
Implementation of Security and Confidentiality in GP Practices.


1 Implementation of Security and Confidentiality in GP Practices

2 Security and Confidentiality
Definition of Security
- Means used to protect against unauthorised use of and access to information
Definition of Confidentiality
- The protection of information so that someone not authorised to access or use the information cannot do so

3 Security and Confidentiality
Human Rights Act (HRA) – Article 8, Right to Privacy
- Confidentiality of Person Identifiable Information is a basic human right
Common Law Duty of Confidentiality
- All personal information given in confidence must be treated with the utmost confidentiality and can only be released without the consent of the person under ‘enactment’ or if it is deemed to be ‘in the wider public interest’
- All named Patient information within the NHS is subject to this definition

4 Legislation and Guidance
- Enacted Law: The Data Protection Act 1998
- NHS Guidance: The Caldicott Report; Acceptable Use Policy/Information Security Management System

5 The Data Protection Act 1998
8 Principles: Personal data of living individuals must be:
1. Fairly and lawfully processed with consent
2. Obtained for specific and lawful purposes
3. Adequate, relevant and not excessive
4. Accurate and up to date
5. Not kept longer than necessary
6. Processed in accordance with the individual’s rights
7. Secure (technical and organisational measures)
8. Not transferred outside the EEA unless a country has adequate protection for the individual

6 Practice DPA Requirements
The Practice creates and processes PII and must notify the Information Commissioner’s Office annually:
- This commits the Practice to Principle 7: Personal Data of living individuals must be SECURE (technical and organisational measures)
- The notification must include the classes of PII and any disclosures – including the types of organisations to whom it discloses PII
- The Practice is the Data Controller of the PII it processes; the Data Protection Officer should be the Senior Partner/Clinician supported by the Practice Manager

7 The Caldicott Report 1997
The Caldicott Principles for managing Patient Identifiable Data in the NHS:
1. Justify the purposes for using confidential information
2. Only use it when absolutely necessary
3. Use the minimum that is required
4. Access should be on a strict need-to-know basis
5. Everyone must understand his or her responsibilities
6. Understand and comply with the law

8 The Caldicott Report 1997 – Main recommendations
Appoint a Caldicott Guardian to:
- Map the flows of Patient Data within the Practice
- Identify PII exchanges into and out of the Practice
- Risk assess and question every flow and only allow the flows that meet genuine need
- Allow access only when there is a genuine need
- Set up Information Sharing Protocols with all organisations with whom the Practice shares data
- Develop a Practice annual improvement plan to complement the LHB plan
- Accept an audit of the process (LHB and HIW)

9 Person Identifiable Information (PII) – A Summary
- Uses must be defined, justified and lawful
- Consent is needed to use it ‘widely’
- Only record what is necessary
- Keep it accurate and up-to-date
- Keep it secure
- Keep it confidential
- Restrict access to a ‘need to know’ basis
- Control sharing, but share where needed/justified
- Don’t keep it longer than necessary
- There is a legal right of access

10 Acceptable Use Policy (AUP)
- Acceptable Use Policy introduced to Practices in 2000 and updated in 2002
- Policies and procedures to support demonstration of Information Security
- All Practices signed a declaration stating compliance with AUP

11 Information Security Management System (ISMS)
- Model ISMS introduced to support GMPs in 2006/7
- ISMS: ongoing process incorporating policies, procedures and implementation of a support structure to deliver Information Security, along with regular review/audit
- Enables Practices to meet the requirements of AUP
- ISMS includes a revision and update of AUP

12 Roles within the Practice
- Who is the Practice’s Data Protection Officer?
- Who is the Caldicott Guardian within the Practice?
- Who is the lead for Information Security and ISMS within the Practice?

13 Information Security Website for GMP Staff: http://howis.wales.nhs.uk/gmsimt/is

