Information Governance (IG) is the set of multi-disciplinary structures, policies, procedures, processes and controls implemented to manage information, supporting an organisation's immediate and future regulatory, legal, risk, environmental and operational requirements.
The GDPR Principles
Under the GDPR, the data protection principles set out the main responsibilities for organisations. The principles are similar to those in the Data Protection Act, with added detail at certain points and a new accountability requirement.
Article 5 of the GDPR requires that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
Information Governance Regulations and Standards
- Confidentiality NHS Code of Practice
- General Data Protection Regulation (GDPR) 2018
- Information Security Management NHS Code of Practice
- International standard for Information Security: ISO/IEC 27002:2005
- Health Records Management
- Records Management NHS Code of Practice
- Information Quality
- Payment by Results Code of Conduct
- The Freedom of Information Act 2000
- Corporate Records Management
- Common Law
- Human Rights Act 1998
- Mental Capacity Act 2005
- Mental Health Act 1983
- S251 of the NHS Act 2006
- Access to Health Records Act (AHRA) 1990
- Crime and Disorder Act 1998
- The Children Act 2004
- The Care Act 2014
- The Human Fertilisation and Embryology Act 2008
- The Abortion Regulations 1991
- The Gender Recognition (Disclosure of Information)
- The Road Traffic Acts (RTAs)
Lawful bases for processing data
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Everyone working for the NHS has a legal duty to keep information held about you confidential and secure. Information concerning you or your condition can often be of a sensitive nature, which you may not wish to be known by others.
Staff dealing with information are under an obligation by law to make sure it is protected at all times.
Giving patients the best care possible often means sharing personal information with others, for example other Trust departments or GP practices directly concerned with your treatment.
Whenever information is shared, James Paget University Hospital staff adhere to strict codes of confidentiality. Guidelines are in place to ensure all staff deal with patient information in the strictest confidence.
The Common Law Duty of Confidentiality
The legal obligation for confidentiality is one of common law, which means it will change as case law evolves. Common law requires there to be a lawful basis for the use or disclosure of personal information that is held in confidence:
- Where the individual has capacity and has given valid informed consent
- Where disclosure is in the overriding public interest
- Where there is a statutory basis or legal duty to disclose, e.g. by court order
The Caldicott Principles
- Justify the purpose(s) - Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed, by an appropriate guardian
- Do not use personal data unless it is absolutely necessary - Personal confidential data items should not be included unless it is essential for the specified purposes for that flow
- Use the minimum necessary personal confidential data - Where use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified so that the minimum amount of personal confidential data is transferred or accessible as is necessary for a given function to be carried out
- Access to personal confidential data should be on a strict need-to-know basis - Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the data items that they need to see.
- Everyone with access to personal confidential data should be aware of their responsibilities
- Comply with the law
- The duty to share information can be as important as the duty to protect patient confidentiality - Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles.
Information Governance Key Roles
Information Governance and Data Protection Officer – Geoff Jones
Health Records – Susan Hood
Information Quality – Ross Pearce
Caldicott Guardian – Hazel Stuart
Senior Information Risk Owner (SIRO) – Mark Flynn
James Paget University Hospital