Use of information Flashcards
Review of data security: three categories
- People: ensure staff are equipped to handle information respectfully and safely
- Process: proactively prevent data security breaches and respond to incidents
- Technology: ensure it is secure and up to date
National Data Guardian standards
Advises the health and care system to ensure citizens’ confidential information is safeguarded and used properly. 10 standards:
- Mandatory training- annual
- Confidentiality- ensure personal data is always handled in confidence
- Staff Responsibilities- ensure staff understand their responsibilities
- Data Handling- Personal Data must be handled, stored, transmitted securely and only shared for lawful purposes
- Accountable Suppliers- accountable via contracts for protecting personal data
- Data Breaches- Cyber-attacks identified/resisted, all breaches are identified, reported and actioned
- Process Reviews- at least annually
- Continuity Planning- in place to respond to threats to data security
- IT estate- no unsupported operating systems, software or internet browsers
- IT strategy- strategy in place for protecting IT systems from cyber threats
Data Security and Protection (DSP) toolkit
NHS Operating Framework 2009/10 - NHS providers must assure the Information Commissioner on the management of personal information within their organisation.
ICO (Information Commissioner's Office) upholds the following laws:
- Data Protection Act
- Freedom of Information Act
- Privacy and Electronic Communications Regulations
- General Data Protection Regulation
- Environmental Information Regulations
- INSPIRE Regulations
- eIDAS Regulation
- Re-use of Public Sector Information Regulations
Types of Information in Pharmacies
Personal Information- identifies a person (living or deceased, including patients, customers, staff). Personal Data is a subset of this
Anonymised Information- does not identify an individual. Anonymisation requires the removal of name, address, postcode and any other detail or combination of details that might support identification
Pseudonymised Information- individuals are distinguished by using a unique identifier (a pseudonym). Allows linking of different data sets to the person.
What is 'special category' personal data?
- Race/ethnicity
- Religion
- Trade union
- Sexual orientation
- Health
Legal basis of confidentiality: three types of law
- The EU General Data Protection Regulation
Rights of individual under GDPR/DPA (data protection act)
THE RIGHT:
- TO BE INFORMED- what data is being used for, who it is shared with (fair processing - privacy notice/information)
- OF ACCESS- able to get a copy of information free of charge, within a month of the request (subject access request)
- TO RECTIFICATION- to get inaccurate data corrected
- TO ERASURE- to ask for data to be destroyed-not an absolute right
- TO RESTRICT PROCESSING- to object to the use/sharing of information held in confidence-not an absolute right
- TO DATA PORTABILITY-individuals can obtain and reuse their data for their own purposes across different services-transmitted electronically from one controller to another
- TO OBJECT- to data processing where they claim they are suffering unwarranted distress or damage as a result-Individuals have an absolute right to stop their data being used for direct marketing
- TO AUTOMATED DECISION MAKING (NO HUMAN INVOLVEMENT) AND PROFILING-need consent
Under GDPR Organisations must:
- Report data-related incidents deemed serious to the Information Commissioner’s Office (ICO) within 72 hours (for NHS using the DSP Toolkit incident reporting tool)
- Only use processors who provide ‘guarantees’ of GDPR compliance
- Maintain internal records of your processing activities for accountability
- Ensure data protection by design and default (a ‘built-in’ rather than ‘bolted-on’ approach).
- Conduct Data Protection Impact Assessments (DPIA) for projects likely to result in a high risk to individuals. Perform a DPIA prior to new systems, projects or processes
How to protect information in a pharmacy
- Don't disclose info on websites
- Make sure all staff are trained
- Continue to protect someone's confidentiality after death
- Passwords on computer records
What should you do if there's a data breach in the pharmacy?
- Apologise to patient
- Investigate
- Assess risk to patient
- Pharmacy must report DSP incident
- Deal with as a complaint
- Learn lessons
- Take action to prevent a recurrence
- Contact Information Commissioner if necessary- fill in DSP Toolkit incident reporting form WITHIN 72 HOURS
Name the steps by law which need to be taken to process personal data (GDPR)
- Consent provided by individual
- Contract: the processing is necessary for a contract with the individual
- Legal obligation: the processing is necessary to comply with the law (not including contractual obligations)
- Vital interests: to protect someone's life
- Performance of a duty in the public interest: processing is necessary to perform a task in the public interest or for official functions
- Legitimate interests: the processing is necessary for your legitimate interests
Define implied and explicit consent
- Implied consent - patient indicates their consent by their action (indirectly)
- Explicit consent – the patient actively indicates their consent e.g. by saying yes or no, or writing
For consent to be valid, the patient must:
- Have capacity – in England and Wales, a person lacks capacity if ‘they are unable to make or communicate the decision because of an impairment or disturbance that affects the way their mind or brain works’ Mental Capacity Act 2005
- Be acting voluntarily: not under pressure
- Be provided with enough, balanced information to make the decision (benefits/risks)
- Be capable of using and weighing up the information provided in the decision-making process
- Understand the consequences of not giving consent
Mental Capacity Act 2005: a patient must be able to:
- retain and understand information provided
- understand implications of their decision
- communicate their decision to you (by any means)