NHSScotland Caldicott Guardians: Principles into Practice

Foundation manual for NHS Scotland Caldicott Guardians

9. Appendices - Supplementary Guidance and Advice

9.1 The Guardian as a Gatekeeper

Once a Caldicott Guardian has procedures and systems in place to control access to patient information, the Guardian should have responsibility for agreeing who should have access to what. Although it is necessary to be realistic about the pace at which existing systems and procedures can be changed if there are significant resource implications, the introduction of the new procedures can provide the opportunity to set high standards from the outset.

9.2 Access Control

9.2.1 Access control is essential for ensuring that only authorised persons have:

  • Physical access to computer hardware and equipment;
  • Access to computer system utilities capable of over-riding system and application controls;
  • Access to manual files containing confidential information;
  • Access to computer files and databases containing confidential information about individuals.

9.2.2 Whilst the introduction of appropriate procedures and systems is likely to fall to information security officers, facilities management and building security etc., it is important that Caldicott Guardians are aware of current organisational capacity and intentions, through the management audit. Detailed guidance on access controls can be found on the Caldicott Guardian website and also in the NHSS Information Security Policy.

9.3 Physical Access Controls

Physical security protection should be based on defined physical parameters and achieved through a series of strategically located barriers throughout the organisation. Critical installations should be protected, at the minimum, by lock and key with only authorised staff permitted access.

9.3.1 This is primarily a concern for the information security officer and is covered in detail in the NHS Information Security Policy (NHSHDL (2006) 41).

9.4 Access to Confidential Information about Individuals

9.4.1 Access to person identifiable information should be restricted to those staff who have a justifiable need to know in order to effectively carry out their jobs. The Caldicott Principles underpin the approach that NHS organisations should develop and introduce at a pace that is sustainable locally.

  • Principle 1 - Justify the purpose(s) for using confidential information
  • Principle 2 - Only use it when absolutely necessary
  • Principle 3 - Use the minimum that is required
  • Principle 4 - Access should be on a strict need to know basis
  • Principle 5 - Everyone must understand their responsibilities
  • Principle 6 - Understand and comply with the law

9.4.2 Registered access levels can be used to further limit the access of authorised persons to the minimum information that they need to carry out the task or function. This is particularly relevant to information that is held electronically, but the principles apply to all records, e.g. staff that need access to manual files for filing purposes should not need to access the information already contained within the files.

9.4.3 There are also legal restrictions on those who may see certain patient-identifiable information. Only staff whose responsibilities include treatment of individual patients with such diseases, or those who are involved more widely with the treatment or prevention of disease, such as those employed by public health departments, should be permitted access to such information. Organisations should therefore develop procedures for filtering out and/or anonymising relevant records. (See safe-havens below.)

9.5 Information/Data "Ownership"

9.5.1 It is best practice for each physical set of information, e.g. manual files, or logically discrete set of electronically held information e.g. a database, to be assigned to an "owner". The information security officer should keep an up to date register of data "owners" and the Guardian should be provided with a copy. A number of responsibilities should be associated with ownership, including:

  • Identifying all the information/data in the set
  • Identifying and justifying to the satisfaction of the Guardian, how the information/data can be used
  • Agreeing with the Guardian who can access the information/data and what type of access each user is permitted

9.5.2 Details of other responsibilities of "data owners" - e.g. information classification, security measures and compliance with Data Protection legislation can be found within the NHSS Information Security Policy.

9.6 Access Levels and Registration

There should be formal and documented user registration and de-registration procedures, for access to all person-identifiable information held in confidence, where multiple users need access. Again, although this is mainly applicable to electronically held information, the principles extend to manual files.

9.6.2 It is particularly important that it is clear, at any point in time, just who should have access to what information. It should be possible to immediately change or remove the access rights of individuals who have changed jobs or left the organisation, and a formal process to regularly review users' access rights should be established. For information held in electronic form, each user should have a unique identifier (user-ID) for their personal and sole use. A unique user-ID ensures that all activities on the system can be traced to the individual responsible and audits of activity undertaken. Each user should also have a password. As long as they are kept secret, passwords are an effective and easily introduced security measure. Detailed guidance on the use and management of passwords, aimed primarily at information security officers, is included within the NHS Information Security Policy.

9.6.3 Ideally, systems should permit users to be given different levels of access, and this requirement should be carefully borne in mind when introducing new systems or upgrading old ones. The example given above of the access required by a filing clerk demonstrates that the principle can be applied to manual records as easily as to those held on a computer. Procedures for checking that the level of access granted to an individual is appropriate and justifiable, in the context of the business purpose, should be put in place and the Guardian's approval sought (see Information "Ownership" above).

9.7 Incidents and Security Breaches

Detailed guidance on the management of security incidents is included within the NHSScotland Information Security Policy - NHSHDL (2006) 41 and is largely the responsibility of the Information Security Officer. Guardians should ensure, however, that all security incidents involving the unauthorised disclosure of confidential personal information are reported both to themselves and to their Chief Executive. Where appropriate, advice on the handling of such breaches of confidence should be sought from the Scottish Government eHealth Directorate.

9.8 Safe-Havens

9.8.1 To support the introduction of access controls within an organisation and adherence to legal restrictions on the disclosure of certain information, a useful model to adopt for routine flows of information is the use of designated safe-havens. This model requires confidential information to be disclosed or accepted through designated safe-haven contact points.

9.8.2 When information is received, access controls and registered access levels agreed by the Guardian should then determine which staff within the organisation should have access to what information (see Controlling Access). When information is disclosed by a designated safe-haven point to an equivalent point in another organisation, staff can be confident that agreed protocols will govern the use of the information from that point on.

9.8.3 Where it is not practicable for patient information to be routed in this way, the staff involved must be made aware of any relevant protocols and take responsibility both for adhering to them and for drawing the attention of others to the standards that should apply. This is particularly relevant when information is shared to directly support patient/client care, as a perception that another organisation does not adhere to the same rules of confidentiality can put barriers in the way of information sharing and undermine the effective provision of seamless care.

9.8.4 Safe-haven arrangements originated to support contracting procedures, and detailed guidance was provided in MEL(92)42. The safe-haven model should, over time, be extended to cover all procedures for transferring confidential patient/client information between organisations when the purpose is not directly related to the provision of care. Guardians should work with the information security officer and staff familiar with safe-haven procedures to consider how the wider use of these procedures might be promoted across the organisation.

9.8.5 Retention and disposal of information should be in line with the Scottish Government Health Department guidance.

9.8.6 The key principles, updated to incorporate the Guardian role, are that:

  • Each organisation should establish safe-haven administrative arrangements to safeguard confidential person-identifiable information. This includes having one designated contact point per physical site. Ideally, all information exchanged between NHS organisations should pass between safe-haven contact points.
  • All members of staff (including, for example, switchboard operators and post room staff) should be made aware, at least in general terms, of the policies and procedures surrounding safe-haven access.
  • Safe-haven procedures should be fully documented, approved by the Guardian and agreed by senior management.
  • Safe-haven procedures should be comprehensive and cover:
    • Management arrangements
    • Staff roles and responsibilities
    • Physical location and security
    • Procedures for handling information
    • Controls on disclosure of information
    • Storage, archiving and disposal of information

9.9 Privacy Impact Assessment

Projects that involve personal information or intrusive technologies inevitably give rise to privacy concerns. The cumulative effect of many such initiatives during recent decades has resulted in harm to public trust and to the reputations of organisations.

Where the success of a project depends on people accepting, adopting and using a new system, process or programme, privacy concerns can raise significant risks to organisations. In order to address these risks, it is advisable to use a risk management technique commonly referred to as a Privacy Impact Assessment (PIA).

Purpose of PIA: to identify at an early stage of project development potential privacy risks so that steps to mitigate these risks can be designed into the project.

When: A PIA should be conducted at an early stage of a project.

Compliance checks, on the other hand, are usually performed later, after business processes and rules have been specified sufficiently that they can be assessed for their compliance with the law.

How: Integrate the PIA within the project plan as a whole, or within broader risk assessment and risk management activities.

How much effort: The scale of effort that is appropriate to invest in a PIA depends on the circumstances. A project with large inherent risks warrants much more investment than one with a limited privacy impact. Other projects may merely need a check of their compliance with privacy laws, and in particular with the provisions of the Data Protection Act.

Who: The PIA is carried out by the Project or Programme Manager, taking advice from the Information Governance specialists within the organisation.

Role of Caldicott Guardian: Needs to be involved in any new projects relating to patient identifiable information:

  • establish information flows
  • ensure that data quality standards are being met and
  • protocols relating to security and information sharing are in place.

Further Information: The ICO Privacy Impact Assessment (PIA) handbook is available at:
