
Data Protection and Confidentiality Compliance in Changes to Business Processes, New or Upgraded Information Systems

Version: 1.0
Committee Approved by: Information Governance Group
Date Approved:
Author:
Responsible Directorate: Corporate Services
Date issued: March 2010
Review date: March 2012

Version Control Sheet

Document Title:
Version: 0.1

The table below logs the history of the steps in development of the document.

Version 0.1, March 2010: Draft, Senior Confidentiality IM & T Security Officer

Standards for Better Health Map: Core standards C9 and C13c
NHSLA Risk Management Standards Map: 1 – Governance
Performance Indicators: TBC

Contents

Introduction
Aims and Objectives
Definition of Terms
Equality Impact Assessment
Implementation and dissemination
Monitoring and compliance
Associated Documents
Appendix 1: Equality Impact Assessment
Appendix 2: Process Flow Chart
Appendix 3: Data Protection and Confidentiality Compliance Questionnaire


1. Introduction

1.1 The introduction of new internal business processes (facilitated by information systems) and new or upgraded information systems could potentially result in NHS Kirklees breaching the principles of the Data Protection Act 1998 and other associated legislation.

1.2 It is essential that any systems (or new business processes) which hold and use person identifiable information (patient or staff information) are tested for data protection and confidentiality compliance before they are procured or implemented. Where necessary, a small scale or full scale Privacy Impact Assessment may then be recommended (in line with the Information Commissioner's Privacy Impact Assessment Handbook).


2. Aims and Objectives

2.1 Data Protection and Confidentiality assessment is most effective when started at an early stage of a project, when:
- The project is being designed
- You know what you want to do
- You know how you want to do it, and
- You know who else is involved.

2.2 Ideally it should be started before:
- Decisions are set in stone
- You have procured systems
- You have signed contracts/Memoranda of Understanding/agreements, and
- While you can still change your mind!

2.3 It is vitally important that all proposed changes to NHS Kirklees's IT systems and processes are able to maintain the confidentiality, integrity and accessibility of information.

2.4 This document details the actions to be taken before departments, areas or functions implement changes to internal business processes or procure new/upgraded information systems.

2.5 The attached compliance questionnaire will assist you in considering whether a new/upgraded information system or process will:
- Allow personal information to be checked for relevancy, accuracy and validity
- Enable the integrity of personal information to be maintained
- Incorporate a procedure to ensure that personal information is disposed of through archiving or destruction when it is no longer required
- Have adequate levels of security to ensure that personal information is protected from unlawful or unauthorised access and from accidental loss, destruction or damage
- Enable the timely location and retrieval of personal information to meet subject access requests
- Transfer personal data outside the European Economic Area (EEA)


3.1 This procedure applies to all staff who work for NHS Kirklees (including those on temporary or honorary contracts, secondments, pool staff and students). It also applies to relevant people who support and use these systems.

3.2 This procedure is applicable to all areas of NHS Kirklees (Commissioning and Provider) and adherence should be included in all contracts for outsourced or shared services. There are no exclusions.

3.3 Data Protection and Confidentiality Compliance in Changes to Business Processes within independent contractors is the responsibility of the owner/partners. However, NHS Kirklees is committed to supporting independent contractors and will provide advice, share best practice and provide assistance when appropriate.

4.


4.1 Chief Executive
The Chief Executive is responsible for ensuring that the necessary support and resources are available for the effective implementation of this procedure.

4.2 The Information Governance Group
The Information Governance Group is responsible for the review and approval of this procedure.

4.3 Director of Corporate Services
The Director of Corporate Services has organisational responsibility for all aspects of Information Governance, including the responsibility for ensuring that NHS Kirklees has appropriate systems and policies in place to maintain the security and integrity of NHS Kirklees's systems.

5. Definition of terms

The words used in this policy are used in their ordinary sense and technical terms have been avoided wherever possible.




6.1 There are five steps to ensuring that data protection and confidentiality issues have been properly considered and managed prior to procurement and implementation of changes to internal business processes and information systems. The five steps are detailed below and also set out in the flow chart at Appendix 2.

6.2 Step 1 – Project Initiation
Managers and/or members of staff leading changes to business processes and the procurement of new or upgraded information systems must initially complete the Data Protection and Confidentiality Compliance Questionnaire (Appendix 3) to initiate an assessment of data protection and confidentiality compliance. The need for consultation must be communicated to all staff members who are involved in the procurement of any changes to systems and in the process design. The completed questionnaire should be submitted to the Confidentiality and IM&T Security Service, THIS.

6.3 Step 2 – Review of Completed Questionnaire
The Confidentiality and IM&T Security Service, THIS, will consult with you in respect of the answers given on the questionnaire and help to identify any areas of risk.

6.4 Step 3 – Risk Assessment
Any identified risks should be formally assessed and a risk treatment plan put in place to reduce the risk. Risks should be logged on the relevant departmental risk register. It is the responsibility of the Project/Change Initiation lead to ensure risks are assessed, treatment plans put in place and entries made on the relevant risk register.

6.5 Step 4 – Agreement to Proceed
Sign off via the Trust's Senior Information Risk Owner/Caldicott Guardian to show that the Trust is satisfied that all data protection and confidentiality issues have been resolved, or that the proposed actions that would need to be put in place to reduce an identified risk have been outlined via the Trust's risk assessment process. Where a Business Case/Project Initiation Document is to be put together at the outset of the project, ensure this includes details of all risks identified and of the steps taken to mitigate those risks.

6.6 Step 5 – Post Implementation Risk Assessment
The Project/Change Initiation lead for the new business process or information system should ensure that, following implementation, a post implementation data protection and confidentiality risk assessment is undertaken to ensure that there are no new risks. It is expected this would be conducted as part of the overall evaluation of the project.

All completed questionnaires will be filed as evidence that data protection and confidentiality compliance checks have been undertaken in accordance with requirement 210 of the Information Governance Toolkit.

6.7 Flow Chart Procedure
See Appendix 2 for the flow chart procedure.

7. Equality impact assessment

NHS Kirklees aims to design and implement services, policies and measures that meet the diverse needs of our service, population and workforce, ensuring that none are placed at a disadvantage over others. NHS Kirklees uses a single equality impact assessment for all of its policies and procedures. The Equality Impact Assessment for this policy is included at Appendix 1.


8. Implementation and dissemination

Following ratification by the Governance Committee this policy will be disseminated to staff via NHS Kirklees's intranet, the THIS intranet and communication through in-house newsletters. This procedure will be reviewed every two years or in line with changes to relevant legislation or national guidance.


9. Monitoring compliance with and the effectiveness of the policy

An assessment of compliance with requirements within the Information Governance Toolkit (IGT) will be undertaken each year. Annual reports and the proposed work programme will be presented to the Information Governance Group for approval, prior to submission to CfH.



10. Associated Documents

- Disciplinary Procedure
- Confidentiality Policy


Appendix 1

Equality Impact Assessment

NHS Kirklees has an Equality Impact Assessment Toolkit which should be used, with the completed proforma enclosed, when any procedural document is submitted to the appropriate committee for consideration and approval. An initial assessment using the proforma below should be undertaken. If the initial assessment demonstrates an adverse impact on differing groups, a full impact assessment must be undertaken using the toolkit.


Equality Impact Assessment
Proforma for initial assessment/screening of functions, policies, and procedures

Person responsible for the assessment: IM&T, Corporate Services
Name of function/policy/procedure: Data Protection and Confidentiality Compliance in Changes to Business Processes
Date of assessment: 22 March 2010
New policy/function/procedure / Existing policy/function/procedure (please tick)

1. Who are the main stakeholders intended to benefit from the function/policy/procedure?
This policy must be followed by all staff who work for NHS Kirklees including those on temporary or honorary contracts, secondments, pool staff and students.

2. How will each stakeholder benefit? (what are the aims?) List for each stakeholder:
- Eliminate and outlaw discrimination in relation to age, ethnicity, gender, sexual orientation, religion or beliefs by promoting equality of opportunity for all stakeholders.
- Equip staff with the knowledge to ensure no one is disadvantaged.

3. What forces/factors could contribute/detract from the outcomes?
People not complying with the policy.

4. Are there concerns that the function/policy/procedure could have a differential impact on the groups below? For each group, state yes or no, note whether there is any evidence for this, and score the likely risk of impact using the grading table (see page 15).
- Ethnic groups
- Faith group
- Disability: No
  a) physical (including sensory)
  b) mental
  c) learning disability
- Sexual orientation
- Gender (including marital status)
- Socio-economic group e.g. homeless
- Human Rights






Appendix 2

Data Protection and Confidentiality Compliance in Changes to: Business Processes, New or Upgraded Software
5 step process for Ensuring Compliance

Step 1 - Project Initiation
- Need for change or purchase of new system identified
- Do you need a business case? If so, complete the business case with risks fully identified and send it with the questionnaire
- Complete questionnaire
- Consult and communicate with all staff involved
- Send completed questionnaire to the IM&T Security Officer (IMTSO)

Step 2 - Review of Completed Questionnaire
- The IM&T Security Officer will contact you to agree areas of risk, ask any further questions and clarify your answers where necessary

Step 3 - Risk Assessment
- Risk assessed; risk treatment plan put in place to reduce risk
- Risks logged on the department's risk register
- Forward a copy of the written risk treatment plan to the IMTSO

Step 4 - Agreement to Proceed
- Data Protection Lead/Caldicott Guardian sign off plans

Step 5 - Post Implementation Risk Assessment

LP 2007


Appendix 3

Data Protection and Confidentiality Compliance Questionnaire

Please complete the questionnaire below. For assistance in completing the questionnaire please contact the Confidentiality and IM&T Security Service on 0845 1272600.

Your name (please print):
Job Title:
Contact Tel. Nos:

Please detail in the box below a brief explanation of this proposed business change, new/upgraded software:

Authorisation to Proceed (official use only)
Name of Authorised Lead:
Signature of Authorised Lead:
Date:

Answers to questions should be given by circling the appropriate answer, i.e. YES, NO, N/A, and/or by giving a descriptive answer in the answer box provided.

Purpose, Identification, Relevance and Accuracy

1. Does the system hold data that identifies individuals? If 'yes' please identify whether these are patients, staff or others and justify why the data has to be obtained and stored in an identifiable format.

2. What purpose does the collection of data serve? Give an overview of the sort of information you will be recording

3. Who will have access to the system? This list need not be exhaustive, but identify the types of staff and roles

4. Are the subjects (patients/clients/staff) of the data informed about the processing? YES NO N/A If Yes, then how are they informed?

5. How will accuracy of the data be maintained?

Access Controls

6. How is the user identified to the system? By unique username or shared access?

7. How is the user verified by the system? By password or other means?

8. Once logged in please describe any levels of access/function that are used that will allow different users to access different information and/or functions.

9. Will the system access controls and access rights be described within a documented procedure for staff? YES NO N/A Please explain your answer

Disclosure

10. Who will generally receive output (information) from the system (in addition to the actual system users)?

11. Will the information be transferred (or processed) outside the European Economic Area (EEA)? YES NO N/A If Yes, to which country or territory?

Audits and Reporting

12. Will the system collect audit data on the activity of users (e.g. failed login report)? YES NO N/A If Yes, please give basic details of what is to be recorded.

13. Does the system enable retrieval of information with regards to the rights of data subjects when making a Subject Access Request? YES NO N/A Please explain your answer

14. Does the system facilitate automated decision making? If Yes, please elaborate.

Staff Training

15. Will staff training in the new business process or system include specific training/guidance in data protection, confidentiality, data quality and good practice in the management of records? YES NO N/A Describe the proposed training provision.

Security of Information

16. Will there be a requirement for personal data to be moved/transmitted? YES NO N/A If Yes, please describe how it will be transported/transmitted securely.

17. Will any third party data processors be used by the supplier? YES NO N/A If Yes, please state name of third party and their role


18. Will there be a secure process for disposal/destruction of the data? YES NO N/A Please explain your answer

19. Where relevant, do the design and management arrangements for electronic systems incorporate appropriate controls against malicious code and unauthorised mobile code (computer viruses)? Please explain.

20. Where the Trust is working with a contractor to procure a new business process or software, does the contract documentation include clauses relating to information governance (data protection, confidentiality, freedom of information)? NOTE: The PASA Terms and Conditions of supply of goods and services should be used.

This questionnaire should be returned to:
Confidentiality and IM&T Security Service
The Health Informatics Service
Oak House
Woodvale Road
BRIGHOUSE
West Yorkshire