Information Governance. and what it means for you

Transcription

1 Information Governance and what it means for you 1

2 Content Introduction 3 Who are we? 4 What is Information Governance? 4 Purpose of Holding Information 5 Confidentiality and Security 5 Accuracy of Information Types of Information 6 Service User Information 9 Employee Information 10 Corporate Information 11 Access to Personal Information held by the Trust 13 Access to Corporate Information held by the Trust 15 Compliments, Complaints or Appeals 15 Further Information 2

3 Introduction Who are we? KMPT provides a number of different mental health services to people living in Kent and Medway. Our services are more specialised than services provided by General Practitioners. Most of our mental health services are provided through: Community based teams Outpatient clinics Inpatient units Community services and inpatient/outpatient units are generally split into services for adults and services for older people over local areas. In addition to our community and inpatient/outpatient services, we also provide a number of specialist services across the county and mental health services for people with a learning disability. We work as a partnership organisation for mental health services and our partners include: Clinical Commissioning Groups Commissioning Support Units General Practitioners (GPs) Ambulance Services Acute Hospital Trusts Mental Health Social Services More information about our services can be found on our website 3

4 What is Information Governance? Information governance is the term used to describe the principles, processes, legal and ethical responsibilities for managing and handling information. It sets the requirements and standards that health and social care organisations need to achieve to ensure they fulfill their obligations so that information is handled legally, securely, efficiently and effectively. This booklet has been prepared to advise individuals on what information we hold, how it is used by us and the rights available to individuals. Purpose of Holding Information All organisations are obliged to understand and document the purposes for which information is held. These are documented in something called a Data Protection Register Entry which is registered with the Information Commissioners Office (the body with responsibility for overseeing compliance). As an NHS Trust, we keep records relating to the purposes detailed above. These records help us to deliver our services and manage our activities and may be written down (manual/paper records) or be held on a computer in electronic form or as part of an information system. KMPT has identified the following reasons for holding and using information: to provide Healthcare Services to administer staff and employment records to keep Accounts and Records relating to our activities to take part in appropriate research within the Health Sector in Crime Prevention and Prosecution of Offenders in educating and training our staff to provide good quality services in establishing/maintaining membership of our Trust in auditing our services and preparing statistics on NHS performance in reviewing the care provided and ensuring services meet the needs of the users Electronic records will be held in digital form on servers and computers as well as removable media including USB memory stick and CDs. Electronic records include, but are not limited to databases, s, scanned files or images, word processed files, spread sheets, web pages and media clips. The security of electronic records is paramount to providing a confidential service and is controlled and governed on a need-to-know basis by a variety of methods including, but not limited to, passwords, smartcards and security tokens. Some of these reasons will involve using and sharing personal information which may identify individuals either as employees or service users. Some will be met through the use of anonymous or non-identifiable statistics or data. 4

5 Confidentiality and Security of Information Individuals entrust us with, or allow us to gather, sensitive information relating to their health, employment and other matters as part of their contact with our organisation. They do so in confidence and have a legitimate expectation that we will respect their privacy and act appropriately. It is essential that we provide a confidential service. PROTECT The provision of a confidential service is governed by law, policy, procedure and best practice. As an NHS Trust, we have a duty to ensure this confidentiality and the physical/electronic security of your information is maintained at all times. In order to do this we follow the model of confidentiality promoted by the Department of Health: PROTECT - we look after the personal information held by us; INFORM - we ensure individuals are aware of how their information is used; PROVIDE CHOICE - we allow individuals to decide, within the boundaries of the law, whether information can be disclosed or used in particular ways; and IMPROVE - we always look for better ways to protect, inform and provide choice. INFORM IMPROVE PROVIDE CHOICE From: DH/IPU/Patient Confidentiality (2003) Gateway Ref 1656 Confidentiality NHS Code of Practice pg 10 Accuracy of Information We have a duty to ensure your information is accurate and kept up-to-date. To do this, we undertake regular checks on the quality of the data we hold and will ask you at regular intervals to confirm your basic information, such as name, address, date of birth, ethnicity etc. is right. We may also take part in Information Quality Assurance Assessments with our partner organisations to ensure we deliver improvements in the quality of information we record about you. 5

6 Types of Information Service User Information When you make use of any of the Trust s services, it is important we have information about you in order to ensure you get the care and/or treatment appropriate to your needs. This information helps to ensure you receive the best possible care. It may be written down (manual/ paper records) or held on a computer. This will form what is called a health record commonly defined as a record consisting of information about the physical or mental health of an individual made by, or on behalf of, a health/social care professional in connection with the care of that individual. The type of information kept includes: Basic details such as name, date of birth, address, next of kin, ethnicity, disability, sexuality and gender Contacts we have had with you Notes and reports about your health and any treatment and care you need Details and records about the treatment and care you receive Results of any tests or investigations Relevant information from other health professionals, relatives or those who care for you How we use this information to help you Primarily this information is used to guide and administer the care you receive. It ensures that: All healthcare professionals involved in your care have accurate and up-to-date information We can contact you for appointments Information is available if you need to see another health professional within our Trust or be referred to a specialist in another part of the NHS We can assess the type and quality of care you receive Your concerns can be properly investigated if you need to complain 6

7 How we use this information to help the NHS We may also need to use your information to help the NHS. This includes: Looking after the health of the general public Being able to ensure your healthcare is paid for Ensuring our services meet patient needs Preparing statistics of NHS performance Reviewing the care provided to ensure it is of the highest standard Teaching and training healthcare professionals Conducting health research and development Auditing our services Where information is used for these purposes, we always take every care to ensure individuals cannot be identified. Anonymous statistical information may be shared with other organisations such as universities and research institutions where there is a legitimate interest. On some occasions, such as pre-screening for clinical research or the investigation/assessment into the provision of care or management of the Trust, it is not possible to use anonymous information and statutory authorities like the NHS Litigation Authority may want to see your records. Where this is the case and personal identifiable information is likely to be used and/or shared, we will ask your permission, unless the law requires us to share the information, when we will aim to advise you as soon as possible. Occasionally, we are asked to provide information to assist with training, education, research or audit. Any such requests are considered very carefully by the Trust s Caldicott Guardian (the officer with responsibility for safeguarding confidentiality) and information is usually provided in a form that does not identify individuals. If you wish to object to your records being made available during such activities, please notify the Trust. 7

8 Information Sharing We work as a partnership organisation for mental health services and may need to share some clinical information with other groups of professionals involved in the provision of care. Please be reassured, we will only use or pass on information where there is a genuine need for it. Your treatment and care may involve a team, which includes doctors, nurses, therapists, some administrative staff and other health and social care professionals, including your GP. Information about you may be shared to assist those who have an interest in your care or treatment. Your information will only be passed on to those who have a need-to-know and be shared in a secure manner. Your information may also be shared, subject to strict agreements describing how it will be used with: Social Services Local Authorities Voluntary Sector Providers Private Sector Providers We will not disclose your information to any other organisation without your permission unless there are exceptional circumstances, such as when the health or safety of yourself or others is at risk or where the law requires it to be passed on. We are required by law to report certain information to the appropriate authorities and occasions when this is the case include: Where we encounter infectious diseases which may endanger the safety of others such as meningitis or measles (but not HIV/ AIDS) Where a formal court order has been issued Where disclosure is necessary to protect either yourself or someone else from harm Whatever the reason for sharing information, we will ensure it is done so securely and lawfully. 8

9 Employee/Staff Information As an employee, or past employee of the Trust, we are obliged to retain information about you and your employment. This will include information such as your name, date of birth and address as well as more sensitive information such as your ethnicity, salary and bank details. We will also hold a personal file relating to your employment containing information about your absences and performance whilst an employee. These records may be written down (manual/ paper records) or held on a computer (electronic records). The content of your personal file will be retained securely by your Line Manager. However, in order to manage and administer your employment relevant information will be available to other departments such as Human Resources or Payroll. In addition, the Trust is obliged to provide various external bodies with some information such as HM Revenue and Customs, Pensions Agency etc. Your information will only be passed on to those who have a need-to-know and it will be shared in a secure manner, for example in the event of your employment transferring under TUPE regulations information will be shared with your new employer. How we use this information Primarily this information is used to administer your employment with us from recruitment to termination including pay, discipline, superannuation, work management, fitness to practice, professional registrations or other personnel matters. However, we may also need to use this information to help the NHS, including: NHS Reporting to the Department of Health or Strategic Health Authority Auditing our Services Where information is used for these purposes, we always take every care to ensure individuals cannot be identified. 9

10 Corporate Information Corporate records are records which relate to the corporate business of the Trust such as financial accounts, minutes and meeting papers, legal and other administrative documents. Corporate records may contain personal identifiable information, for example staff files or commercially sensitive information about the business of the Trust and such records are treated with the utmost care to their confidentiality and security. What is a Corporate Record? Corporate records can be made up of documents and records. These could be either in written/paper or electronic form. A document is defined as any item of information received or created by the Trust. A document is an evolving item of information which can be changed and is owned and managed by individuals e.g. working documents in draft form. A document or its contents could be held in any form or made up of any type e.g. text, image, video, audio, paper, electronic, physical (audio or video tape, architectural models etc.). Records are those documents which support and provide evidence of the activities of the Trust. They are the final versions of documents (master copy) and do not change e.g. policy documents, minutes of meetings. They are subject to retention periods to ensure information is retained only for as long as is necessary. How we use this information Corporate records are created in order to ensure that the Trust has the necessary information to deliver high quality services and provide evidence of their activities. It is the duty of each NHS body to establish and keep in place arrangements for the purposes of monitoring and improving the quality of health and social care provided by and for that body. 10

11 Access to Personal Information held by the Trust What are my rights? The Data Protection Act 1998, Access to Health Records Act 1990, Human Rights Act and the common law duty of confidence, all protect your privacy and your information. Under the Data Protection Act 1998 you have the right to apply for access to your records; this is known as a Subject Access Request or SAR. This applies to all records kept about you no matter when they were made. The Act relates to all organised identifiable information about living people, in all formats and regardless of how much of it there is. In the event that you wish to access health records relating to an individual who has passed away, the Access to Health Records Act 1990 would apply. The provisions are very similar to those in the Data Protection Act 1998 however, there are regulations surrounding who can make such a request as the information continues to be held under a duty of confidentiality. How do I apply? Applications to access records must be made in writing and sent to the Information Rights Office. You will be asked to provide evidence of your identity. How long will it take? We have an obligation to provide access to records within 40 calendar days, slightly less for those made under the Access to Health Records Act. This time period starts after we have received everything we need to process your request. How will my records be shown to me? When you make your application, you will be asked to confirm whether you want to view your records or receive copies. Viewings will take place at a mutually agreed date/time or photocopies can be sent to you. 11

12 Can someone else ask for my records? Your solicitor/representative, friend or family member can make the request for you. They will be required to provide your written authority/consent for us to liaise with and share this information with them on your behalf. Can I change my records? Where you consider there are inaccuracies on the record, you can ask the Trust to reconsider the entry and either make an amendment or add a note to the records stating your opinion. The Information Rights Department can advise you on this. What will it cost? For access to personal information (not including health records), a small administrative charge of 10 will be applied to each request. For access to health records the cost is dependent on when your records were last added to or an entry made within them and can range from nothing to a maximum of 50. Can I be refused access? It is very unlikely that you would be refused access to information about yourself. However, the Trust is obliged to approach any third parties who may have supplied information, such as relatives, private healthcare providers or other organisations, including those who have given references for employment purposes, and request their permission before passing this information to you. When asking for health records, there is a possibility that access will be refused or limited to only part of the records if: Your health professional thinks you or someone else could be harmed as a result; The information relates to, or was provided by, an identified individual apart from you or a health professional who has not given their permission to its release; or You are applying on behalf of someone who has died or is no longer capable of managing their own affairs but who originally gave the information on the understanding that it wouldn t be revealed later. 12

13 Access to Corporate Information held by the Trust The Freedom of Information Act and other related legislation, such as the Environmental Information Regulations 2000, came into force in 2005 and provides the right to request information from public authorities. The aim of the legislation is to promote trust and confidence in our public services, including the NHS, by providing clear information and being open about what we do. Will I be able to get access to all the Trust s information? The right to obtain information may be limited by some exemptions which are listed within the Act. The effect of the exemptions is that we may not be able to supply all or part of the information requested. If possible, we will supply the information requested with the exemption information removed. What information is already available? Our Publication Scheme is a complete guide to the information we hold and describes what is routinely published by us. It can be found on our website at If you do not have access to the internet, a copy of the Scheme can also be obtained from: Can I get access to information about myself or other patients? The Freedom of Information Act does not change the right of individuals to protect their confidentiality. Maintaining this right is an important commitment for us as an NHS Trust and, therefore, this type of information cannot be released under the Freedom of Information Act and requests received would be considered under the Data Protection Act The FOI Office St Michaels House St Michaels Road Sittingbourne ME10 3DW How can I apply for information under the Freedom of Information Act? You must make your request in writing including your name and a contact address so that we can respond to you. You do not need to tell us why you want the information but we will need enough information from you to correctly identify and find what you are looking for. Your request should be sent to: foi@kmpt.nhs.uk 13

14 How quickly must the information be provided to me? 2 The information must be provided within 20 working days. This time begins on the day your request has been received by the Trust Is there a charge for the information to be supplied? Ordinarily we will not charge to supply you with information however, the Act sets out an appropriate limit on the time spent to respond to a request for information. If we believe that this limit may be exceeded by the work required to retrieve or collate the information requested, we may choose to either refuse to continue with the request or charge for the information to be supplied. We will notify you as soon as possible if this is the case. How do I query any refusal to provide the information I have requested? If the Trust has refused to provide information, it will have also advised you of its reasons for doing so. If you do not agree with these reasons, you may apply to the FOI Office for an internal review of these reasons by an independent person. If you remain dissatisfied, you can also apply to the Complaints Manager to challenge the decision, see the section entitled Compliments, Complaints and Appeals. If you are still unhappy after your internal review and complaint have been concluded, you can contact the Information Commissioner. The Information Commissioner may order the disclosure if he feels that the refusal was not justified. 14

15 Compliments, Complaints and Appeals We are always looking at ways to improve our communication and the services provided by the Trust. As a result, you may find that you are asked to complete or take part in a satisfaction survey. We welcome your feedback and encourage the completion of such surveys if they are received. If you would like to request a decision to be reconsidered or make an appeal against the outcome of a request for information, please write to: The Information Rights Manager St Michaels House St Michaels Road Sittingbourne ME10 3DW If you would like to raise a concern or make a complaint about the way in which your enquiry has been handled or about our Publication Scheme, these should be made in writing and in the first instance addressed to: The Complaints Manager Trust Headquarters Farm Villa Hermitage Lane Maidstone Kent ME16 9PH You are also free to contact the Information Commissioner directly for advice or guidance or to further your concerns. They have responsibility for ensuring organisations comply with the legislation surrounding accessing both corporate and personal information and can be contacted at: The Information Commissioner Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF Tel: casework@ico.gsi.gov.uk Further Information If you have any questions that this booklet does not answer for you, or would like to know more about Information Governance and how it affects you please contact the Information Rights Department on or write to us at St Michaels House, St Michaels Road, Sittingbourne ME10 3DW To ensure security and confidentiality, we are unable to give out identifiable information over the telephone and appreciate your understanding of this. KM