NHS Grampian
Data Protection & Privacy

Information for Staff

The Data Protection Act 1998 came into force in March 2000 and replaces the 1984 Act. All data users must be aware of this important piece of legislation.

  • The changes affect everyone
  • The changes are substantial and backed by legal powers
  • Individual members of staff can now be held accountable for breaches of the Data Protection Act

This means that YOU are responsible!

What is the Data Protection Act?

The Data Protection Act 1998 now relates to all personal information about living individuals, in paper and electronic format. The principal aim is to strengthen the individual's right to privacy with respect to handling and processing personal data, whether it is computerised or manual.

The Data Protection Act has eight principles, which are the rules of good information handling.

How can we comply with these principles?

  • Tell people clearly what NHS Grampian uses their information for, and that special care is taken with sensitive information.
  • Ensure that information is used and disclosed only for the purposes for which it was collected.
  • Keep only relevant information which is adequate - but not excessive - for the purpose for which it is held.
  • Keep information accurate and up-to-date.
  • Hold information only as long as is necessary for the purpose.
  • Allow individuals access to information held on them, in accordance with their rights.
  • Take appropriate security measures to prevent unauthorised or unlawful processing, disclosure, loss, or alteration of information.
  • Transfer information only to countries which have adequate levels of data protection law.

What are the Caldicott Principles?

Whereas the Data Protection Act safeguards personal information, the Caldicott principles ensure the security and confidentiality of patient information. Each Health Board area has a Caldicott Guardian. There are six Caldicott principles for handling patient information, and they are the guidelines to which the NHS works:

  • Justify the purpose.
  • Do not use patient-identifiable information unless it is absolutely necessary.
  • Use the minimum necessary patient-identifiable information.
  • Access to patient-identifiable information should be restricted to a need-to-know basis.
  • Everyone should be aware of their responsibilities.
  • Everyone should understand and comply with the law.

It is important that all staff, students, volunteers and contractors have received and read the booklet NHS Code of Practice on Protecting Patient Confidentiality. Copies can be obtained from the Human Resources Department.

Adhering to the law

It is vital that our patients have confidence in our ability to protect their privacy, comply with the law, and safeguard their personal health data.

Data users within the health service must ensure that they obtain information about their patients properly, keep it secure, and handle it in accordance with the well-established rules of medical confidentiality. By doing so, the most important requirements which data protection legislation places on health service staff are likely to be satisfied.

Questions to consider

  • What information do you ask a patient/staff member?
  • What do you use patient/staff information for?
  • Is the personal information that is gathered duplicated in any way?
  • Do you act on special requests from a patient, e.g. a patient tells you something sensitive but does not want this recorded anywhere?
  • Do you have the consent of the patient/staff member to disclose information?

Always ask yourself: if it was information about me, is what I am doing acceptable?

How do I avoid unauthorised disclosure?

  • Patient notes lying around? Always leave them in a secure place
  • Take care when talking to patients or chatting to your work colleagues
  • Make sure you can't be overheard

Telephone
Telephone enquiries - are you authorised to give out this information?

Fax
Faxing information - is the receiving fax secure?

e-mail
Be careful about content - obtain confirmation of receipt

If in doubt, STOP and seek advice

Patients' right of access to their personal health records

The Data Protection Act 1998 gives patients the statutory right of access to any health record, whether manual (paper) or computerised. If a patient wishes to learn more about their care, they can discuss this with health service staff during a consultation or treatment, and ask to see the appropriate records at that time. However, this does not constitute a formal application under the Act, and a member of staff is not obliged to agree at this stage.

A formal application can be made by the patient at any time. Forms for this purpose can be obtained from any Health Records Manager within NHS Grampian, who is also responsible for the processing of such applications. Information needs to be provided within 40 days of a request, so staff must action requests promptly.

Access to the health records of deceased patients is not governed by the Data Protection Act. Any such requests must also be directed to a Health Records Manager. Sometimes patients have specific concerns about the release of health records to their family in the event of their death. They should discuss the matter with nursing/medical staff, and any such instruction must be entered into the patient's health record.

Further information

Further information on Data Protection and Caldicott can be found at http://www.knowledge.scot.nhs.uk/caldicottguardians.aspx

Other Contacts

Christopher Morrice
The Information Governance Manager
Department of eHealth
01224 551054
christopher.morrice@nhs.net

The Caldicott Guardian
Dr Roelf Dijkhuizen
Medical Director,
NHS Grampian
01224 553715
Roelf.dijkhuizen@arh.grampian.scot.nhs.uk


