Implementation of Security and Confidentiality in GP Practices.


Implementation of Security and Confidentiality in GP Practices

Security and Confidentiality

- Definition of Security: the means used to protect against unauthorised use of, and access to, information.
- Definition of Confidentiality: the protection of information so that someone not authorised to access or use the information cannot do so.

Security and Confidentiality

- Human Rights Act (HRA), Article 8, Right to Privacy: confidentiality of Person Identifiable Information is a basic human right.
- Common Law Duty of Confidentiality: all personal information given in confidence must be treated with the utmost confidentiality and can only be released without the consent of the person under 'enactment' or if it is deemed to be 'in the wider public interest'.
- All named patient information within the NHS is subject to this definition.

Legislation and Guidance

- Enacted law: The Data Protection Act 1998
- NHS guidance: The Caldicott Report; Acceptable Use Policy / Information Security Management System

The Data Protection Act 1998: 8 Principles

Personal data of living individuals must be:
1. Fairly and lawfully processed with consent
2. Obtained for specific and lawful purposes
3. Adequate, relevant and not excessive
4. Accurate and up to date
5. Not kept longer than necessary
6. Processed in accordance with the individual's rights
7. Secure (technical and organisational measures)
8. Not transferred outside the EEA unless a country has adequate protection for the individual

Practice DPA Requirements

The Practice creates and processes PII and must notify the Information Commissioner's Office annually:
- This commits the Practice to Principle 7: personal data of living individuals must be SECURE (technical and organisational measures).
- The notification must include the classes of PII and any disclosures, including the types of organisations to whom it discloses PII.
- The Practice is the Data Controller of the PII it processes; the Data Protection Officer should be the Senior Partner/Clinician, supported by the Practice Manager.

The Caldicott Report 1997: the Caldicott Principles for managing Patient Identifiable Data in the NHS
1. Justify the purposes for using confidential information
2. Only use it when absolutely necessary
3. Use the minimum that is required
4. Access should be on a strict need-to-know basis
5. Everyone must understand his or her responsibilities
6. Understand and comply with the law

The Caldicott Report 1997: main recommendations

Appoint a Caldicott Guardian to:
- Map the flows of patient data within the Practice
- Identify PII exchanges into and out of the Practice
- Risk assess and question every flow, and only allow the flows that meet a genuine need
- Allow access only when there is a genuine need
- Set up Information Sharing Protocols with all organisations with whom the Practice shares data
- Develop a Practice annual improvement plan to complement the LHB plan
- Accept an audit of the process (LHB and HIW)

Person Identifiable Information (PII): a summary
- Uses must be defined, justified and lawful
- Consent is needed to use it 'widely'
- Only record what is necessary
- Keep it accurate and up-to-date
- Keep it secure
- Keep it confidential
- Restrict access to a 'need to know' basis
- Control sharing, but share where needed/justified
- Don't keep it longer than necessary
- There is a legal right of access
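The Caldicott flow-mapping recommendations and the PII summary above can be turned into a check that a Practice runs over its register of data flows. This is an added illustration in Python, not code from the slides; the flow names, data items and recipient organisations are constructed.

```python
from dataclasses import dataclass

# A DataFlow is one entry in the Practice's register of PII exchanges
# (constructed fields; the slides describe the principles, not a schema).
@dataclass
class DataFlow:
    name: str
    recipient: str           # organisation receiving the data
    purpose: str             # stated, justified purpose ("" if none recorded)
    items: frozenset         # PII items actually sent
    needed: frozenset        # items the purpose genuinely requires
    sharing_protocol: bool   # Information Sharing Protocol agreed?
    lawful_basis: str        # "consent", "enactment", "public_interest" or ""

LAWFUL_BASES = {"consent", "enactment", "public_interest"}

def review_flow(flow):
    """Return the reasons a flow must not be allowed; empty list = allowed."""
    problems = []
    if not flow.purpose.strip():
        problems.append("no justified purpose recorded (Caldicott 1)")
    if flow.lawful_basis not in LAWFUL_BASES:
        problems.append("no lawful basis for disclosure (common law duty)")
    excess = flow.items - flow.needed
    if excess:  # sending more than the purpose requires (Caldicott 3)
        problems.append(f"excessive items {sorted(excess)} (Caldicott 3)")
    if not flow.sharing_protocol:
        problems.append("no Information Sharing Protocol with " + flow.recipient)
    return problems

def review_register(flows):
    """Split a register into allowed flow names and blocked flows with reasons."""
    allowed = [f.name for f in flows if not review_flow(f)]
    blocked = {f.name: review_flow(f) for f in flows if review_flow(f)}
    return allowed, blocked

# Constructed sample register: one compliant referral, one flow that fails
# every check (no purpose, no basis, full record sent, no protocol).
SAMPLE_FLOWS = [
    DataFlow("referral", "hospital", "outpatient referral",
             frozenset({"name", "nhs_number", "dob", "clinical_summary"}),
             frozenset({"name", "nhs_number", "dob", "clinical_summary"}),
             True, "consent"),
    DataFlow("audit_extract", "LHB", "",
             frozenset({"nhs_number", "full_record"}), frozenset({"nhs_number"}),
             False, ""),
]

if __name__ == "__main__":
    print(review_register(SAMPLE_FLOWS))
```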

Acceptable Use Policy (AUP)
- Acceptable Use Policy introduced to Practices in 2000 and updated in 2002
- Policies and procedures to support demonstration of Information Security
- All Practices signed a declaration stating compliance with the AUP

Information Security Management System (ISMS)
- Model ISMS introduced to support GMPs in 2006/7
- ISMS: an ongoing process incorporating policies, procedures and implementation of a support structure to deliver Information Security, along with regular review/audit
- Enables Practices to meet the requirements of the AUP
- ISMS includes a revision and update of the AUP

Roles within the Practice
- Who is the Practice's Data Protection Officer?
- Who is the Caldicott Guardian within the Practice?
- Who is the lead for Information Security and ISMS within the Practice?

Information Security Website for GMP Staff 