Data Protection Legislation is changing on the 25th May…
The main principles behind GDPR are to ensure that all organisations process personal information in a secure and transparent way so that all patients and staff are aware of, and have confidence in, the way we handle their information.
DCHS explain to patients on our website the reasons for us collecting, recording and sharing information about them to ensure we are being transparent and open. You may have received similar information from companies and organisations about your own information as they prepare for GDPR. You can read DCHS’ notice at: http://www.dchs.nhs.uk/home/about/introduction/your-health-records but please be aware that this is being updated as national guidance is released.
The current Data Protection Principles will be replaced with 6 revised principles that personal data shall be:
a) processed lawfully, fairly and in a transparent manner;
b) collected for specified, explicit and legitimate purposes;
c) adequate, relevant and limited to what is necessary;
d) accurate and, where necessary, kept up to date;
e) kept for no longer than is necessary; and
f) processed in a manner that ensures appropriate security of the personal data.
Under GDPR, all processing of information must have a legal basis, i.e. there must be a clear legal reason for the information being collected, recorded, shared, retained and destroyed. For Health and Social Care, the main legal bases are likely to be covered under the Health and Social Care Act 2015, the Children Acts and the Mental Capacity Act.
All organisations must have a Data Protection Officer – for DCHS this is Hannah Edwards, Information Development & Governance Manager (firstname.lastname@example.org).
More information about the new legislation is detailed in the new Data Protection Legislation (including GDPR) Policy available on Sharepoint.
So, what do I need to do?
1. Ensure you are up to date with your IG Training – all staff must complete this every year. The IG training package has been updated and is available through ESR.
2. Ensure any IG incidents are reported immediately on Datix – GDPR states that all serious IG incidents must be reported to the Information Commissioner’s Office within 72 hours.
3. Be aware that there is no change to the way in which information is shared for the purposes of direct care and Safeguarding of patients.
4. Review all the information that you and your team hold – in both paper and electronic formats. Make sure that you are following point 5 below.
5. Do not hold information for longer than is necessary – follow the Records Management Policy to ensure you destroy records and information once they have reached the end of their retention period.
6. Ensure you can explain to patients why we record and hold information about them, what we do with their information and who we share their information with in order to provide care. We detail this on our website and will continue to update this as more guidance is released: http://www.dchs.nhs.uk/home/about/introduction/your-health-records
7. Read through the GDPR Factsheet and other materials on the IG Team webpage – available at https://my.dchs.nhs.uk/Teams/Information-Governance
8. If you are setting up a new process, service or system, then a Data Protection Impact Assessment will need to be completed – guidance is being developed and will be available soon.
9. Ensure you follow DCHS policies and procedures when handling personally identifiable information. Key policies that are all available on the DCHS SharePoint/intranet site include:
- Data Protection Legislation (including GDPR) Policy
- Records Management Policy
- Confidentiality Code of Conduct
- Access to Records Policy
- IM&T Security Policy
- Email Policy
- Procedures for the Secure Transfer of Information
If you have any questions, please visit the IG Team website at https://my.dchs.nhs.uk/Teams/Information-Governance or email the team at email@example.com