Information Governance Policy IN-101 - WhatDoTheyKnow · Information Governance Policy June...
Transcript of Information Governance Policy IN-101 - WhatDoTheyKnow · Information Governance Policy June...
Ref No IN-101
INFORMATION GOVERNANCE POLICY
AREA: Trust Wide
POLICY SPONSOR: Director of Finance & Performance Management
IMPLEMENTED: October 2009
REVISED: June 2011
DUE FOR REVIEW: May 2015
Date Approved Audit Committee (as endorsement
delegated minuted by Trust Board) 28 October 2009
CE signed off following Board endorsement
28 October 2009
EMT approval of amendments 21 June 2011
TO BE APPROVED BY:
Staff Side approval November 2011
DISSEMINATED TO:
Added to Intranet by:
Gail Taylor Date added:
1 Dec 11
Directorate: Risk Management
Information Governance Policy June 2011/IN-101Page 2
CONTENTS 1 INTRODUCTION
2 INFORMATION HANDLING & PROCESSING 3 DATA QUALITY 4 PROPOSED INFORMATION SYSTEM PROCUREMENTS 5 TRUST DEFINITION OF PERSONALLY IDENTIFIABLE DATA (PID) 6 CHANGES TO INFORMATION GOVERNANCE/SECURITY
ARRANGEMENTS 7 CHANGES TO SERVICE ACTIVITIES THAT MAY IMPACT ON
SYSTEMS’ AVAILABILITY 8 FREEDOM OF INFORMATION ACT 9 USE OF INFORMATION WITHIN THE TRUST 10 USE OF INFORMATION BETWEEN THE TRUST & ITS PARTNERS 11 INFORMATION GOVERNANCE BREACHES & POLICY MONITORING 12 ORGANISATIONAL PROCESS CHANGE, SERVICES & SYSTEMS
IMPLEMENTATION 13 PRIVACY IMPACT ASSESSMENT (PIA) APPENDICES Appendix A MAJOR CHANGE REQUEST FORM Appendix B MINOR CHANGE REQUEST FORM Appendix C EQUALITY IMPACT ASSESSMENT FORM Appendix D PIA PROCESS MAPS Appendix E PIA TEMPLATES
Information Governance Policy June 2011/IN-101Page 3
1 INTRODUCTION 1.1 This document has been produced to set out the Trust’s general use of
information and the governance surrounding it, in line with NHS Standards for Better Health guidance (evidence of which will be provided annually by the Trust in the Information Governance Toolkit).
1.2 The Trust, through its policies, systems and procedures recognises the need to
ensure that everyone within the organisation understands the need for effective information governance to manage, control or eliminate information risks.
1.3 The Trust recognises the importance of information governance and the necessity to provide guidance and support regarding it in the delivery of care to service users. Various operational aspects of information governance and information use as they relate to specific areas and activities are documented and linked in the relevant Trust policies.
1.4 These principal policies are;
� Integrated Service User Records Policy � Safeguarding Clinical Information Policy � Policy for Consent to Examination or Treatment � Policy on Sharing Information with Service Users and Carers � Dorset Interagency Management of Service User Information (Confidentiality) � Memorandum of Understanding between Dorset Police and Dorset
HealthCare NHS Foundation Trust � Data Protection Act 1998 Access to Health and Social Care Records Policy, � IT Acceptable Use Policy � Removable Media and Secure Email Policy � Laptop, Handheld Personal Computer & Other Portable IT Equipment Policy � Disposal of surplus or condemned / scrap items � NPfIT Smartcard Registration Authority Process Policy � Interim Guidance for staff: Electronic Recording of DHFT Service User Care
Plans currently recorded on Continuum � Code of Practice for making and Showing Photographic Video & audio
Recordings of Patients � Policy for the Production and Management of Information for Service Users
and Carers � Research & Development Policy � Use of CCTV with Dorset HealthCare � Contracts and Contractors
1.5 By ensuring relevant policy is present for staff the Trust is able to provide
assurance to service users & their carers, partner organisations (both current and prospective) and our regulatory bodies that the Trust continues to comply with NHS Standards for Better Health’s information governance requirements & information governance best practice guidelines, (including the annual Information Governance Toolkit framework and requirements).
Information Governance Policy June 2011/IN-101Page 4
2 INFORMATION HANDLING & PROCESSING
2.1 Everyone in the Trust has a responsibility for information risk management, regardless of their job role or position. It is the duty of all staff to be aware of the issues surrounding confidentiality, and to seek advice, in the first instance from line managers, if uncertain how to deal with them appropriately.
2.2 The Trust has a duty, as under some Acts do staff as individuals, to handle data and information in accordance with legal obligations, including the provisions of the Data Protection Act 1998, Common Law Duty of Confidentiality, Human Rights Act 2000, Computer Misuse Act 1990 and Freedom of Information Act 2000.
2.3 Staff can ensure their compliance under the law by following Trust policies and the NHS best practice they incorporate.
2.4 In addition to its legal requirements Trust policies in respect of information governance shall also take heed of NHS best practice in this area e.g. NHS Confidentiality – Code of Practice, NHS Records Management Code of Practice 2006, NHS Litigation Authority Risk Management Standards, Standards for Better Health, Serious Adverse Incidents (SAI’s).
2.5 Trust employs a number of systems to protect data, staff and service continuity. However, it is each staff member’s individual’s responsibility not to undertake any activity on Trust equipment that might compromise data security and/or confidentiality.
2.6 The Trust shall employ effective arrangements to maintain the confidentiality and security of data. These include;
� staff receive appropriate training before being permitted access to computer systems
� ensure application security and password access protections
� provide effective anti-virus and anti-malware software to ensure
system access and data security are maintained
� ensure the secure sending of emails to protect personally identifiable data and prevent the sending of insecure email traffic.
� prevent the unintentional or intentional loss of personally identifiable data and other information from our network, in particular;
o ensure the secure encryption of all electronic removable media and portable computing devices
o restrict the connection of removable media devices to our network to only authorised devices
Information Governance Policy June 2011/IN-101Page 5
� ensure the physical security of the computer equipment and systems
� ensure secure and appropriate storage and access to paper records
� ensure computer network resilience and allow for the disaster
recovery of systems and data 3 DATA QUALITY
3.1 Data quality is the responsibility of all staff handling data. The Trust shall seek to
improve its data quality by exception reporting, where possible, to line managers incidences of known or suspected poor data quality, but any staff who have cause for concern over the reliability or accuracy of the data they are handling or processing shall bring this to the attention of their line manager in the first instance.
4 PROPOSED INFORMATION SYSTEM PROCUREMENTS 4.1 Any system, computerised or manual, that may hold personally identifiable data
(PID), including PID relating to service users, carers or staff, shall be considered by the Executive Management Team (EMT) before its procurement. The definition of PID is set out in section 5 of this Policy.
4.2 Information governance aspects to be considered by EMT for each proposed
system where it is intended, or likely in the future, to contain PID will be that;
� strong access controls are present � audit trails and monitoring of user activity are present � arrangements for data backup and system resilience are
understood � how data is to be considered for continuing relevance & secure final
deletion/archiving is understood � confidentiality clauses are to be present in respect of any third party
services employed in the development, installation or maintenance of the system
� secure access to, rather than transfer of, data is present wherever practicable
� whether, if involving data on large numbers of individuals, penetration testing should occur
� if accreditation applies to the system that this has been obtained prior to procurement
� the system’s forensic investigative readiness procedure is understood
� the system will not adversely impair any other existing system’s availability or the data communications bandwidth between Trust sites
Information Governance Policy June 2011/IN-101Page 6
4.3 The Trust endorses the proactive use of information to improve service delivery and the quality of care it provides. Information within the Trust should be of the highest quality possible (taking into account the cost effectiveness of achieving this standard) in respect of its accuracy, timeliness and relevance.
4.4 In supporting these goals it may not be possible to secure full assurance on the
above points in every case for new systems, but the EMT shall ensure that risk management and mitigation is present for each to an acceptable level.
5 TRUST DEFINITION OF PERSONALLY IDENTIFIABLE DATA (PID)
5.1 Personally identifiable data or information (PID) is anything that contains the
means to identify a person, e.g. name, address, postcode, date of birth, NHS number, National Insurance number, photograph etc.
5.2 The Caldicott Committee: Report on the Review of Patient-identifiable
Information, December 1997 states:
“All items of information which relate to an attribute of an individual should be treated as potentially capable of identifying patients and hence should be appropriately protected to safeguard confidentiality” These items include:
Surname Forename
Initials Address
Date of Birth Other dates (e.g. death, diagnosis)
Postcode Occupation
Gender NHS Number
National Insurance Number Ethnic Group
Local Identifier (e.g. Trust PAS index number, GP practice number)
Telephone Number
or anything else that may be used to identify a service user, carer or staff member directly or indirectly. For example, rare conditions, drug treatments or statistical analyses which have very small numbers within a small population may allow individuals to be identified.
6 CHANGES TO INFORMATION GOVERNANCE/SECURITY ARRANGEMENTS 6.1 Any proposed changes to information governance/security arrangements shall be
assessed by the EMT in respect of their potential impact on service delivery, staff and service users before implementation.
Information Governance Policy June 2011/IN-101Page 7
7 CHANGES TO SERVICE ACTIVITIES THAT MAY IMPACT ON SYSTEMS’ AVAILABILITY
7.1 Any change in service provision activities, e.g. accessing or supply of video
across the Trust network that may adversely impact on the availability of existing service support and/or information systems must be assessed for impact by the EMT.
8 FREEDOM OF INFORMATION ACT 8.1 The Trust will undertake to make non-confidential information widely available in
line with its responsibilities under the Freedom of Information Act. The procedures for staff to follow in the event of a request for information being made under the Act are set out in the trust’s intranet within the Directorate of Quality’s Protocol on Freedom of Information Act 2000.
9 USE OF INFORMATION WITHIN THE TRUST
9.1 The Trust supports the proactive use of information within the organisation and shall maintain an Information Governance Strategy to prioritise its support and development.
9.2 In addition to relevant policy, staff in their day to day use of information shall adhere to the six general Caldicott Principles when considering their use of data
1. Justify the purpose of retaining patient identifiable information. 2. Do not use patient identifiable information unless it is absolutely necessary. 3. Use the minimum necessary patient identifiable information. 4. Only access patient identifiable information on a strict 'need to know' basis. 5. Be aware of your responsibilities regarding patient identifiable information. 6. Understand and comply with the law
9.3 If any member of staff is unclear as to his or her responsibilities in respect to any
of these principles they should seek advice, in the first instance from their line manager.
10 USE OF INFORMATION BETWEEN THE TRUST & ITS PARTNERS
10.1 The usage of service user data between partner organisations is principally
covered within the relevant Trust policies set out in section 1.4.
10.2 The circulation of anonymised data and general performance data outside the Trust shall always be subject to established procedures, normally as provided for within statute, contractual agreements or requirements set down by our regulator Monitor. The Trust supports the proactive use of information to support patient care however any provision of such data, or similar, shall not occur outside the
Information Governance Policy June 2011/IN-101Page 8
Trust without the prior permission of an Operational Director, Chief Executive or Director of Finance & Performance Management.
10.3 To avoid duplication and ensure consistency requests for service delivery
information from our partner organisations should be processed through the Trust’s General Manager Business Development and Corporate Assurance/Board Secretary.
11 INFORMATION GOVERNANCE BREACHES & POLICY MONITORING 11.1 Any breaches of information governance generally, or failure to adhere to the
provisions of this policy, may lead to disciplinary action and shall be subject to the Trust’s normal Adverse Incident Record form reporting process.
11.2 In respect of data loss or confidentiality breaches the Trust shall, in accordance
with NHS Standards for Better Health, comply with the Trust Annual Report disclosure; Serious Untoward Incident reporting processes and disclosure to the Office of the Information Commissioner as appropriate, depending upon the severity of the incident(s) concerned.
11.3 Any breach Adverse Incident system reported that may require reporting under any of these provisions shall be brought to the attention of the EMT in the first instance by the General Manager Business Development and Corporate Assurance/Board Secretary.
11.4 The effectiveness of this Policy, and the information governance provisions of other Trust policies, shall be principally monitored by the extent to which Adverse Incident reported breaches are presented to the EMT.
12 ORGANISATIONAL PROCESS CHANGE, SERVICES, SYSTEMS AND
INFORMATION ASSET IMPLEMENTATION 12.1 The objective of this element of the Information Governance Policy is to have in
place procedures to ensure that prior to the implementation of processes, services, systems and other information assets the change is monitored and risk assessed by the Information Governance Steering Committee (IGSC).
It is vitally important that the impact of any proposed changes to the organisations
processes and/or information assets are assessed to ensure that the confidentiality, integrity and accessibility of personal information is maintained.
12.2 There are two processes for Information Asset changes depending on the scale
and level of risk associated with the proposed implementation:
1. Major Changes: This process encompasses changes which will have a major effect on Information Assets for example:
Information Governance Policy June 2011/IN-101Page 9
� Installing a brand new system (hardware, software etc) � Replacing an existing system (hardware, software etc) � Opening of a new ward/unit � Transfer of premises for an existing ward/unit � Significant changes to the working environment (e.g. An office move
that will result in an increased level of foot traffic in and around sources of confidential information)
2. Minor Changes: This process encompasses changes which will have a minor
effect on Information Assets for example: � Upgrades or updates to a system (hardware, software etc) � Small changes to the working environment (e.g. Temporary change to
working conditions as a result of work undertaken by a third party contractor)
As part of the process if appropriate a privacy impact assessment should be carried out whenever a new process or information asset is likely to involve a new use or significantly change the way in which personal data is handled. See section 13.
12.3 The Change Implementation Process will involve:
� The completion of an appropriate Change Request Form (Appendix A & B)
� Form sent to the IGSC for circulation prior to the next available IGSC meeting
� If required, attendance at the IGSC meeting by the Information Asset Owner or equivalent for discussion with IGSC pending approval
� In the event that the change is not approved feedback will be provided to the requester in order that appropriate action can be taken in the form of resubmission etc.
12.4 It is important that proposed changes to the organisation’s processes and/or
Information Assets are approached in a structured way which ensures that the introductions of such changes are introduced in a secure and considered manner.
Structured project management means managing the project in a logical, organised way, following defined steps e.g. utilising PRINCE2 methodology for major system changes.
13 PRIVACY IMPACT ASSESSMENT (PIA) 13.1 The objective of the Privacy Impact Assessment is for all new project, processes
and systems to comply with confidentiality, privacy and data protection requirements. The purpose of the PIA is to highlight to the organisation any associated privacy risks.
Information Governance Policy June 2011/IN-101Page 10
13.2 A Privacy Impact Assessment is a structured assessment of the potential impact
on privacy for new or significantly changed processes. The PIA should form part of the overall risk assessment of any process or project.
13.3 A PIA should be undertaken at the start of a project, before new processes or
systems are introduced. 13.4 The key deliverable of a PIA is a report that details impacts identified and the
solutions or actions that will deal with them.
13.5 The appointed Information Asset Owner (IAO) for the new information system is required to produce the PIA. The IG Steering Committee is responsible for receiving and reviewing the PIA on behalf of the Trust.
13.6 In order to conduct the PIA process, a decision tree is shown in Appendix D. 13.7 An Initial Assessment needs to be undertaken to determine whether a PIA is
necessary for a project and, if so, what level of PIA is required whether a full-scale PIA, a small-scale PIA or just a check against compliance with the law.
Before adequately answering the Screening Questions, the following information must be gathered:
� Project outline – depending on project status this can range from a single sheet summary to a full business case.
� Stakeholder analysis – this should include the key groups that may have an interest in or be affected by the project or other work activity.
� Environmental scan – this involves benchmarking other similar projects or cases where the intended technology has been utilised. It may also be useful to consider other PIAs which have already been undertaken within the Trust.
A Screening Process can then be carried out to determine which Privacy Impact Assessment to carry out.
13.8 There are 3 types of Privacy Impact Assessments:
� Full-scale PIA � Small-scale PIA � Data Protection Compliance check
Full-Scale PIA
� These require more extensive consultation with stakeholders and the Project Board than small-scale PIA’s
� A PIA consultative group will need to be formed of the project’s stakeholders to discuss the privacy impact in detail.
� The documentation is more formalised for a full-scale PIA.
Information Governance Policy June 2011/IN-101Page 11
� A Privacy and Data Protection Compliance Check will also need to be completed for a full-scale PIA.
Small-Scale PIA
� These are less formalised and require less resources to complete. � It is more likely focused on specific aspects of a large-scale project rather
than a project as a whole. � A Privacy and Data Protection Compliance Check will also need to be
completed for a small-scale PIA.
Data Protection Compliance check
� A Data Protection Compliance check must be completed if a new or significantly changed process that involves person identifiable data is introduced.
The templates in Appendix E should be used as a basis for any full-scale, small-scale PIA and compliance check.
13.9 It is suggested that the five phases of conducting the PIA process are:
� Preliminary phase – review outcomes and documents from the initial assessment; hold preliminary discussions with relevant parts of the organisation, any key participating organisations and advocates for stakeholder groups; prepare project background paper.
� Preparation phase – develop consultation plan; devise communication processes.
� Consultation and analysis phase – implement the consultation plan; identify design issues and privacy problems; document the problems and actions in an issues register.
� Documentation phase – consolidate the mitigation measures into a final version of the issues register; produce a PIA report which documents the PIA process and includes analysis of issues, justification of any privacy intrusion, lessons learned and expected outcomes.
� Review and audit phase - ensure that the design features arising from the PIA are implemented and are effective; prepare a review report to publish.
It is recommended that the PIA Handbook is referred to for guidance. It is available using the following link:
http://www.ico.gov.uk/upload/documents/pia_handbook_html_v2/index.html
Information Governance Policy June 2011/IN-101Page 12
APPENDIX A: MAJOR CHANGE REQUEST FORM
Major Change Request FormVersion control: V1 Mar 2011
Created by: Information Governance Officer
Requester: IGSC Chair: Head of IT/Caldicott Guardian: IGSC Member:
Date: Date: Date: Date:
1. Description of change to information asset and details if necessary of the tool used to approach to the project
2. Why is the change needed?
3. What are the advantages of the change?
8. Timetable for implementation
5. What are the risks of implementing this change?
4. What are the disadvantages of the change?
6. What are the risks of NOT implementing this change?
This form constitutes the formal log of a change and must be kept as a record of that changes history. A copy must be kept by the
Information Asset Owner and also by the Information Governance Steering Committee. Form must be received by the Head of
Information a mimimum of one week before the next IGSC meeting. This date should be a minimum of four weeks before the
proposed implementation date for Major Changes and two weeks before the proposed implementation date for Minor changes.
Reference Number (Completed by IGSC):
Change required to: Information System/Hardware/Ward/Unit/Other
Information asset owner:
Request received from:
Has the IGSC stated that a PIA should be completed prior to
implementation Y/N:
Details:
Process change approved for implementation Y/N:
Details:
Signed and agreed by:
7. What are the potential impacts both positive and negative on the service and its users?
Resource and effort involved in implementation:
Proposed implementation date:
The following section is to be completed at the IGSC meeting where the proposed change is reviewed and assessed prior to
implementation.
Information Governance Policy June 2011/IN-101Page 13
APPENDIX B: MINOR CHANGE REQUEST FORM
Minor Change Request FormVersion control: V1 Mar 2011
Created by: Information Governance Officer
Requester: IGSC Chair: Head of IT/Caldicott Guardian: IGSC Member:
Date: Date: Date: Date:
The following section is to be completed at the IGSC meeting where the proposed change is reviewed and assessed prior to
implementation.
2. Main reason for change
This form constitutes the formal log of a change and must be kept as a record of that changes history. A copy must be kept by the
Information Asset Owner and also by the Information Governance Steering Committee. Form must be received by the Head of
Information a mimimum of one week before the next IGSC meeting. This date should be a minimum of four weeks before the
proposed implementation date for Major Changes and two weeks before the proposed implementation date for Minor changes.
Reference Number (Completed by IGSC):
Request received from:
Information asset owner:
Change required to: Information System/Hardware/Ward/Unit/Other
1. Description of change to information asset
Has the IGSC stated that a PIA should be completed prior to
implementation Y/N:
Process change approved for implementation Y/N:
Details: Details:
Signed and agreed by:
8. Timetable for implementation
Proposed implementation date:
Resource and effort involved in implementation:
Information Governance Policy June 2011/IN-101Page 14
APPENDIX C: EQUALITY IMPACT ASSESMENT FORM
DORSET HEALTHCARE NHS FOUNDATION TRUST EQUALITY IMPACT ASSESSMENT FORM
Department/Service area: Trustwide
Policy Sponsor: Director of Finance & Performance Management
Name of the policy/protocol: (please attach a copy)
Information Governance Policy
Intended Outcome/s of Policy: To set out the Trust’s general use of information and the governance surrounding it, in line with NHS Standards for Better Health guidance
If no evidence of high negative impact has been identified, the Equality Impact Assessment has been completed. A signed hard copy and electronic copy should be kept within your department for audit purposes. Signed by Writer/Reviewer: … R Jackson … Signed by Sponsor: R Jackson Name (print) ………………………………….. Name (print)
Date completed: 27 October 2009
Positive Impact
Negative Impact Groups.
High Low High Low
Evidence / justification for your decision.
Gender and transgender groups.
�
�
policy equally applicable to all staff with no gender sensitive specific aspects
People from Black and Minority Ethnic groups.
�
� policy equally applicable to all staff with no ethnicity sensitive specific aspects
People who have a disability.
�
� Policy equally applicable to all staff with no disability sensitive specific aspects, beyond those already existing in the use of IT and systems with staff with a disability and for which suitable accommodation will already have been made.
People who identify themselves as lesbian, gay or bisexual.
�
� policy equally applicable to all staff with no sexual orientation sensitive specific aspects
People from different age groups.
�
� policy equally applicable to all staff with no age sensitive specific aspects
People who belong to a religion or have particular beliefs.
�
� policy equally applicable to all staff no belief specific aspects
Information Governance Policy June 2011/IN-101Page 15
APPENDIX D: PIA Process Maps PIA Decision Tree
Information Governance Policy June 2011/IN-101Page 16
APPENDIX D: PIA Process Maps
Initial Assessment Process Map
Information Governance Policy June 2011/IN-101Page 17
APPENDIX D: PIA Process Maps
Full Scale and Small Scale PIA Process Map
Information Governance Policy June 2011/IN-101Page 18
APPENDIX E: PIA TEMPLATES
FULL-SCALE PIA QUESTIONS Technology
1) Does the project apply new or additional information technologies that have substantial potential for privacy intrusion?
Identity
2) Does the project involve new identifiers, re-use of existing identifiers, or intrusive identification, identity authentication or identity management processes?
3) Might the project have the effect of denying anonymity and pseudonymity, or converting transactions that could previously be conducted anonymously or pseudonymously into identified transactions?
Multiple organisations
4) Does the project involve multiple organisations, whether they are government agencies (e.g. in ‘joined-up government’ initiatives) or private sector organisations (e.g. as outsourced service providers or as ‘business partners’)?
Data
5) Does the project involve new or significantly changed handling of personal data that is of particular concern to individuals?
6) Does the project involve new or significantly changed handling of a considerable amount of personal data about each individual in the database?
This box will expand as required
Enter the project title here - this box will expand as required
7) Does the project involve new or significantly changed handling of personal data about a large number of individuals?
8) Does the project involve new or significantly changed consolidation, inter-linking, cross-referencing or matching of personal data from multiple sources?
Exemptions and exceptions
9) Does the project relate to data processing which is in any way exempt from legislative privacy protections?
10) Does the project’s justification include significant contributions to public security measures?
11) Does the project involve systematic disclosure of personal data to, or access by, third parties that are not subject to comparable privacy regulation?
Once each of the 11 questions has been answered individually, the set of answers needs to be considered as a whole, in order to reach a conclusion whether a full-scale PIA is warranted. You should also consider, particularly on large projects, whether the whole project or perhaps only key sections should be assessed. If your answers to the above questions indicate that a full-scale PIA is required then you should now undertake compliance checks (see page 20 below) to determine whether these are also required. If your answers indicate that a full-scale PIA is not required then progress to the screening questions for a small-scale PIA.
Information Governance Policy June 2011/IN-101Page 2
SMALL-SCALE PIA QUESTIONS Technology
1) Does the project involve new or inherently privacy-invasive technologies?
Justification
2) Is the justification for the new data-handling unclear or unpublished?
Identity
3) Does the project involve an additional use of an existing identifier?
4) Does the project involve use of a new identifier for multiple purposes?
5) Does the project involve new or substantially changed identity authentication requirements that may be intrusive or onerous?
Data
6) Will the project result in the handling of a significant amount of new data about each person, or significant change in existing data-holdings?
7) Will the project result in the handling of new data about a significant number of people, or a significant change in the population coverage?
Enter the project title here - this box will expand as required
This box will expand as required
Information Governance Policy June 2011/IN-101Page 3
8) Does the project involve new linkage of personal data with data in other collections, or significant changes in data linkages?
Data Handling
9) Does the project involve new or changed data collection policies or practices that may be unclear or intrusive?
10) Does the project involve new or changed data quality assurance processes and standards that may be unclear or unsatisfactory?
11) Does the project involve new or changed data security arrangement that may be unclear or unsatisfactory?
12) Does the project involve new or changed data access or disclosure arrangements that may be unclear or permissive?
13) Does the project involve new or changed data retention arrangements that may be unclear or extensive?
14) Does the project involve changing the medium of disclosure for publicly available information in such a way that the data becomes more readily accessible than before?
15) Will the project give rise to new or changed data-handling that is in any exempt from legislative privacy protections?
Information Governance Policy June 2011/IN-101Page 4
Once each of the 15 questions has been answered individually, the set of answers needs to be considered as a whole, in order to reach a conclusion whether a small-scale PIA is warranted. You should also consider, particularly on large projects, whether the whole project or perhaps only key sections should be assessed. It is important to consider the various perspectives of each of the stakeholder groups involved; this will ensure that potential risks are not overlooked. If your answers to the above questions indicate that a small-scale PIA is required then you should now undertake compliance checks (see below) to determine whether these are also required. If your answers indicate that a small-scale PIA is not required then progress on to the compliance checks. COMPLIANCE CHECKS Privacy and other legal compliance check It is important that the proposed project complies with all relevant privacy-related laws. If
any of the following questions are answered "Yes", then a privacy law compliance check
should be conducted:
1. Does the project involve any activities (including any data handling), that are subject
to privacy or related provisions of any statute or other forms of regulation, other than the
Data Protection Act?
In particular, the following laws and other forms of regulation should be considered, but
the list may not be exhaustive:
• The Human Rights Act 1998
• The Regulation of Investigatory Powers Act 2000 (RIPA) and Lawful
Business Practice Regulations 2000.
• The Privacy and Electronic Communications Regulations 2003
• The Data Retention (EC Directive) Regulations 2007.
• All of the Trust’s relevant policies and procedures.
2. Does the project involve any activities (including any data handling) that are subject to
common law constraints relevant to privacy?
In particular, the following should be considered:
� Confidential data relating to a person, as that term would be understood under
the common law of confidence;
� The tort of privacy as it develops through case law.
Information Governance Policy June 2011/IN-101Page 5
3. Does the project involve any activities (including any data handling) that are
subject to less formal good practice requirements relevant to privacy?
In particular, the following should be considered:
� industry standards, e.g. the BS ISO / IEC 17799:2005 Information Security
Standard;
� Industry codes, e.g. the NHS Code of Practice on Confidentiality.
4. Criteria for Data Protection Act compliance
If the following question is answered ”Yes”, then a Data Protection Act compliance
check should be conducted:
Does the project involve the handling of any data that is personal data, as that term is
used in the Data Protection Act?
‘Personal data’ means data which relate to a living individual who can be identified:
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to
come into the possession of, the data controller, and includes any expression of opinion
about the individual and any indication of the intentions of the data controller or any
other person in respect of the individual (Data Protection Act, s.1).
Note that compliance checking activities are usually conducted reasonably late in the
overall project schedule, once detailed information about business processes and
business rules is available.