Information Governance - 1 Flashcards
What is confidential information?
- generally and professionally
generally – information given to you by someone, with the expectation that you will not pass it on without permission
professionally – personal information about patients that should not be divulged to others except under special circumstances
What type of information is classified as confidential information?
- personal details and patient identifiable data, including information that is not directly relevant to a patient's medical history
= postal code, DOB, videotapes, audiotapes, NHS number
- information about a patient's medication
= both prescribed and non-prescribed
- other information about a patient's medical history, treatment or care
What type of information is not classified as confidential information?
- anonymous information
- coded information which enables information about different patients to be distinguished without identifying them
- information that is already legitimately in the public domain
What are the steps you must take to protect information?
- take all reasonable steps to protect the confidentiality of information you receive, store, send or destroy
- store hard copy and e-documents, records, registers, prescriptions and other sources of confidential information securely
- take steps to prevent accidental disclosure
- provide privacy in patient consultations so that confidential information is not overheard or accessed
- not disclose information on any websites, internet chat forums or social media that could identify the patient
- raise concerns if you find that the security of personal information where you work is not appropriate
- continue to protect a person’s confidentiality after they have died, subject to disclosures required by law or when it’s in the public interest
- ensure sources of patient identifiable information are disposed of in a manner that prevents the information being seen by unauthorised persons
How should computer records be protected?
- must be satisfied that any system used is capable of restricting access
= suitable passwords, personal identification number (PIN) or other restricted access systems must be in place
- PIN or passwords should be changed at regular intervals
= e.g. if a member of staff terminates employment at the pharmacy
- the level of access that various members of the pharmacy team have to a patient's records should be appropriate to their duties
What is the Data Protection Act?
The Data Protection Act (DPA) 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR).
What are the 8 principles set out by the Data Protection Act regarding information?
information must be:
1 - used fairly, lawfully and transparently
2 - used for specified, explicit purposes
3 - used in a way that is adequate, relevant and limited to only what is necessary
4 - accurate and, where necessary, kept up to date
5 - kept for no longer than is necessary
6 - handled in a way that ensures appropriate security
= including protection against unlawful or unauthorised processing, access, loss, destruction or damage
7 - processed in accordance with human rights
= individuals must be able to access their data and must be able to request that it be deleted
8 - cannot be transferred outside of the EEA
What are the individuals' rights in the Data Protection Act?
individuals have the right to:
- be informed about how their data is being used
- access personal data
- have incorrect data updated
- have data erased
- stop or restrict the processing of their data
- data portability (allowing them to get and reuse their data for different services)
- object to how their data is processed in certain circumstances
What is the difference between the Data Protection Act (DPA) and the General Data Protection Regulation (GDPR)?
DPA
- applies only in the UK
- has lower fines = up to 500K or 1% annual turnover
- reporting data breaches is not necessary
- no requirement for an organisation to remove all the data they have for an individual
- privacy impact assessments (PIAs) are not necessary
- data collection does not necessarily require an ‘opt in’
GDPR
- applies to all EU countries and any global companies who keep EU citizen data
- has higher fines = up to £20 million or 4% annual turnover
- breaches must be reported to the ICO within 72 hours of the incident
- individuals have a ‘right to erasure’ which includes all data being permanently deleted
- PIAs are mandatory and will have to be carried out when there is high risk to individual freedoms
- individuals must ‘opt in’ whenever data is collected and there must be clear privacy notices
What is a:
- data subject?
- data processor?
- information commissioner?
- data controller?
data subject
- person on whom data is being kept
data processor
- anyone else processing data
information commissioner
- is the person (and his/her office) who has powers to enforce the Act
= maintains a register of data controllers
data controller
- person in charge of keeping the records, decides what data to process and how
What is the Access to Health Records Act 1990?
the act states who can access a patient's health record
- patient can authorise another to have access
= e.g. solicitor
- courts can authorise access
= e.g. issues of capacity
- no access to records of children/young people without permission
- allows access to records of deceased
Can individuals be charged for requesting access to their health care records?
one of the operational changes brought about by GDPR is the loss of the general ability to charge individuals for making a subject access request
however, when requests are manifestly unfounded or excessive then the data controller may
- charge a reasonable fee = must be non-profit making
- refuse to act on the request
What is Caldicott?
the Caldicott principles are fundamentals that organisations must follow to protect information that could identify a patient
- name, address
advises that every NHS organisation should have a guardian of person-based clinical information
What are the eight principles of Caldicott?
Principle 1: justify the purpose(s) for using confidential information
Principle 2: use confidential information only when it is necessary
Principle 3: use the minimum necessary confidential information
Principle 4: access to confidential information should be on a strict need-to-know basis
Principle 5: everyone with access to confidential information should be aware of their responsibilities
Principle 6: comply with the law
Principle 7: the duty to share information for individual care is as important as the duty to protect patient confidentiality
Principle 8: inform patients and service users about how their confidential information is used
What is information governance?
information governance is how information is used
- looks at all the different laws and necessary safeguards for the appropriate use of patient and personal information
= Data Protection Act, General Data Protection Regulation, NHS Digital data protection, NHS Act 2006, Human Rights Act
- covers the system and process management, records management, data quality, data protection