Information Governance

A massive thank you to over 800 of you that responded to the Information Governance staff survey during October 2022

The responses have provided the Information Governance (IG) team with an overview of staff understanding of IG, data protection and cyber security. This is assisting the team to tailor guidance and support to cover the most appropriate topics raised.

In summary, the responses received are very positive and show a high level of understanding for staff. For example:

• 95% said that they know how to raise concerns about unsecure or unlawful uses of data
• 97% said that they know how to use and transmit data securely in DCHS
• 99% said that they know when they should and should not share data, and also how to take personal responsibility for handling data securely
• 97% said that the data security training offered to them supports their understanding in how to use data lawfully and securely
• 100% said that they are aware of the consequences of inappropriately accessing staff/patient records

All comments have been read by the IG team with some areas  being identified as requiring follow-up actions. A sample of these are identified below,

• Computers logged on with smart cards left in place
• Staff being logged onto another account as they have no access on their own account.
• Use of mobile phones on car speaker phone where a conversation may be overheard
• A secure method of video transfer
• Difficulty in locating trust policies
• Sending a secure email
• Often not clear cut on what is appropriate to share  
• When a patient requests not to share unsure what to do
• Pass large files to service providers/managers as we have no method to do this e.g. sending large documents with photographs in.

In response to the feedback from the IG staff survey, new IG sessions have been set up for all staff to attend.

The Data Protection Act was updated in 2018 with the UK General Data Protection Regulation (GDPR) and the new UK Data Protection Bill. 

DCHS resources to support compliance with GDPR:

• Data Protection Legislation fact
• GDPR Key Messages
• Data Protection Impact Assessment template
• Guidance for complying with the rights of individuals under UK GDPR

Other helpful resources are:

• Introduction to the Data Protection Bill
• Information Commisioner's Office website
• Guide to the UK General Data Protection Regulation (GDPR)
• Records Management Code of Practice for Health and Social Care

If you have any queries please contact the IG team or Hannah Fletcher our Data Protection Officer.    

For more information on the changes go to the ICO website.   

What is a data protection impact assessment?

A data protection impact assessment (DPIA) is a process to help identify and minimise data protection risks.

We have an obligation to complete a DPIA before carrying out types of processing likely to result in high risk to individuals’ interests.

We need to identify where there is the potential to cause a widespread or serious impact on individuals. A DPIA should help to minimise risks and assess whether or not remaining risks are justified.

If you're unsure whether to complete a DPIA in relation to the processing of personal data you want to undertake please contact the IG team or complete the DPIA template following the guidance.

It's important that all staff are aware of where the 'Fair Processing Notice' is and what it does.

There is also a recently updated information leaflet and accompanying poster that can also be provided to patients to help them understand more about what happens to their information at the Trust.

Fair processing notice - easy read version.

If you have any queries please don't hesitate to contact the IG Team.

• Employee Record Summary Template - Feb 2024
• Employee Personal File Contents Checklist - Sept 2023

As described by the British Medical Association (BMA), patients are increasingly asking to record or video their consultations for a variety of reasons. Please see Patients Recording their Consultations for guidance and information

Data and cyber security is our shared responsibility. To help us understand more about cyber security threats, identified as a risk to the NHS and care organisations, and know what steps we can take to mitigate risk and protect our patients and their data, there are simple steps we can take. Further information can found at From online to offline, Keep I.T. Confidential - NHS Digital.

Phishing Emails -  How to spot them, and what do I do if I receive one.

In August 2023, a simulated phishing exercise was initiated by NHS England with all DCHS staff receiving a phishing email. Please see NHS Digital Cyber Security & Phishing Email exercise August 2023 for more details and the results of the exercise.

Email disclaimer to use when emailing patients

If a patient wishes to have contact via email you must follow the guidance in the email policy.

Below is a disclaimer that staff can use, and amend as appropriate to their service, to highlight the risks associated with emailing which we would ask the patient to agree to before commencing with email contact.

The agreement to the disclaimer should be retained by the service.

If you wish to contact us from your personal email system e.g. gmail, hotmail etc., the transmission cannot be guaranteed 100% secure or error free, information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. Derbyshire Community Health Services NHS Foundation Trust and their employees do not accept liability for any errors or omissions within the detail of the email, which may occur as a result of email transmission.
Please confirm by return email if you are happy to continue communicating information with at Derbyshire Community Health Service via email. If you are not happy to continue communicating via email we can continue to use another method of communication such as by post or telephone.

Email guidance

• Guidance on checking you have the correct email recipient 
• E-mail FAQs
• Secure Email and Egress
• Accessing Encrypted Emails Guide for non-NHSmail users

Mandatory training

It is mandatory for every DCHS staff member to receive annual information governance training. If not completed in a timely manner access to systems may be removed. 

The training is accessed via e-learning.

Please ensure:

• You have your smartcard as you will need this to access the training
• You complete 'Data Security Awareness – Level 1’

The pass mark 80% and your employment record is immediately updated on successful completion.

Face to face training

If you would like a member of the team to come and train your team/department, please contact the IG team.

Mobile phones can contain vast amounts of information from contact numbers to door codes. 

You must not write key safe codes and door codes in notebooks or on the back of ID Cards. You should either:

• Send the codes in an email to yourself
• Save them as contacts in your phones (only use patient initials in relation to key safe codes)

Mobile phones - guidance

• Staff Guidance on Mobile Phone Use in line with information governance 
• Further guidance on mobile phones

What is the National Data Opt-Out?

The National Data Opt-Out enables patients to opt out of their personal confidential data being used for research or planning purposes, in line with the recommendations of the National Data Guardian in her Review of Data Security, Consent and Opt-Outs -

When a patient opts out of their information being used for research and planning it is recorded against their NHS number on the national spine. Unless the patient changes their mind this decision will remain against their NHS number and will remain in place after a patient dies. Organisations must ensure that they do not use a patient’s information for research and planning if the patient has opted out. DCHS have put together a Standard Operating Procedure which must be followed before any information is used for research and planning purposes.  

For further information for patients on how they can opt out follow this link: https://www.nhs.uk/your-nhs-data-matters/

For further information please contact the Information Governance Team at: dchst.info.gov@nhs.net

Access to information is on a strict need to know basis.

Under no circumstances should you:

• access information relating to friends, family, colleagues, neighbours or even your own information
• ask another member of staff to access your records on your behalf

You must only access people's personal records (whether that be employee or patient) if it is in line with your work, for example, if you are treating a patient or are involved with the management of a staff member. If asked to, you must be able to justify why you have accessed someone’s personal information. Access to systems is audited.

Accessing records without being authorised and not having a valid justification for doing so could lead to you:

• going through disciplinary action
• losing your job
• losing your professional registration
• receiving a fine

Recent examples and subsequent consequences of NHS staff accessing records without authorisation:

Former health adviser found guilty of illegally accessing patient recordsH A health adviser unlawfully accessed the records of 14 patients, who were known personally to him, between June and December 2019. He did so without a valid business reason and without the knowledge of the Trust. Stephen Eckersley, ICO Director of Investigations, said:

“This case is a reminder to people that just because your job may give you access to other people’s personal information, especially sensitive data such as health records, that doesn’t mean you have the legal right to look at it. Such behaviour can be extremely distressing for the victims. Not only is it an invasion of their privacy, it potentially jeopardises the important relationship of trust and confidence between patients and the NHS"

Health adviser found guilty of illegally accessing patient records - 5th August 2022

A former MDT coordinator at an NHS Trust has been dismissed for the 'unauthorised accessing' of the system to find a patient. A complaint was lodged after the staff member used the system to look up the ward her son’s ex-girlfriend was on. The staff member said, “I looked up what ward she was on, I went and bought her a present from the nursery shop and I just went in” further commenting “My heart went before my head, it was really an act of kindness” A hospital spokesman said they would always investigate any possible breaches and act in line with our Trust procedures to protect patients in our care 

Derbyshire Live (derbytelegraph.co.uk) - 3rd May 2022

A former administrator at an NHS Trust has been prosecuted for accessing medical records without authorisation. An internal investigation found that the staff member had inappropriately accessed the medical records without any business need to do so. The records related to seven family members and seven children known to them. They appeared in court and admitted two offences of unlawfully obtaining personal data, in breach of s55 of the Data Protection Act 1998. She was fined £1000, ordered to pay ​​​costs of £590 and a victim surcharge of £50.

A former doctor’s surgery employee who inappropriately accessed the records of patients and staff members has been prosecuted. They accessed the electronic clinical records of 228 patients and 3 staff members outside of their role as an administration assistant. They appeared in court and admitted 4 offences of unlawfully obtaining personal data, in breach of s55 of the Data Protection Act 1998. She was fined £350, ordered to pay costs of £643.75 and a victim surcharge of £35. 

A staff nurse accessed patients’ medical records outside of their role. They inappropriately accessed the records – including maternity and paediatric records - of five patients, 17 times. It was also heard that they made multiple accesses to the records of some of these individuals including the blood results of a friend 44 times after they had been discharged, as well as foetal scans.  The nurse appeared in court admitted unlawfully obtaining and disclosing personal data, in breach of s55 of the Data Protection Act 1998. She was fined £400 and was also ordered to pay costs of £364.08 and a victim surcharge of £40. 

All staff have a responsibility to ensure they are aware of and follow Information Governance Policies and Procedures.

It's DCHS policy to share legitimate information with the police in a justifiable way which upholds the service user's right to confidentiality and releases sufficient, appropriate information to assist the police in their enquiries.

Before releasing information to the police there are certain things to consider and steps to go through.

• Don't feel pressurised to give information because the police have requested it
• Always check the identity of anyone requesting information
• A document should be presented to DCHS staff requesting the information
• Please don’t feel you’re alone in making a decision. Seek advice from colleagues and your line manager when making a decision about disclosure and record your reasoning and any decisions made.

Guidance on disclosing personal information to the Police

Under no circumstances must WhatsApp be used for sending person identifiable information about patients or staff.

Guidance regarding the Use of WhatsApp has been developed and we ask that services please read and follow this to ensure they are compliant with policies relating to data protection and staff conduct. 

New functionality is available to ensure a consistent approach with the processing of subject access requests across DCHS, in line with GDPR.

Requests for information may come from patients, carers, next of kin, legal authorities or other areas.

Guidance is available which shows how to record and process the requests using SystmOne functionality click here. This includes how to exclude any consultations owned by other organisations, for instance GPs, ensuring only relevant DCHS information is released.

For further information please read the access to health records policy or contact the informatics team.

For requests for Access to Adult Health Records please contact the Health Records department at: Walton Hospital, Whitecotes Lane,Chesterfield, Derbyshire, S40 3HW or E:dchst.adultaccesstorecords@nhs.net

For requests for Access to Child's Health Records please contact the Chief Executive’s Department, Babington Hospital, Belper  E:dchst.accesstorecords@nhs.net

Access to Records Policy

Capture & Storage of Images Recording of Patients & Clients Policy

Clinical Coding Policy

Confidentiality Code of Conduct Policy

Data Protection Legislation (inc GDPR) Policy

Email Policy

Freedom of Information Policy

Information & Data Quality Policy

Information Governance Policy

Information & Technology (IT) Security Policy

Internet Use Policy

N365 Policy

Pseudonymisation Policy

Records Management Policy

Registration Authority (RA) Policy

Hybrid Working and Mobile Devices Policy

Information Governance Newsletters:

• August 2022
• February 2023
• June 2023
• December 2023

Guidance

Confidentiality Code of Conduct - Nov 2022

DCHS Easy Read Fair Processing Notice

How to check how many patient records you have open on SystmOne 

IG Mobile Phone Guidance for staff

Secure Email and Egress

Managing records for transgender patients

Communications Annex May 2023

Standard Operating Procedures

Archiving of Records

Paper Diaries 

Please find the latest Information Governance handbook here.