INFORMATION GOVERNANCE POLICY

Aims and Objectives

To ensure the maintenance of detailed, accurate and up-to-date records of our clients, vital to the delivery of good quality person-centred care.  To ensure the safe and proportionate storage of information relating to our employees.

Island Healthcare adheres to the eight principles set out in the Data Protection Act 1998 (HM Government, 1998) and its associated regulations in regard to the creation, storage and sharing of any care data maintained by the company.

Contents

Principle One – Fair and lawful handling of data

Principle Two – The purposes for which personal data is processed

Principle Three – The amount of personal data held

Principle Four – The accuracy of information

Principle Five – Retention of data

Principle Six – Rights of the person

Principle Seven – Security

Principle Eight – International

Confidentiality

References

Principle One – Fair and lawful handling of data

(HM Government, 1998, p. 48)

This means we must…

  • Have legitimate grounds for collecting and using the personal data
  • Not use the data in ways that have unjustified adverse effects on the individuals concerned
  • Be transparent about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data
  • Handle people’s personal data only in ways they would reasonably expect
  • Make sure you do not do anything unlawful with the data

(Information Commissioner’s Office, 2017)

Client’s data

The information collected by Island Healthcare about our clients is considered by the DPA 1998 to be ‘sensitive’

  1. A signed consent form must be obtained during the assessment stage to ensure compliance with Principle One.
  2. Any changes to the use of personal data will be given consideration as to the effect this may have and will not occur without the consent of the individual or an advocate.
  3. The consent document transparently sets out how the data will be used and who it will be shared with.
  4. All the information collected will be stored appropriately, securely and not shared with any person or organisation not outlined in the consent document without prior consent or a best interest decision.
  5. Island Healthcare will obtain a written agreement with all organisations it shares data with to ensure it is processed fairly.

Staff data

Explicit consent is given by all employees in their employment contract for the processing of their personal information, and it’s sharing with third parties also bound by a duty of confidentiality.

Data Sharing

IHL will not share data with other private organisations, without the expressed consent of the person concerned and will never give information to telemarketers or advertisers.

However, in some instances, it may be important to share personal information in the interest of the person’s health and wellbeing, such as with doctors, or the hospital and can be done in the person’s best interest if consent is not possible.  Each situation must be reviewed on a case by case basis.

Island Healthcare may share data on a systematic or ad-hoc basis, as defined by the ICO in their guidance on Data Sharing (Information Commissioner’s Office, 2016, p. 9 & 10).  The decision to share personal data will be informed by the ‘Data Sharing Checklists’  (Information Commissioner’s Office, 2016, p. 46) following the receipt of a ‘Data Sharing Request Form’

If a decision to share data systematically is taken following the completion of the checklists, a Data Sharing Agreement must be completed and signed by both parties.

In the rare instance where personal data might be requested for research purposes, IHL will look at it on an individual basis and only provide anonymised data.

The company will never sell personal information.

Principle Two – The purposes for which personal data is processed

(HM Government, 1998, p. 48)

This means we must…

  • Be clear from the outset about why you are collecting personal data and what you intend to do with it;
  • Comply with the act’s fair processing requirements – including the duty to give privacy notices to individuals when collecting their personal data;
  • Comply with what the act says about notifying the information commissioner
  • Ensure that if you wish to use or disclose the personal data for any purpose that is additional to or different from the originally specified purpose, the new use or disclosure is fair.

(Information Commissioner’s Office, 2017)

Client’s data

The personal data collected by Island Healthcare is for the sole purpose of the provision of save and effective care to the person and will not be used for any other function.

Information shared with others will only be in connection with the provision of safe and effective care.

IHL is clear in its consent document the purpose for which we are collecting this personal information and how it will be processed.

Staff data

Personal information on staff is collected for the sole purpose of complying with regulatory requirements (DBS applications) and for the processing of wages.

Island Healthcare has notified (registered) the ICO.

Principle Three – The amount of personal data held

(HM Government, 1998, p. 48)

This means we must…

  • Hold personal data about an individual that is sufficient for the purpose we are holding it for in relation to that individual
  • Not hold more information than we need for that purpose.
    (Information Commissioner’s Office, 2017)

Client’s Data

Only data relevant and proportionate to the purpose of providing care and support in a person centred way will be collected and stored.

This data extends to work, social and religious history which informs the provision of good, person centred care.

Employee Data

Only data relevant to the processing of job applications, wages and DBS applications is collected and stored.

Principle Four – The accuracy of information

 

 

 

(HM Government, 1998, p. 48)

This means we must…

  • Take reasonable steps to ensure the accuracy of any personal data we obtain
  • Ensure that the source of any personal data is clear
  • Carefully consider any challenges to the accuracy of information
  • Consider whether it is necessary to update the information

(Information Commissioner’s Office, 2017)

Client’s Data

Care plans must be created in partnership with individuals or their advocates using information from assessment and other health records shared with us to ensure its accuracy.

All care plans are reviewed each month with any additional information added or removed.  All changes are recorded in the Care Plan Review sheet.

Employee Data

Employees have a responsibility to ensure that contact information remains up-to-date and information on recent convictions is disclosed to the company.

IHL will routinely distribute information update forms for this purpose.

Principle Five – Retention of data

(HM Government, 1998, p. 48)

This means we must…

  • Review the length of time you keep personal data;
  • Consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it;
  • Securely delete information that is no longer needed for this purpose or these purposes
  • Update, archive or securely delete information if it goes out of date.

(Information Commissioner’s Office, 2017)

Individual’s Data

A person’s data is maintained for the duration of their relationship with us in accordance with Principle 7 of the DPA.

Island Healthcare follows guidance from the Information Governance Alliance and NHS Digital for the retention of Adult Health and Social Care records (Information Governance Alliance, 2016, p. 53). Care records must be archived for a period of at least eight years, after which they are to be reviewed prior to destruction considering any “serious incident retention”.

Data on Serious Incidents are to be held for a period of 20 years before being reviewed and non-serious incidents are archived for 10 years (Information Governance Alliance, 2016, p. 69).  Financial records are maintained indefinitely but for at least 10 years.

Employee Data

Employee data is stored on the same basis.  Whilst their relationship with the company exists their data will be stored in accordance with Principle 7 of the DPA.

Once the relationship has ended, employee information is archived until the person is 75 years old or for 6 years at which point a summary of the record is taken which is stored until the person is 75.

Disposal of archived data

Island Healthcare will request that information stored electronically is deleted in accordance with our statutory obligations.

Hard copy data will be shredded in house or using a confidential shredding service.

Principle Six – Rights of the person

 

 

 

The following rights of the ‘data subject’ apply to anyone both employees of the organisation and clients.  The rights are:

  1. A right of access to a copy of the information comprised in their personal data;
  2. A right to object to processing that is likely to cause or is causing damage or distress;
  3. A right to prevent processing for direct marketing;
  4. A right to object to decisions being taken by automated means;
  5. A right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and
  6. A right to claim compensation for damages caused by a breach of the act.

1.      Subject access requests

The right of an individual to access their personal data goes further than simply showing them the records.  If the individual makes a formal subject access request (Subject Access Request Form – Appendix 4) IHL has an obligation to respond within 40 days of receipt and provide the following information, we will not charge a fee for this service:

Whether any personal data is being processed
A description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people
A copy of the information comprising the data; and given details of the source of the data (where this is available)
You will receive this information on a Subject Access Response Form (Appendix 5).

Data can be accessed on behalf of another person (for instance a solicitor acting in a person’s interest or a family member).  However, Island Healthcare will only ever provide this information when clear permission is given.  It is the third party’s responsibility to provide this permission and could be either a written authority to make the request or a power of attorney.

2.      Damage or Distress

The second right allows for a person to request, via the Damage or Distress Contact form (Appendix 6), IHL stops processing their data, however this is limited to the following circumstances:

  • When the data is their own
  • When processing the data causes unwarranted and substantial damage or distress
  • When the objection specifies why the processing has this effect

Additionally, the person has no right to object to the processing under the following circumstances:

  • they have consented to the processing;
  • the processing is necessary:
  • in relation to a contract that the individual has entered into; or
  • because the individual has asked for something to be done so they can enter into a contract;
  • the processing is necessary because of a legal obligation that applies to you (other than a contractual obligation)
  • the processing is necessary to protect the individual’s “vital interests”.

3.      Preventing direct marketing

Island Healthcare undertakes no direct marketing.  If in the future, this changes people have a right to request that we not use their data for this purpose which we must action “within a reasonable period”.

4.      Automated decision taking

Island Healthcare operates no processes which involve automated decision making.  Were this to change the policy will be updated her to account for it.

(Information Commissioner’s Office, 2017)

Principle Seven – Security

(HM Government, 1998, p. 48)

Each Home’s Manager, or the Community Care Manager, is responsible for the security of the physical records held at their home.  The Operations Director is responsible for IT Security of the use of Google Drive Cloud service.

Google Account passwords are only available to the Operations Director or the care home manager.  When a manager has changes to their own password they must ensure it is difficult to ‘hack’ and not disclosed.

Breaches in security are treated very seriously and investigated with hast.  Disciplinary action may be taken against employees who breach security, or whose negligence leads to a breach.

Client’s Data

All personal information about clients must be stored in locked offices accessible only to authorised people.

Where data is stored digitally, computers must be password protected and secured with anti-virus software.  Care plans stored electronically can be shared with the Cloud but steps must be taken to ensure only authorised people have access.

Where data is in a person’s home in the community it must be stored in a secure way, and never removed from the premises.  The information remains the property of the client.

Once the person’s relationship with the company has come to an end the data is archived as per Principle 5.

Employee Data

As with client data, information on employees must be stored in a locked filing cabinet in a locked office only accessible by authorised people.

Information stored in and shared via the Cloud must be done so in a way to ensure only authorised people have access.

Principle Eight – International

(HM Government, 1998, p. 48)

IHL does not envisage that there will be a requirement for us to send personal data to countries outside of the European Economic Area (EEA).

However, if such a situation were to arise due consideration will be given and advice taken from the Information Commissioner’s Office (ICO).

(Information Commissioner’s Office, 2017)

Confidentiality

Total respect must be given to confidentiality regarding all aspects of a person’s care.

Matters of health, medication, medical history and all details of a private and personal nature may be entrusted to staff and should be treated with the maintenance of this trust in mind.

Information needed for the safety and well-being of a client should only be passed on to outside agencies following the guidance above.

In an emergency staff will inform the Manager of any information given, the circumstances and to whom.  At no time should such information be passed on during telephone conversations without the consent of the Manager/Deputy.

All information written down of a personal nature remains the property of the client and as such should be filed in a locked cabinet at all times.  Clients will have access to this information at any time.

Staff who breach client confidentiality will be subject to disciplinary procedures.

References

HM Government, 1998. Data Protection Act 1998. [Online]
Available at: http://www.legislation.gov.uk/ukpga/1998/29/pdfs/ukpga_19980029_en.pdf
[Accessed 27 April 2017].

Information Commissioner’s Office, 2016. Data Sharing. [Online]
Available at: https://ico.org.uk/for-organisations/guide-to-data-protection/data-sharing/
[Accessed 28 April 2017].

Information Commissioner’s Office, 2017. Guide to data protection. [Online]
Available at: https://ico.org.uk/for-organisations/guide-to-data-protection/
[Accessed 06 April 2017].

Information Governance Alliance, 2016. Records Management Code of Practice for Health and Social Care. [Online]
Available at: https://digital.nhs.uk/media/1158/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016/pdf/Records-management-COP-HSC-2016
[Accessed 28 April 2017].