GP PRACTICE INFORMATION GOVERNANCE AND DATA PROTECTION POLICY
- Introduction
- Purpose
- The GP Practice's approach to Information Governance and Data Protection
- Information Handling
- Training
- Incident Reporting
- Non-Compliance
- Monitoring
- Equality Impact Assessment
- Legislation and related documents
1. Introduction
1.1 Information is a vital asset, both in terms of the clinical management of individual patients and the efficient management of services and resources. It plays a key part in clinical governance, service planning and performance management. It is therefore of paramount importance that information is efficiently managed, and that appropriate policies, procedures, management accountability and structures provide a robust governance framework for information management.
1.2 Confidentiality and data protection legislation and guidance provide a framework for the management of all data from which individuals can be identified. It is essential that all staff, and any associated staff, contractors, hosted staff and others working with the practice, are fully aware of their personal responsibilities for any information they may come into contact with.
2. Purpose
2.1 This GP Information Governance and Data Protection Policy provides an overview of the GP practice's approach to information governance and data protection; how information will be handled by the GP practice; staff duties and responsibilities; and the processes for monitoring and incident reporting.
3. The GP Practice’s approach to Information Governance and Data Protection
3.1 The practice undertakes to implement information governance and data protection effectively and will ensure the following:
- The Practice will undertake or commission annual assessments and audits of its compliance with legal requirements
- The Practice will establish and maintain policies for the effective and secure management of its information assets and resources
- The Practice will undertake or commission annual assessments and audits of its information and IT security arrangements
- The Practice will promote effective confidentiality and security practice to its staff through policies, procedures and training
- The Practice will establish and maintain incident reporting procedures and will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security
- The Practice will establish and maintain policies and procedures for information quality assurance and the effective management of records
- The Practice will undertake or commission annual assessments and audits of its information quality and records management arrangements
- Wherever possible, information quality should be assured at the point of collection
- Data standards will be set through clear and consistent definition of data items, in accordance with national standards.
- The Practice will promote information quality and effective records management through policies, procedures/user manuals and training
- The GP practice will establish, implement and maintain procedures linked to this policy to ensure compliance with the requirements of the Data Protection Act 2018 and other associated and related legislation and guidance, contractual responsibilities and to support the assurance standards of the Data Security and Protection Toolkit.
4. Information Handling
4.1 Confidentiality / Caldicott
Personal and / or special category data must be kept confidential in accordance with the Data Protection Act 2018 and the Caldicott Principles. The GP practice must appoint a Caldicott Guardian, Dr Paul Iyamabo, with responsibility for protecting patient confidentiality. The Caldicott Guardian is supported by the Practice Manager, Sandie Wright. The GP practice will adopt and follow the Caldicott 2 recommendations and the new 7th Caldicott Principle: "The duty to share information can be as important as the duty to protect patient confidentiality".
To view the recommendations from the Caldicott 2 Report, please click on the link below.
The GP Practice must ensure it follows its legal obligations for data protection, information sharing, disclosures of personal confidential data and subject access rights. Information sharing must be consistent with the interests of the patient and / or staff. Further information can be found in the guidance documents on the Information Governance Alliance pages.
The GP practice provides a privacy / fair processing notice to patients informing them how we use their personal information. This is available on the GP website, or hard copies of the leaflet can be requested from the GP Practice. The GP Practice will modify / update the notice to reflect the data sharing activities in which the practice participates, for example data sharing for risk stratification and invoice validation.
The GP Practice promotes confidentiality and protection of data via this policy, its associated procedures, user manuals and staff training.
4.2 Safe Havens /Secure Transfers of Information
All transfers of personal confidential data must be undertaken securely and in accordance with legislation and guidance:
- Information should only be transferred for a justifiable purpose
- The transfer should only take place when absolutely necessary
- Only the minimum information necessary should be transferred
- The information should be transferred on a need to know basis
4.3 Data / Records Storage
All records, whether health or corporate records and whether held in paper or electronic format, will be stored securely within the GP practice.
For all types of records health professionals must:
- never inappropriately access records
- shut/lock doors, offices and filing cabinets
- wear ID if issued
- query the status of visitors/strangers
- not tell unauthorised personnel how the security systems operate
- advise senior personnel if anything suspicious or worrying is noted
- confirm the identity of telephone callers
Manual records held within the GP Practice will be:
- held in secure storage
- booked out from their normal filing system
- tracked if transferred, with a note of their current location within the filing system
- returned to the filing system as soon as possible after use
- stored closed when not in use so that the contents are not seen by others
- inaccessible to members of the public
- kept on site unless removal is essential.
In the case of electronic records health professionals must:
- always log out of any computer system or application when work is finished
- always save documents; if the computer crashes or breaks, unsaved files will be lost along with it, so keep a backup of documents on an encrypted, password-protected USB stick
- never leave a terminal unattended and logged in; always lock your screen
- never share Smartcards or passwords with others
- change passwords at regular intervals to prevent others using them
- always clear the screen of a previous patient's information before seeing another
4.4 Data retention and disposal
There is detailed advice about the minimum retention periods applicable to NHS records and about records management in the Records Management: NHS Code of Practice, Part 1 and Part 2. Please refer to the weblink below:
The recommendations apply to both electronic and manual records, and the BMA advises private practitioners to follow the same rules. When health professionals are responsible for destroying health records, they must ensure that the method of destruction is effective and does not compromise confidentiality. Incineration, pulping and shredding are appropriate methods of destroying manual records. Electronic data should be destroyed using appropriate data destruction software – further information can be sought from the IT provider.
4.5 Disclosures of information
The GP practice recognises the need to keep information confidential, and also the circumstances in which it may be required to disclose that information. There is an ever growing list of demands on health professionals to disclose information to third parties such as insurers, the police, social workers, the DVLA and the relatives of deceased patients. There is also growing concern over the implications of increased access to patient information by electronic means and the use of patient information for secondary uses such as audit, commissioning, payment by results, research and teaching. The GP practice follows the guidance set out in the following documents.
BMA Confidentiality and Health Records:
IG Alliance Resources page (contains DH Guidance documentation):
General Medical Council – Confidentiality:
5. Training
All staff who are employed for or on behalf of the GP Practice, including full time, permanent, temporary and agency staff, students and volunteers, must be aware of Information Governance and keep up to date with information governance training. The Level 1 Data Security Awareness training module is mandated for everyone working in health and care.
It has been designed to inform, educate and upskill staff in data security and information sharing. It provides an understanding of the principles and importance of data security and information governance. It looks at staff responsibilities when sharing information and includes a section on how to take action to reduce the risk of breaches and incidents.
This training is available as e-learning on Bluestream academy.
Staff with additional IG responsibilities such as Caldicott Guardian, Subject Access Request Lead, Senior Information Risk Owner, Records Management Lead are recommended to complete additional specialist training for these job functions.
6. Incident Reporting
The GP Practice manages and reports information governance incidents / breaches per the NHS Digital IG incident reporting requirements. A new incident reporting tool for data security and protection incidents has been launched within the Data Security and Protection Toolkit (www.dsptoolkit.nhs.uk/incidents).
The new incident reporting tool reflects the new reporting requirements of GDPR, and for relevant organisations the NIS Regulations.
All reportable data security and protection incidents must be notified through the reporting tool. Guidance materials are available to help organisations assess whether an incident should be reported.
All incidents pertaining to information governance / breaches of confidentiality must be reported and managed following the guidance as detailed above and in accordance with NHS England guidance regarding reporting of IG Incidents to them.
Please note you need to login to the DSP Toolkit in order to record incidents.
All incidents will be investigated by the GP practice and scores / actions reviewed and verified with appropriate personnel such as the Caldicott Guardian, SIRO etc.
Third parties and contractors working with or on behalf of the GP Practice must inform the GP Practice if an incident occurs.
7. Non-Compliance
It is an offence to obtain, disclose, sell or advertise for sale, or bring about the disclosure of personal data, without the consent of the data controller. It is also an offence to access personal data or to disclose it without proper authorisation.
All staff working for or on behalf of the GP Practice agree to uphold information governance standards on signing their contract of employment. This agreement continues, where relevant, after employment has ceased. Non-compliance with this code may result in disciplinary action being taken in accordance with the Disciplinary Procedures.
8. Monitoring
This policy will be reviewed on an annual basis, and as and when required in response to the following:
- legislative changes
- good practice
- guidance; case law
- significant incidents reported
- new vulnerabilities
- changes to organisational infrastructure.
9. Equality Impact Assessment
The GP Practice aims to design and implement services, policies and measures that are fair and equitable. As part of its development, this policy and its impact on staff, patients and the public have been reviewed in line with legal equality duties. The purpose of the assessment is to improve service delivery by minimising and if possible removing any disproportionate adverse impact on employees, patients and the public on the grounds of race, socially excluded groups, gender, disability, age, sexual orientation or religion/ belief.
10. Legislation and related documents
This policy and a set of procedural document manuals are available on the s:drive.
Staff will be made aware of procedural document updates as they occur via email or staff meetings.
Acts Covered Under Policy:
- Data Protection Act 2018
- Health and Social Care Act 2012
- Human Rights Act 1998
- Computer Misuse Act 1990
- Electronic Communications Act 2000