The Data Protection Act 2018 (DPA) requires a clear direction on policy for security of information within the practice and the practice is also required to annually make a declaration in respect of information governance.
This policy provides direction on security against unauthorised access, unlawful processing, and loss or destruction of personal information.
- The practice is committed to security of patient and staff records, as well as any other information which is deemed to be ‘private’ or potentially sensitive.
- The practice will take steps to ensure that individual patient information is not deliberately or accidentally released or (by default) made available or accessible to a third party without the patient’s consent, unless otherwise legally compliant.
- Comprehensive coverage of up-to-date security, data protection, Caldicott principles and relevant procedural aspects are to be included in the Employee Handbook which forms part of all practice employment contracts. These entries are to clearly confirm the actions and standards required.
- All staff members will undertake appropriate Information Governance training to ensure they are fully conversant with (and mindful of) confidentiality issues, DPA principles, working security procedures and the application of Best Practice in the workplace. They will use their mandated NHS Smartcard when using the practice adopted medical computer system.
- The practice will undertake prudence in the use of, and testing of, arrangements for the backup and recovery of data in the event of an adverse event.
- The practice will maintain a system of “significant event reporting” through a no-blame culture to capture and address incidents which threaten compliance.
- Specific instructions will be documented within confidentiality and security instructions and will be promoted to all staff.
- Patients will be kept informed on Information Governance policies and procedures by the use of relevant mean, eg practice website.
- An Information Asset Register (IAR) is to be collated and maintained. The IAR is to list relevant information and mediums in place to hold or produce information, include potential asset risks and outline the actions to be undertaken in seeking to negate or reduce these risks.
- A practice continuity plan is to be produced and maintained that clearly provides both a first response and a framework under which the practice may be managed and continue to operate under exceptional and adverse circumstances.
- As to be stipulated in the continuity plan, current back-up copies of accounts and payroll systems are to be taken off-site over night by the practice manager (or operations manager in their absence). Medical system back-ups are taken remotely by Health Care Computing.
- We should aim to ensure that only the minimum necessary personal data is processed, that pseudonymisation is used where possible, that processing is transparent.
- The importance of the quality of data being held (especially patient medical information) is absolutely acknowledged. High levels of data completeness and accuracy will be maintained, with suitable resources allocated to such important tasks.
- Subject Access Requests and information sought under the GDPR regulations should be provided with the clearly defined response timescales. Under the GDPR, employers must respond to a SAR ‘without undue delay and in any event within one month of receipt of the request’. This shortens the previous 40 day limit under the DPA. A record of all requests is to be maintained by the practice administration team and these deadlines to be met. Any queries on such matters are to be directed to the practice or operations managers. Freedom of Information requests (required to be made in writing) will similarly be given a suitably high priority and actioned within the set timescales.
- We are fortunate that we are on the secure hospital COIN computer network with an appropriate level of IT support provided. However, practice complacency in maintaining secure network architecture will not be permitted.