What is Information Governance (IG)?

IG is the way organisations process or handle information. It allows organisations and individuals to ensure personal information is handled legally, securely, efficiently and effectively in order to support delivery of the best possible care.

The Data Protection Act was updated in 2018 with the General Data Protection Regulation (GDPR) and the new UK Data Protection Bill. 

DCHS resources to support compliance with GDPR:

Other helpful resources are:

If you have any queries please contact the IG team or Hannah Fletcher our Data Protection Officer.    

For more information on the changes go to the ICO website.   

What is a data protection impact assessment?

A data protection impact assessment (DPIA) is a process to help identify and minimise data protection risks.

We have an obligation to complete a DPIA before carrying out types of processing likely to result in high risk to individuals’ interests.

We need to identify where there is the potential to cause a widespread or serious impact on individuals. A DPIA should help to minimise risks and assess whether or not remaining risks are justified.

If you're unsure whether to complete a DPIA in relation to the processing of personal data you want to undertake please contact the IG team or complete the DPIA template following the guidance.

It's important that all staff are aware of where the 'Fair Processing Notice' is and what it does.

There is also a recently updated information leaflet and accompanying poster that can also be provided to patients to help them understand more about what happens to their information at the Trust.

Fair processing notice - easy read version.

If you have any queries please don't hesitate to contact the IG Team.


Guidance & training

What is a phishing email?

It's very easy to become a victim of a cyber-attack if you don’t know how to manage phishing emails, which are emails that are not genuine and typically ‘fakes’ an authentic email. They try to persuade you to do something, such as, click a link, open an attachment or enter data into a form.

If you suspect the email you receive may be a phishing email:

  • View your emails using the review pane, if you use Outlook, so you don’t have to open the email
  • Think: were you expecting to receive an email or an attachment from this person? You could contact the sender via telephone to check if the email is genuine. Don't use the telephone number in the email to contact the sender
  • Does the link in the email look genuine, do you need to check this out before you click on the link?
  • Are there grammatical errors or spelling mistakes in the email which could point to the email being fake?

You can report suspicious emails using the “Report Phishing” button on the ribbon within Microsoft Outlook, or forward the email as an attachment, to spamreports@nhs.net 

If you do click on any links or images within the email please contact the Arden and GEM IT Helpdesk straight away by telephone on 0300 123 1020

More information can be found by watching this useful Video about Phishing Emails or for further advice, please contact the Data Security Centre by email at cybersecurity@nhs.net

Email disclaimer to use when emailing patients

If a patient wishes to have contact via email you must follow the guidance in the email policy.

Below is a disclaimer that staff can use, and amend as appropriate to their service, to highlight the risks associated with emailing which we would ask the patient to agree to before commencing with email contact.

The agreement to the disclaimer should be retained by the service.

If you wish to contact us from your personal email system e.g. gmail, hotmail etc., the transmission cannot be guaranteed 100% secure or error free, information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. Derbyshire Community Health Services NHS Foundation Trust and their employees do not accept liability for any errors or omissions within the detail of the email, which may occur as a result of email transmission.
Please confirm by return email if you are happy to continue communicating information with at Derbyshire Community Health Service via email. If you are not happy to continue communicating via email we can continue to use another method of communication such as by post or telephone.

Email guidance

Mandatory training

It is mandatory for every DCHS staff member to receive annual information governance training. If not completed in a timely manner access to systems may be removed. 

The training is accessed via e-learning.

Please ensure:

  • You have your smartcard as you will need this to access the training
  • You complete 'Data Security Awareness – Level 1’

The pass mark 80% and your employment record is immediately updated on successful completion.

Face to face training

If you would like a member of the team to come and train your team/department, please contact the IG team.

Mobile phones can contain vast amounts of information from contact numbers to door codes. 

You must not write key safe codes and door codes in notebooks or on the back of ID Cards. You should either:

  • Send the codes in an email to yourself
  • Save them as contacts in your phones (only use patient initials in relation to key safe codes)

Mobile phones - guidance

The national data opt-out enables patients to opt out of their personal confidential data being used for research or planning purposes, in line with the recommendations of the National Data Guardian in the review of data security, consent and opt-outs.

When a patient opts out of their information being used for research and planning it's recorded against their NHS number on the national spine. Unless the patient changes their mind, this decision will remain against their NHS number and will remain in place after a patient dies.

Organisations must ensure they do not use a patient’s information for research and planning if the patient has opted out.

Access to information is on a strict need to know basis.

Under no circumstances should you:

  • access information relating to friends, family, colleagues, neighbours or even your own information
  • ask another member of staff to access your records on your behalf

You must only access people's personal records (whether that be employee or patient) if it is in line with your work, for example, if you are treating a patient or are involved with the management of a staff member. If asked to, you must be able to justify why you have accessed someone’s personal information. Access to systems is audited.

Accessing records without being authorised and not having a valid justification for doing so could lead to you:

  • going through disciplinary action
  • losing your job
  • losing your professional registration
  • receiving a fine

Recent examples and subsequent consequences of NHS staff accessing records without authorisation:

A former MDT coordinator at an NHS Trust has been dismissed for the 'unauthorised accessing' of the system to find a patient. A complaint was lodged after the staff member used the system to look up the ward her son’s ex-girlfriend was on. The staff member said, “I looked up what ward she was on, I went and bought her a present from the nursery shop and I just went in” further commenting “My heart went before my head, it was really an act of kindness” A hospital spokesman said they would always investigate any possible breaches and act in line with our Trust procedures to protect patients in our care 

Derbyshire Live (derbytelegraph.co.uk) - 3rd May 2022

A former administrator at an NHS Trust has been prosecuted for accessing medical records without authorisation. An internal investigation found that the staff member had inappropriately accessed the medical records without any business need to do so. The records related to seven family members and seven children known to them. They appeared in court and admitted two offences of unlawfully obtaining personal data, in breach of s55 of the Data Protection Act 1998. She was fined £1000, ordered to pay ​​​costs of £590 and a victim surcharge of £50.

A former doctor’s surgery employee who inappropriately accessed the records of patients and staff members has been prosecuted. They accessed the electronic clinical records of 228 patients and 3 staff members outside of their role as an administration assistant. They appeared in court and admitted 4 offences of unlawfully obtaining personal data, in breach of s55 of the Data Protection Act 1998. She was fined £350, ordered to pay costs of £643.75 and a victim surcharge of £35. 

A staff nurse accessed patients’ medical records outside of their role. They inappropriately accessed the records – including maternity and paediatric records - of five patients, 17 times. It was also heard that they made multiple accesses to the records of some of these individuals including the blood results of a friend 44 times after they had been discharged, as well as foetal scans.  The nurse appeared in court admitted unlawfully obtaining and disclosing personal data, in breach of s55 of the Data Protection Act 1998. She was fined £400 and was also ordered to pay costs of £364.08 and a victim surcharge of £40. 

All staff have a responsibility to ensure they are aware of and follow Information Governance Policies and Procedures.

It's DCHS policy to share legitimate information with the police in a justifiable way which upholds the service user's right to confidentiality and releases sufficient, appropriate information to assist the police in their enquiries.

Before releasing information to the police there are certain things to consider and steps to go through.

  • Don't feel pressurised to give information because the police have requested it
  • Always check the identity of anyone requesting information
  • A document should be presented to DCHS staff requesting the information
  • Please don’t feel you’re alone in making a decision. Seek advice from colleagues and your line manager when making a decision about disclosure and record your reasoning and any decisions made.

Guidance on disclosing personal information to the police.

Staff must not use WhatsApp for sending person identifiable information about patients or staff.

Only NHSmail is approved for this purpose.

The Safeguarding Team has developed guidance regarding the Use of WhatsApp

The IG team endorse this guidance and are asking services to please take it on board and follow it

New functionality is available to ensure a consistent approach with the processing of subject access requests across DCHS, in line with GDPR.

Requests for information may come from patients, carers, next of kin, legal authorities or other areas.

Guidance is available which shows how to record and process the requests using SystmOne functionality click here. This includes how to exclude any consultations owned by other organisations, for instance GPs, ensuring only relevant DCHS information is released.

For further information please read the access to health records policy or contact the informatics team.