Skip to main content

Information governance employee code of conduct

Contents

1 Introduction

This code of conduct sets out clear guidance and the Information Governance standards expected of colleagues working for Rotherham Doncaster and South Humber NHS Foundation Trust.

All employees working in the trust, including temporary colleagues such as all contractors, voluntary employees, and students are bound by a legal duty of confidence to protect personal information they may come into contact with during the course of their work.

This is not just a requirement of your contractual responsibilities but also a requirement within the Data Protection Act 2018 (see legislation below), the Common Law Duty of Confidentiality and the NHS Confidentiality Code of Practice 2003 and any other appropriate professional codes of conduct.

This means that employees are obliged to keep any personal identifiable information strictly confidential, for example, patient and employee records. It should be noted that employees also come into contact with non-person identifiable information which should also be treated with the same degree of care, for example, business in confidence information such as patient referral letters, discharge summaries, waiting list data, workloads and clinic lists.

Disclosure and sharing of personal identifiable information is governed by the requirements of Acts of Parliament and the Common Law Duty of Confidentiality. There are exceptions where it is sufficient in the public interest to warrant a breach of disclosure, for example in relation to a serious crime or in instances to prevent serious harm or abuse.

Trust responsibilities and accountabilities

Senior information risk owner (SIRO)

The SIRO (Richard Banks, Director of Health Informatics) is accountable for information risk throughout the organisation.

Caldicott guardian

The Caldicott Guardian (Dr Diarmid Sinclair, Deputy Medical Director) is responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing.

Data protection officer (DPO)

The DPO (Caroline Britten, Head of Information Governance) will assist in monitoring internal compliance, inform and advise on data protection obligations, provide advice regarding data protection impact assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority.

2 Legislation

The UK General Data Protection Regulations (UKGDPR) and Data Protection Act 2018 (DPA18) dictates when we can use personal data, what we need to tell individuals about what we hold, how we use personal data and how quickly we need to respond in the event of a personal data breach.

The GDPR and DPA18 also requires us to demonstrate how we comply with the Regulation and introduces stricter fines for non-compliance, up to 4% of an organisation’s total income or 20 million euros, whichever is greater.

3 Principles of UK General data protection regulation (GDPR) or Data Protection Act (2018)

Lawful, fair and transparent processing

This principle emphasises transparency for all EU data subjects. When the data is collected, it must be clear as to why that data is being collected and how the data will be used. Organisations also must be willing to provide details surrounding the data processing when requested by the data subject. For example, if a data subject asks who the data protection officer is at that organisation or what data the organisation has about them, that information needs to be available.

Purpose limitation

This principle means that organisations need to have a lawful and legitimate purpose for processing the information in the first place.  Consider all the organisations that require forms with 20 fields, when all they really need is a name, email, shipping address and maybe a phone number. Simply put, this principle says that organisations shouldn’t collect any piece of data that doesn’t have a specific purpose and those who do can be out of compliance.

Data minimisation

This principle instructs organisations to ensure the data they capture is adequate, relevant and limited. In this day and age, businesses collect and compile every piece of data possible for various reasons, such as understanding customer buying behaviours and patterns or remarketing based on intelligent analytics. Based on this principle, organisations must be sure that they are only storing the minimum amount of data required for their purpose.

Accurate and up-to-date processing

This principle requires data controllers to make sure information remains accurate, valid and fit for purpose. To comply with this principle, the organisation must have a process and policies in place to address how they will maintain the data they are processing and storing. It may seem like a lot of work, but a conscious effort to maintain accurate customer and employee databases will help prove compliance and also prove useful to the business.

Limitation of storage in the form that permits identification

This principle discourages unnecessary data redundancy and replication.  It limits how the data is stored and moved, how long the data is stored, and requires the understanding of how the data subject would be identified if the data records were to be breached. To ensure compliance, organisations must have control over the storage and movement of data. This includes implementing and enforcing data retention policies and not allowing data to be stored in multiple places.

For example, organisations should prevent users from saving a copy of a customer list on a local laptop or moving the data to an external device such as a USB.  Having multiple, illegitimate copies of the same data in multiple locations is a compliance nightmare.

Integrity, confidential and secure

This principle protects the integrity and privacy of data by making sure it is secure (which extends to IT systems, paper records and physical security).  An organisation that is collecting, and processing data is now solely responsible for implementing appropriate security measures that are proportionate to risks and rights of individual data subjects.

GDPR also introduces the principle of accountability:

Accountability and liability

This principle ensures that organisations can demonstrate compliance. Organisations must be able to demonstrate to the governing bodies that they have taken the necessary steps comparable to the risk their data subjects face.  To ensure compliance, organisations must be sure that every step within the GDPR strategy is auditable and can be compiled as evidence quickly and efficiently.

For example, GDPR requires organisations to respond to requests from data subjects regarding what data is available about them.  The organisation must be able to promptly remove that data, if desired.  Organisations not only need to have a process in place to manage the request, but also need to have a full audit trail to prove that they took the proper actions.

4 Caldicott principles

In addition to the UK GDPR and DPA18 principles above, colleagues working in the NHS handling patient information, whether you are requesting, using or disclosing confidential patient information should, at all times, be aware of and comply with the Caldicott Principles below, these are:

4.1 Justify the purpose of using confidential information

Every proposed use or transfer of patient-identifiable information within or from an organisation should be clearly defined.

4.2 Only use it when absolutely necessary

Patient-identifiable information should not be used unless there is no alternative.

4.3 Use the minimum necessary personal confidential data

Where use of patient-identifiable information is considered to be essential, each individual item of information should be justified with the aim of reducing identifiability.

4.4 Access should be on a strict need-to-know basis

Only those individuals who need access to patient-identifiable information should have access to it, and they should only have access to the information items that they need to see.

4.5 Everyone must understand their responsibilities

All those who handle patient-identifiable information should be made aware of their responsibilities and obligations to respect patient confidentiality.

4.6 Understand and comply with the law

Every use of patient-identifiable information must be lawful. Every NHS organisation should have someone responsible for ensuring that the organisation complies with legal requirements.

4.7 The duty to share information can be as important as the duty to protect patient confidentiality

Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

4.8 Inform patients and service users about how their confidential information is used

A range of steps should be taken to ensure no surprises for patients and service users, so they can have clear expectations about how and why their confidential information is used, and what choices they have about this. These steps will vary depending on the use: as a minimum, this should include providing accessible, relevant and appropriate information – in some cases, greater engagement will be required.

If you have any concerns about disclosing, sharing patient, or colleague information you must discuss this with your manager in the first instance or, if you are uncertain whether disclosure of information can take place, contact the Caldicott guardian or Information Governance team.

5 The common law duty of confidentiality

All colleagues working for the trust also have a common law duty of confidentiality.

Common law is not written out in one document like an Act of Parliament.  It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  1. where the individual to whom the information relates has consented
  1. where disclosure is in the public interest
  1. where there is a legal duty to do so, for example, a court order

Therefore, under the common law, a healthcare provider wishing to disclose a patient’s personal information to anyone outside the team providing care should first seek the consent of that patient.

Where this is not possible, an organisation may be able to rely on disclosure being in the overriding public interest. However, whether a disclosure is in the public interest is not a decision to be taken lightly.  Solid justification is required before individual rights are set aside, and specialist or legal advice should be sought before the information is disclosed. Any decision to disclose should be fully documented.

If a disclosure is made which is not permitted under common law the patient can bring a legal action not only against the organisation but also against the individual responsible for the breach.

6 Information governance

RDaSH have an information governance policy and management framework that sets out at a high level how we comply with the UK GDPR and DPA18. All colleagues are responsible for complying with the information governance policy and management framework.

Service managers and heads of departments are responsible for ensuring that colleagues follow trust policies, processes and guidance.  In practice, this means managers should make colleagues aware of such documents and, where appropriate, advise colleagues where those processes should be followed.

RDaSH provides a team of information governance and data protection colleagues to help all colleagues to comply with their information governance responsibilities. Specifically, the team will support colleagues through designing training, policies and guidance and offering specialist advice to colleagues in their respective areas.

6.1 Data security and protection (IG) training

Information governance knowledge and awareness is at the core of the organisations objectives, without this the ability of the organisation to meet legal and policy requirements will be severely impaired.

To ensure organisational compliance with the law and central guidelines relating to information governance all colleagues are mandated to complete annual data security and protection (IG) training.

6.2 Collecting and using personal data

6.2.1 Data minimisation

  • Consider whether you need personal data to achieve your objective.
  • Only collect or use the minimum amount of personal data needed for your specific business objective.

6.2.2 Transparency

  • Ensure individuals have been given information about how and why we use their personal data, how long we hold onto their data, who we share it with, the trust’s responsibilities under the DPA18 and their rights in relation to their data under that Act (‘the fair processing information’).

6.2.3 Internal disclosure

  • Only share personal data with other teams where those teams have a genuine business need to access the personal data.
  • Only share the minimum amount of personal data with those teams who need to deliver their business objective.
  • If you are using the data for an entirely new purpose, you should also complete data privacy impact assessment (DPIA) screening questions to identify whether a data privacy impact assessment (DPIA) should be undertaken.

6.2.4 External disclosures

  • Colleagues may receive a broad range of requests from external organisations to disclose personal data, such requests should be passed to the information governance team who will co-ordinate the disclosure.

6.3 Information governance data breaches or incidents

A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Data means information in any form papers records, emails, faxes etc.  Examples of personal data breaches can include, forwarding a spreadsheet of patient data to an unintended recipient (external or internal) or a theft of sensitive documents left in an unlocked room.

Personal data breaches must be reported as soon as possible following the incident.

  • If you know or suspect a personal data breach or incident may have occurred complete an incident form or contact a member of the IG team.
  • The IG team member will ask you for detail about the circumstances of the breach, the type of data involved and, who that data relates to and potential impact on individuals affected.
  • Under UK GDPR and DPA18, RDaSH is subject to a strict 72-hour timescale in which to report such breaches to the regulator, the information commissioner’s office. The trust could be subject to a substantial fine for failure to report within this period.
  • It is important to remember that the 72-hour timeframe starts from the moment any individual in the organisation discovers that a personal data breach has occurred.

6.4 Abuse of privilege

Colleagues must not abuse their position by viewing any information regarding, ‘VIPs or celebrities’, unless they are directly involved in their care. Colleagues must not disclose the fact that anyone famous or not is using trust services.

It is strictly forbidden for employees to look at any information relating to their own, family, friends, work colleagues or acquaintances records.

In cases where a close friend, partner, spouse or relative is, or becomes, a service user or patient, it is the responsibility of the employee to inform their line manager that such a relationship exists. The line manager will discuss the situation with the employee and agree an appropriate course of action. It may be appropriate for the service user/patient to be treated by another clinician or team, or, in the case of an inpatient admission, for the employee to be moved to another area for the duration of the service users or patient’s treatment.

Employees must not access the service user records, as this will be classified as non-authorised access to clinical records and will be considered a breach of trust policy, which could result in dismissal in accordance with the disciplinary policy.

If you have concerns about this issue, please discuss with your line manager.

6.5 Social networks and blogs

Social networking sites, such as Facebook, Twitter, TikTok and Instagram, are a very popular way for people to communicate with one another.

What is important to bear in mind is that what you post online is in the public domain. Even if you have made your profile only viewable to friends, what you write can still be seen by others. So, a tirade that may seem harmless to you, might be interpreted differently by others.

Here are some considerations you may wish to apply when using these sites. It is important to remember particularly in the NHS, patient confidentiality is essential!

A guide to help make sure you do not inadvertently break the law, or breach RDaSH policies:

  • do not make disparaging or inappropriate comments about the trust, its patients or your colleagues on a social networking site
  • never identify patients in your care, or post information that may identify a patient
  • if you use sites like Facebook, Twitter, TikTok or Instagram, do make sure that only friends and people you know can see your information. You can also stop your profile or information from appearing on search engines like Google. This way not everyone is going to be able to read what you post
  • If you are a qualified healthcare professional, do read the requirements and, or guidance laid down by your professional body, for example, NMC, GMC etc.
  • if you are required to take photographs or use a video for work purposes, ensure you have permission and do not include any personal identifiable information. These must not be uploaded onto any social media sites.  Inappropriate postings on social networks which are detrimental to other employees or could bring the trust into disrepute may result in disciplinary action being taken

6.6 Carelessness

  • Do not talk about patients or colleagues in public places or where you can be overheard.
  • Do not leave any medical records or confidential information, including diaries, unattended.
  • Make sure that any computer screens, or other displays of information, cannot be seen by the general public.

6.7 Internal and external mail

Best practice with regard to confidentiality requires that all correspondence containing personal information should always be addressed to a named recipient.

This means personal information or data should be addressed to a person, a post holder, a consultant or a legitimate safe haven, but not to a department, a unit or an organisation. In cases where the mail is for a team it should be addressed to an agreed post holder or team leader.

Internal mail containing confidential data should only be sent in a securely sealed envelope, and marked accordingly, for example, “Confidential” or “Addressee Only”, as appropriate. Colleagues should ensure when internal mail is received, they check who this mail is for and that it goes to the correct individual.

External mail must also observe these rules. Special care should be taken with personal information sent, such as patient records on paper, memory stick or other media.  These should be sent by courier or by recorded or registered post, to safeguard that these are only seen by the authorised recipient(s). In some circumstances it is also advisable to obtain a receipt as proof of delivery, for example, copy of patient records sent to a solicitor.

Generally, mail is franked with a return address, but in instances where this does not occur, ensure that a return address is printed on the outside of the envelope to prevent post being inappropriately opened where addresses are incorrect.

6.8 Storing confidential information

Paper-based confidential information should always be kept in a secure environment and preferably in a room that is locked when unattended, particularly at nights and weekends or when the building or office is not occupied for a long period of time.

Electronically held confidential information must not be saved onto local hard drives, but onto secure network drives.  Where confidential information must be stored on removable media, for example, USB memory sticks, then it must be encrypted in line with the minimum Department of Health and Social Care standards, which are supplied by the trust only. For further details please contact the information governance team or the IT service desk.

When information is saved to a network drive then access to that information must be on a strict ‘need to know’ basis.

6.9 Disposal or destruction of confidential information

When disposing of paper-based confidential information always use the confidential waste bins provided. Keep the waste in a secure place until it can be collected for secure disposal.

Removable media containing confidential information must be reformatted or securely destroyed; this can be arranged by contacting the IT service desk.

Computer hard disks must be destroyed or disposed of by the IT department.

6.10 Mobile working

RDaSH understands that colleagues now often work away from their usual work locations, such as home working, for this reason the following principles have been developed which must be adhered to at all times:

  • no person identifiable or commercially sensitive information should be worked on remotely unless connected securely via the virtual private network (VPN)
  • users should connect to the network via the organisation’s VPN.
    A VPN is a computer network that uses the internet to provide individual users with secure access to their organisation’s network.
    The VPN provides a secure communication between the organisation’s owned hardware (for example, laptops) connected to non-NHS networks and the organisation’s network. The capability to utilise VPN is automatically included in the build of all the organisation’s laptops and is comparable to utilising a PC to access information
  • no information should be saved to the hard drive of a laptop, to a USB stick or to any other removable media for the purpose of remote working. This is not an authorised procedure, and this practice should cease with immediate effect
  • emailing work as attachments to either personal accounts or work account is not an approved method of working remotely and must not take place
  • accessing information belonging to the organisation in publicly accessible areas is discouraged, due to the threats of ‘overlooking’ and theft of equipment. Colleagues are responsible for ensuring that unauthorised individuals are not able to see information or access systems
  • computer equipment should never be left unattended when logged in and switched on and must be securely locked away when not in use
  • Records and equipment must always be transported in a secure way, for example, in a sealed container, briefcase, kept in the boot of the car and not visible to the general public. Records must be securely locked as soon as practicable and should not be left in the boot of the car overnight
  • if physical records are taken from their base location to enable mobile working, they should be tracked to ensure their location can be identified

6.11 Home working

When working from home colleagues need to ensure the following are considered and remember that there is personal liability under the law and your contract of employment for breach of these requirements:

Ensure you have authority to take any records away.  This will normally be granted by your line manager.

  • If you are taking manual records, please ensure there is a record that you have these records, where you are taking them to, the purpose for taking them and when they will be returned. This is particularly important for records that may contain sensitive data, for example patient or employee records.
  • Make sure when travelling home that they are put in the boot of the car out of sight (ensuring that the vehicle is locked when unoccupied) or carried on your person while being transported from your workplace to your home.
  • While at home you have personal responsibility to ensure the records are kept secure and confidential. This means that other members of your family and, or your friends and colleagues must not be able to see the content or outside folder of the records.
  • You must not let anyone have any access to the records.
  • When returning the records to work the same procedure must be carried out, as above.
  • Laptops containing personal identifiable information must be secured at all times, especially in transit.
  • Any loss of records or data bearing media, such as laptops, must be reported immediately to your line manager as soon as the loss is known.
  • If appropriate the police should also be informed.

7 Subject access requests (access to personal information)

Every living person (or their authorised representative) has the right to access information or records held about them by an organisation.

The record can be in manual (paper files) or in computerised form and may include such documentation as handwritten notes, letters, reports, imaging records, photographs, DVD and sound recordings.

Under GDPR and DPA18 information requested must be provided without delay and at the latest within one month of receipt.

Failure to comply and provide information requested under GDPR could result in a substantial fine.

The maximum fine that can be issued by the information commissioner’s office (ICO) is 4% of an organisation’s global turnover or 20 million euros, whichever is higher. Individuals also retain the right to pursue a claim in court.

A SAR must be made in writing; however, the requestor does not need to mention the UK GDPR and DPA18 or state that they are making a SAR for their request to be valid. They may even refer to other legislation, for example, the Freedom of Information Act 2000, but their request should still be treated according to this policy.

A SAR can be made via any of, but not exclusively, the following methods:

  • email
  • fax
  • post
  • social media
  • trust website

Requests for information held about an individual must be directed immediately to the IG team.

8 Freedom of information

The Freedom of Information Act (2000) came into effect for all public authorities in January 2005. Since then, all requests for corporate information have had to be answered in accordance with the Freedom of Information (FOI) Act 2000 or the Environmental Information Regulations 2004 (EIR).

The Freedom of Information Act gives a general right of access to all types of corporate recorded information held by public authorities, if you are unsure about a request for information contact the FOI team in the first instance.

A request for information under the general rights of access must be:

  • received in writing
  • state the name of the applicant and an address for correspondence
  • clearly describe the information requested
  • a request can also be made electronically via email

The deadline for a public authority to respond to requests made under the Act is 20 working days, it is therefore vital that all requests are forwarded to the IG team immediately.

9 Information security

Data stored electronically in trust information systems is critical to patient care and vital to the smooth running of the organisation.

It is essential that each of us play our part in protecting the confidentiality, integrity and security of our information.

Everyone who works for the trust have responsibility for protecting the security of our systems.

Colleagues are required to understand the appropriate usage of the systems available to them and their responsibilities regarding the creation and storage of data within those systems. Colleagues are to adhere to the policies and guidance available, such as the information security for starters, movers and leavers policy, and the suite of information governance and records management policies (NHS staff access only) (opens in new window).

Failure to comply with the guidance contained in this document may lead to disciplinary action.

9.1 Your passwords

You will have been provided with passwords to enable you to access systems.

Always keep your passwords secure by:

  • never writing them down
  • never sharing them with others
  • changing them regularly

If you suspect that any of your passwords have become known to any other person or if you lose your smart card, you must report this immediately to the IT service desk.

9.2 Keeping our computers secure

The security of our equipment is one of the keys to the safety of our information.

  • When you leave your computer unattended, even for a short while, always lock it and remove your smartcard.
  • You can lock your computer by pressing the “Ctrl, Alt and Delete keys together” and then selecting “Lock”.
  • Take extra care to keep mobile devices secure at all times. Never leave them unattended in a public place or unsecured office. Data must only be stored on laptops or memory sticks provided by the trust (as these are suitably encrypted) unless an exception has been approved in writing by the senior information risk owner (SIRO).
  • Devices that are not supplied by the trust must not be used to access computers or networks without authorisation from the IT department.
  • Never install any software not provided by the trust onto its systems unless approved by the IT department.
  • Do not allow anyone who doesn’t work for the trust to use our equipment unless approved by the SIRO.

9.3 Smart cards

Your smartcard provides you with the level of access to information you require as part of your role. Smartcards are issued to individual employees and must only be used by the person whose name is on the card.

Accessing information using another person’s smartcard is against the law, even if you are authorised to have access to the information.  Users of smartcards must follow the terms and conditions of use, these can be found on the smartcard application form (RA01).

Care must be taken by everyone issued with a smartcard to keep it secure and protect their pin against discovery, cards should be treated with care and protected to prevent any loss or damage.

9.4 Using electronic mail

Most of us use email to communicate with our colleagues.  This makes communication very easy and quick, but there are risks and you need to be aware of how to ensure that your messages remain secure:

  • only use the email system supported by the trust, NHS.net (NHSmail)
  • always re-read your message before sending, checking that it is addressed to the correct person
  • if you are unsure of where a message has come from or if it contains an unexpected attachment, do not open it, and contact the IT service desk for advice immediately
  • be aware of the dangers of hoax emails and those that request personal details. Always report these to the IT service desk
  • never respond to an email asking for a password
  • never send material that is discriminatory, sexist or contains offensive material (including joke emails)
  • do not write something in an email that you would not write in a letter, email has the same legal status

Whilst we have all experienced the speed of email, it is not always an instant communication, and you should not assume that sent messages are received without further confirmation from the recipient. This is particularly important when sending urgent messages or those with large or unusual attachments.

9.4.1 Emailing personal confidential data (PCD)

You should be particularly careful when emailing PCD. As noted above, emailing from a nhs.net email address to another nhs.net address is secure.

Confidential information or data must never be transmitted over the internet unless the data is encrypted.

9.5 Using the internet

For many of us, the Internet is regularly used to provide a key source of information to help us in our daily work. However, it is important to follow some rules to ensure that our information remains safe and secure:

  • when using the Internet, programs may be automatically downloaded and run. If you are concerned about the way a program is behaving, contact the IT service desk for advice
  • ensure that any material that you download complies with any copyright restrictions and does not contain discriminatory, sexist or offensive material
  • don’t assume that all information found on the internet is necessarily accurate or up to date
  • if you are using a password protected application over the Internet always ensure that you are accessing a secure internet site

9.6 Personal use and social networking

The trust accepts that colleagues may, on occasions, need to deal with pressing personal tasks during working hours and therefore a limited amount of personal use of email and access to the internet is permitted.

You should ensure that you are familiar with the policy on personal use and adhere to the published guidance at all times. Specifically:

  • you should not use this facility for any outside commercial or business activity
  • you should not engage in extensive social activities such as chat rooms, gaming, blogging or auctions
  • personal use of social networking sites should be kept to a minimum and accessed only outside your working hours

Whenever and wherever you engage in computer activity, including outside the trust you must not:

  • reveal confidential information about patients, colleagues or the trust
  • attack or abuse colleagues
  • use defamatory, derogatory or offensive comments especially about colleagues or patients
  • engage in activities that might bring the trust into disrepute

9.7 Specialist applications

You may be using specialist software applications within your work area; in which case you should comply with all specific training and documentation that will have been provided to you.

We need to know where data is stored throughout the trust and therefore you must not set up any independent databases or spreadsheets containing personal confidential data without first consulting the information governance team or your line manager.

9.8 Monitoring computer activity

You should be aware that the trust actively monitors all computer activity to maintain the effective operation of the systems and to comply with any legal obligations.

Electronic documentation and records of activity may be disclosed if required by law.

9.9 Virus protection

Whilst virus protection software is in operation, you can help to prevent an infection by:

  • immediately deleting any spam or chain emails without opening them
  • not opening or forwarding emails or files from unknown sources
  • not opening unexpected attachments received by email

If you suspect that your computer has been infected with a virus, have any doubts about an email attachment or experience unusual system behaviour, you should contact the IT service desk for advice.

For more help or for any further questions please contact the information governance team.

10 Information governance code of conduct sign off form

Acknowledgement of your personal responsibility concerning the security and confidentiality of information relating to patients, employees and the organisation:

Please complete the information governance code of conduct sign off form (staff access only) (opens in new window).

11 Glossary of terms

Definitions
Term Definition
Anonymisation It is the process of either encrypting or removing personally identifiable information from data sets, so that the people whom the data describe remain anonymous
Business continuity plans (BCP) Documented collection of procedures and information that is developed, compiled and maintained in readiness for use in an incident to enable an organisation to continue to deliver its critical activities at an acceptable defined level
Caldicott guardian (CG) A senior person responsible for protecting the confidentiality of patient and service user information and enabling appropriate information sharing
CareCERT NHS England’s Care Computer Emergency Response Team (CareCERT). CareCERT will offer advice and guidance to support health and social care organisations to respond effectively and safely to cybersecurity threats
Code of conduct A set of rules to guide behaviour and decisions in a specified situation
Common law The law derived from decisions of the courts, rather than acts of Parliament or other legislation
Care quality commission (CQC) This is an organisation funded by the government to check all hospitals in England to make sure they are meeting government standards and to share their findings with the public.
Data controller The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data processor A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Data Protection Act 1998 (DPA 1998) An act for the regulation of the processing of information relating to living individuals, including the obtaining, holding, use or disclosure of such information
Data Protection Act 2018 (DPA18) Act replaced DPA 1998 above
Data protection impact assessment (DPIA) A method of identifying and addressing privacy risks in compliance with GDPR requirements
Data protection officer (DPO) A role with responsibility for enabling compliance with data protection legislation and playing a key role in fostering a data protection culture and helps implement essential elements of data protection legislation
Data security and protection toolkit (DSP toolkit) From April 2018, the DSP toolkit will replace the information governance (IG) toolkit as the standard for cyber and data security for healthcare organisations
Data sharing agreement  A contract outlining the information that parties agree to share and the terms under which the sharing will take place
Freedom of Information Act 2000 (FOI) The Freedom of Information Act 2000 provides public access to information held by public authorities
General Data Protection Regulation (GDPR) The General Data Protection Regulation (GDPR)
Information asset owner (IAO) Information asset owners are directly accountable to the SIRO and must provide assurance that information risk is being managed effectively in respect of the information assets that they ‘own’
Information assets Includes records and documents that contain key information to the organisations business
Information commissioner’s office (ICO) The information commissioner’s office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals
Individual funding requests (IFR) Application to fund treatment or service not routinely offered by NHS
Key performance indicators (KPIs) Targets which performance can be tracked against
Pseudonymisation The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person
Record lifecycle Records life-cycle in records management refers to the stages of a records “life span”: from its creation to its preservation (in an archives) or disposal
Senior information risk owner (SIRO) Board member with overall responsibility for:

  • the information governance and data security and protection policies
  • providing independent senior board-level accountability and assurance that information risks are addressed
  • ensuring that information risks are treated as a priority for business outcomes
  • playing a vital role in getting the institution to recognise the value of its information, enabling its optimal effective use
Subject access request (SAR) A subject access request (SAR) is simply a written request made by or on behalf of an individual for the information which he or she is entitled to ask for under the Data Protection Act

Document control

  • Version: 1.
  • Approved by: Corporate policy approval group.
  • Name of originator or author: Head of information governance.
  • Name of responsible individual: Information governance group
  • Date issued: 2019.
  • Target audience: All colleagues, including temporary and contractors, working for or on behalf of Rotherham, Doncaster and South Humber NHS Foundation Trust (RDaSH).
  • Description of change: To outline the standards and expectation of staffs’ compliance and expected code of conduct of all colleagues working for Rotherham, Doncaster and South Humber NHS Foundation Trust (RDaSH).
  • Action required: All colleagues are required to read and sign the declaration at the back of this staff code of conduct. Signing the declaration does not confirm that you are aware of everything but confirms that you have read it and know where to refer back to in the future if required.

Page last reviewed: December 16, 2024
Next review due: December 16, 2025

Problem with this page?

Please tell us about any problems you have found with this web page.

Do not include personal or medical information in your message. For example, your name, NHS number, date of birth or medical history.