The Information Commissioner’s Office (ICO) requires a clear direction on policy for security of information held within the practice and provides individuals with a right of access to a copy of information held about them.

The practice needs to collect personal information about people with whom it deals in order to carry out its business and provide its services. Such people include patients, employees (present, past and prospective) and other healthcare professionals and providers. The information we hold will include personal and health information. In addition, we may occasionally be required to collect and use certain types of such personal information to comply with the requirements of the law, for example where:
- a) there is a statutory basis for disclosure or a court order, or
- b) there is a public interest justification for disclosure (6,7), or
- c) there is another basis in law for disclosure.

No matter how it is collected, recorded and used (e.g. on a computer or on paper), this personal information must be dealt with in accordance with ICO regulations.

The lawful and proper treatment of personal information by the practice is extremely important to the success of our business and to maintaining the confidence of our service users and employees. We ensure that the practice treats personal information lawfully and correctly. This policy provides direction on security against unauthorised access, unlawful processing, and loss or destruction of personal information.
1.0 Data Protection Principles
We support and comply fully with the ICO data protection regulations which require that personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate is erased or rectified without delay
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the ICO in order to safeguard the rights and freedoms of individuals
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
2.0 Employee Responsibilities
All employees will, through appropriate training and responsible management:
- Comply at all times with the above Data Protection Act principles
- Observe all forms of guidance, codes of practice and procedures about the collection and use of personal information
- Understand fully the purposes for which the practice uses personal information
- Collect and process appropriate information, and only in accordance with the purposes for which it is to be used by the practice to meet its service needs or legal requirements
- Ensure the information is correctly input into the practice’s systems
- Ensure the information is destroyed when it is no longer required
- On receipt of a request from an individual for information held about them, immediately notify the practice manager and respond within 30 days in line with the Subject Access Code of Practice
- Understand that breaches of this Policy may result in disciplinary action, including dismissal
3.0 Practice Responsibilities
The practice will:
- Maintain its registration with the Information Commissioner’s Office
- Ensure that all subject access requests are dealt with in line with the Subject Access Code of Practice
- Provide training for all staff members who handle personal information
- Provide clear lines of reporting and supervision for compliance with data protection, and also have a system for breach reporting
- Carry out regular checks to monitor and assess new processing of personal data and to ensure the practice’s notification to the Information Commissioner is updated to take account of any changes in processing of personal data
- Take steps to ensure that individual patient information is not deliberately or accidentally released or (by default) made available or accessible to a third party without the patient’s consent, unless otherwise legally compliant
- Maintain a system of “Significant Event Reporting” through a no-blame culture to capture and address incidents which threaten compliance
- Ensure that all aspects of confidentiality and information security are promoted to all staff
- Remain committed to the security of patient and staff records
We need to hold personal information about you or your child on our computer system to help us to look after your/your child’s health needs, and I and my staff are responsible for their accuracy and safe-keeping. Please help to keep your record up to date by informing us of any changes to your circumstances.
Staff in the practice have access to your medical records to enable them to do their jobs. From time to time, where necessary, information may be shared with others involved in your care, for which we will request your consent. Anyone with access to your record is properly trained in confidentiality issues and is governed by both a legal and contractual duty to keep your details private.
All information about you is held securely and appropriate safeguards are in place to prevent accidental loss.
In some circumstances we may be required by law to release your details to statutory or other official bodies, for example if a court order is presented, or in the case of public health issues. In other circumstances you may be required to give written consent before information is released – such as for medical reports for insurance, solicitors etc.
To ensure your/your child’s privacy, we will not disclose your or your child’s information over the telephone or fax unless we are sure that we are talking to a parent. Information will not be disclosed to family members (other than parents or those with parental responsibility), friends or spouses unless we have prior written consent, and we do not leave messages with others.
You have a right to see your records if you wish.
This policy shall be reviewed annually – next review date 25.5.19