Information Governance

INFORMATION GOVERNANCE & CONFIDENTIALITY – PATIENT DATA POLICY

Introduction

This document outlines the arrangements in place at the Practice to ensure the confidentiality, integrity, and lawful handling of patient data in accordance with UK GDPR, the Data Protection Act 2018, and NHS Information Governance standards. The Practice is committed to upholding the highest standards of data protection, transparency, and accountability.

Practice Responsibilities

The Practice is responsible for:

  • Training & Awareness
    • Ensuring that all staff complete annual mandatory Information Governance training.
    • Requiring staff to sign a Confidentiality Agreement and to acknowledge their data protection responsibilities in their employment contract.
    • Assessing data protection and confidentiality competencies as part of routine appraisal and supervision processes.
  • Annual Compliance
    • Completing and publishing the Data Security and Protection Toolkit (DSPT) self-assessment each year, ensuring full compliance with NHS Digital and NHS England requirements.
  • Data Disposal
    • Ensuring confidential waste is disposed of securely via an accredited disposal contractor. The Practice retains:
      • Records of contractor registration and compliance.
      • A secure log of confidential waste collections.
  • Lawful Access to Information
    • Adhering to the Caldicott Principles and NHS Confidentiality Code of Practice (2003).
    • Only disclosing patient data:
      • With valid, informed consent.
      • Where legally required.
      • When necessary for safeguarding or in the public interest—with proper documentation and clinical authorisation.
  • Reference Guidance
    • Following “A Guide to Confidentiality in Health and Social Care” (Health and Social Care Information Centre, September 2013).

Patient Information Leaflet / Poster Wording

Confidentiality of Your Medical Information

We are committed to protecting your privacy. All patient information is treated in the strictest confidence and in line with:

  • UK General Data Protection Regulation (UK GDPR),
  • The Data Protection Act 2018, and
  • The Caldicott Principles.

All staff are trained in data protection and confidentiality. They:

  • Only access information necessary for their role.
  • Have confidentiality clauses in their contracts.
  • Are required to sign a confidentiality agreement.

To ensure safe and effective care, your data may be shared with members of your direct care team. If you do not want your information shared, speak to your GP so this can be recorded in your file.

We will not share your data with any other party without your explicit consent, unless required by law or in an emergency. If any disclosure is made, it will be:

  • Proportionate to the purpose.
  • Limited to the minimum necessary data.
  • Fully recorded and authorised by a clinician.

Summary Care Record (SCR)

The Summary Care Record (SCR) is a national data extraction system that helps emergency care providers access key medical information (e.g. medications, allergies). All patients are included unless they choose to opt out.

To opt out, please request a form from reception or visit:
https://digital.nhs.uk/services/summary-care-records

Online Consultations and Video Conferencing (MS Teams, etc.)

When using video and chat applications (e.g., MS Teams, Zoom, WhatsApp) for consultations or staff meetings, the following applies:

Personal Confidential Data (PCD):

  • Should only be shared when necessary and in accordance with NHS guidelines.
  • May be shared verbally during live calls, but must not be shared in written chat unless absolutely required.

Messaging and Attachments:

  • Use NHS mail (nhs.net) for secure communications.
  • If sending PCD via Teams, it must be:
    • In an encrypted and password-protected attachment.
    • Sent from a practice-owned or CCG-approved device.

Security Requirements for Personal Devices:

If accessing systems or data from a personal device, the device must:

  • Be encrypted.
  • Be fully updated and security patched.
  • Require authentication (e.g. PIN, password, fingerprint, FaceID).

CCTV Usage

CCTV is used for safety and security in line with:

  • ICO’s CCTV Code of Practice (2015).
  • The Surveillance Camera Code of Practice (Home Office, 2013).

In addition:

  • A Data Protection Impact Assessment (DPIA) has been completed.
  • CCTV is installed in public areas and external perimeters.
  • Recordings may be provided to police or official bodies if legally required.
  • Image data is stored securely in accordance with the Practice’s data protection registration.

Telephone Recording

All telephone calls are recorded for:

  • Staff training and monitoring,
  • Patient safety,
  • Dispute resolution.

These recordings are handled in accordance with the Data Protection Act and the Practice’s privacy policies.

Virus and Cybersecurity Protection

To safeguard against data loss or corruption, the following cybersecurity measures are enforced:

  • All practice systems are protected by centrally managed antivirus software.
  • Antivirus definitions and patches are regularly updated.
  • Staff must not download or install software without IT or Practice Manager approval.
  • Sensitive documents shared externally must be sent in PDF format where possible.
  • Personal mobile phone use is discouraged. Any personal charging equipment must be PAT tested to meet electrical safety requirements.

Resources and Policies

The following documents are available upon request or via the Practice intranet:

  • Confidentiality: NHS Code of Practice (2003)
  • Caldicott Principles
  • Cyber Security Policy
  • CCTV Policy and Code of Practice
  • Confidentiality Clause – Staff Contracts
  • Data Protection Policy
  • Privacy Notice
  • Staff IG Training Log

Review Date: July 2025
Next Review Due: July 2026
Policy Owner: Information Governance Lead / Practice Manager
Approved By: Christine Bunton