health informatics or SIRO.
  • Date issued: 16 January 2024.
  • Review date: August 2024.
  • Target audience: All staff.

Page last reviewed: April 12, 2024
Next review due: April 12, 2025

Feedback

Report a problem