Data Protection and Confidentiality Compliance in Changes to Business Processes, New or Upgraded Information Systems
Version: 1.0
Committee approved by: Information Governance Group
Date approved:
Author:
Responsible Directorate: Corporate Services
Date issued: March 2010
Review date: March 2012
Version Control Sheet

Document Title:
Version: 0.1

The table below logs the history of the steps in development of the document.

Version 0.1, March 2010: Draft, Senior Confidentiality and IM&T Security Officer

Standards for Better Health Map: Core standards C9 and C13c
NHSLA Risk Management Standards Map: 1 – Governance
Performance Indicators: TBC
Contents

Aims and Objectives
Definition of Terms
Equality Impact Assessment
Implementation and dissemination
Monitoring and compliance
Appendix 1: Equality Impact Assessment
Appendix 2: Process Flow Chart
Appendix 3: Data Protection and Confidentiality Compliance Questionnaire
1. Introduction

1.1 The introduction of new internal business processes (facilitated by information systems) and new or upgraded information systems could potentially result in NHS Kirklees breaching the principles of the Data Protection Act 1998 and other associated legislation.

1.2 It is essential that any systems (or new business processes) which hold and use person identifiable information (patient or staff information) are tested for data protection and confidentiality compliance before they are procured or implemented. Where necessary, a small scale or full scale Privacy Impact Assessment may then be recommended (in line with the Information Commissioner's Privacy Impact Assessment Handbook).
2. Aims and Objectives

2.1 Data Protection and Confidentiality assessment is most effective when started at an early stage of a project, when:
- The project is being designed
- You know what you want to do
- You know how you want to do it, and
- You know who else is involved.

2.2 Ideally it should be started before:
- Decisions are set in stone
- You have procured systems
- You have signed contracts/Memoranda of Understanding/agreements, and
- While you can still change your mind!

2.3 It is vitally important that all proposed changes to NHS Kirklees's IT systems and processes are able to maintain the confidentiality, integrity and accessibility of information.

2.4 This document details the actions to be taken before departments, areas or functions implement changes to internal business processes or procure new/upgraded information systems.

2.5 The attached compliance questionnaire will assist you in considering whether a new/upgraded information system or process will:
- Allow personal information to be checked for relevancy, accuracy and validity
- Enable the integrity of personal information to be maintained
- Incorporate a procedure to ensure that personal information is disposed of through archiving or destruction when it is no longer required
- Have adequate levels of security to ensure that personal information is protected from unlawful or unauthorised access and from accidental loss, destruction or damage
- Enable the timely location and retrieval of personal information to meet subject access requests
- Transfer personal data outside the European Economic Area (EEA)
3.1 This procedure applies to all staff who work for NHS Kirklees (including those on temporary or honorary contracts, secondments, pool staff and students). It also applies to relevant people who support and use these systems.

3.2 This procedure is applicable to all areas of NHS Kirklees (Commissioning and Provider) and adherence should be included in all contracts for outsourced or shared services. There are no exclusions.

3.3 Data Protection and Confidentiality Compliance in Changes to Business Processes within independent contractors is the responsibility of the owner/partners. However, NHS Kirklees is committed to supporting independent contractors and will provide advice, share best practice and provide assistance when appropriate.

4.1 Chief Executive
The Chief Executive is responsible for ensuring that the necessary support and resources are available for the effective implementation of this procedure.

4.2 The Information Governance Group
The Information Governance Group is responsible for the review and approval of this procedure.

4.3 Director of Corporate Services
The Director of Corporate Services has organisational responsibility for all aspects of Information Governance, including the responsibility for ensuring that NHS Kirklees has appropriate systems and policies in place to maintain the security and integrity of NHS Kirklees's systems.

5. Definition of terms

The words used in this policy are used in their ordinary sense and technical terms have been avoided wherever possible.
6.1 There are five steps to ensuring that data protection and confidentiality issues have been properly considered and managed prior to procurement and implementation of changes to internal business processes and information systems. The five steps are detailed below and also set out in the flow chart at Appendix 2.

6.2 Step 1 – Project Initiation
Managers and/or members of staff leading changes to business processes and the procurement of new or upgraded information systems must initially complete the Data Protection and Confidentiality Compliance Questionnaire (Appendix 3) to initiate an assessment of data protection and confidentiality compliance. The need for consultation must be communicated to all staff members who are involved in the procurement of any changes to systems and in the process design. The completed questionnaire should be submitted to the Confidentiality and IM&T Security Service, THIS.

6.3 Step 2 – Review of Completed Questionnaire
The Confidentiality and IM&T Security Service, THIS, will consult with you in respect of the answers given on the questionnaire and help to identify any areas of risk.

6.4 Step 3 – Risk Assessment
Any identified risks should be formally assessed and a risk treatment plan put in place to reduce the risk. Risks should be logged on the relevant departmental risk register. It is the responsibility of the Project/Change Initiation lead to ensure risks are assessed, treatment plans put in place and entries made on the relevant risk register.

6.5 Step 4 – Agreement to Proceed
Sign off via the Trust's Senior Information Risk Owner/Caldicott Guardian to show that the Trust is satisfied that all data protection and confidentiality issues have been resolved, or that the actions proposed to reduce an identified risk have been outlined via the Trust's risk assessment process. Where a Business Case/Project Initiation Document is to be put together at the outset of the project, ensure this includes details of all risks identified and of the steps taken to mitigate them.

6.6 Step 5 – Post Implementation Risk Assessment
The Project/Change Initiation lead for the new business process or information system should ensure that, following implementation, a post implementation data protection and confidentiality risk assessment is undertaken to ensure that there are no new risks. It is expected this would be conducted as part of the overall evaluation of the project.

All completed questionnaires will be filed as evidence that data protection and confidentiality compliance checks have been undertaken in accordance with requirement 210 of the Information Governance Toolkit.

6.7 Flow Chart Procedure
See Appendix 2 for the flow chart procedure.
7. Equality impact assessment

NHS Kirklees aims to design and implement services, policies and measures that meet the diverse needs of our service, population and workforce, ensuring that none are placed at a disadvantage over others. NHS Kirklees uses a single equality impact assessment for all of its policies and procedures. The Equality Impact Assessment for this policy is included at Appendix 1.

Implementation and dissemination

Following ratification by the Governance Committee this policy will be disseminated to staff via NHS Kirklees's intranet, the THIS intranet (nww.this.nhs.uk) and communication through in-house newsletters. This procedure will be reviewed every two years or in line with changes to relevant legislation or national guidance.

Monitoring compliance with and the effectiveness of the policy

An assessment of compliance with requirements within the Information Governance Toolkit (IGT) will be undertaken each year. Annual reports and the proposed work programme will be presented to the Information Governance Group for approval, prior to submission to CfH.

Disciplinary Procedure
Confidentiality Policy
Appendix 1

Equality Impact Assessment

NHS Kirklees has an Equality Impact Assessment Toolkit which should be used, with the completed proforma enclosed, when any procedural document is submitted to the appropriate committee for consideration and approval. An initial assessment using the proforma below should be undertaken. If the initial assessment demonstrates an adverse impact on differing groups, a full impact assessment must be undertaken using the toolkit.

Proforma for initial assessment/screening of functions, policies, and procedures

Name of function/policy/procedure: Data Protection and Confidentiality Compliance in Changes to Business Processes
Person responsible for the assessment:
Date of assessment: 22 March 2010

1. Who are the main stakeholders intended to benefit from the function/policy/procedure?
This policy must be followed by all staff who work for NHS Kirklees, including those on temporary or honorary contracts, secondments, pool staff and students.

2. How will each stakeholder benefit? (What are the aims?) List for each stakeholder:
- Eliminate and outlaw discrimination in relation to age, ethnicity, gender, sexual orientation, religion or beliefs by promoting equality of opportunity for all stakeholders.
- Equip staff with the knowledge to ensure no one is disadvantaged.

3. What forces/factors could contribute to or detract from the outcomes?
People not complying with the policy.

4. Are there concerns that the function/policy/procedure could have a differential impact on the groups below? For each group, state yes or no, whether there is any evidence for this, and score the likely risk of impact using the grading table (see page 15).
- Ethnic groups
- a) physical (including sensory)
- c) learning disability
- Gender (including marital status)
- Socio-economic group, e.g. homeless
Appendix 2

Data Protection and Confidentiality Compliance in Changes to Business Processes, New or Upgraded Software: 5 step process for ensuring compliance

Step 1 - Project Initiation
- Need for change or purchase of new system identified
- Do you need a business case? If so, complete the business case with risks fully identified and send it with the questionnaire
- Consult and communicate with all staff involved
- Send the completed questionnaire to the IM&T Security Officer (IMTSO)

Step 2 - Review of Completed Questionnaire
- The IM&T Security Officer will contact you to agree areas of risk, ask any further questions and clarify your answers where necessary

Step 3 - Risk Assessment
- Risk assessed
- Risk treatment plan put in place to reduce risk
- Risks logged on the department's risk register
- Forward a copy of the written risk treatment plan to the IMTSO

Step 4 - Agreement to Proceed
- Data Protection Lead/Caldicott Guardian sign off plans

Step 5 - Post Implementation Risk Assessment
Appendix 3

Data Protection and Confidentiality Compliance Questionnaire

Please complete the questionnaire below. For assistance in completing the questionnaire please contact the Confidentiality and IM&T Security Service on 0845 1272600.

Your name (please print):
Contact Tel. No(s):

Please detail in the box below a brief explanation of this proposed business change, new/upgraded software.

Authorisation to Proceed (official use only)
Name of Authorised Lead:
Signature of Authorised Lead:
Date:

Answers to questions should be given by circling the appropriate answer, i.e. YES, NO, N/A, and/or by giving a descriptive answer in the answer box provided.

Purpose, Identification, Relevance and Accuracy

1. Does the system hold data that identifies individuals? YES NO N/A
If 'yes', please identify whether these are patients, staff or others and justify why the data has to be obtained and stored in an identifiable format.

2. What purpose does the collection of data serve? Give an overview of the sort of information you will be recording.

3. Who will have access to the system? This list need not be exhaustive, but identify the types of staff and roles.

4. Are the subjects (patients/clients/staff) of the data informed about the processing? YES NO N/A
If yes, then how are they informed?

5. How will accuracy of the data be maintained?

Access Controls

6. How is the user identified to the system? By unique username or shared access?

7. How is the user verified by the system? By password or other means?

8. Once logged in, please describe any levels of access/function that are used that will allow different users to access different information and/or functions.

9. Will the system access controls and access rights be described within a documented procedure for staff? YES NO N/A
Please explain your answer.

Disclosure

10. Who will generally receive output (information) from the system (in addition to the actual system users)?

11. Will the information be transferred (or processed) outside the European Economic Area (EEA)? YES NO N/A
If yes, to which country or territory?

Audits and Reporting

12. Will the system collect audit data on the activity of users (e.g. failed login report)? YES NO N/A
If yes, please give basic details of what is to be recorded.

13. Does the system enable retrieval of information with regard to the rights of data subjects when making a Subject Access Request? YES NO N/A
Please explain your answer.

14. Does the system facilitate automated decision making? YES NO N/A
If yes, please elaborate.

Staff Training

15. Will staff training in the new business process or system include specific training/guidance in data protection, confidentiality, data quality and good practice in the management of records? YES NO N/A
Describe the proposed training provision.

Security of Information

16. Will there be a requirement for personal data to be moved/transmitted? YES NO N/A
If yes, please describe how it will be transported/transmitted securely.

17. Will any third party data processors be used by the supplier? YES NO N/A
If yes, please state the name of the third party and their role.

18. Will there be a secure process for disposal/destruction of the data? YES NO N/A
Please explain your answer.

19. Where relevant, do the design and management arrangements for electronic systems incorporate appropriate controls against malicious code and unauthorised mobile code (computer viruses)? Please explain.

20. Where the Trust is working with a contractor to procure a new business process or software, does the contract documentation include clauses relating to information governance (data protection, confidentiality, freedom of information)?
NOTE: The PASA Terms and Conditions of supply of goods and services should be used.

This questionnaire should be returned to:
Confidentiality and IM&T Security Service
The Health Informatics Service
Oak House
Woodvale Road
BRIGHOUSE
West Yorkshire