Information handling and classification policy

1 Introduction

Rotherham, Doncaster and South Humber NHS Foundation Trust (hereafter referred to as ‘the trust’) is dependent on information in order to conduct its business, be it the delivery of patient care, corporate functions, or other purposes.

2 Purpose

This policy sets out the trust’s approach to information handling and classification, in keeping with legislative, regulatory and other obligations. Different types of information carry varying degrees of sensitivity and need to be handled accordingly. The proper classification of information assets is vital to ensure appropriate and proportionate controls to keep information secure.

Adherence to this policy will provide the trust with assurance that correct information classification and handling methods are being applied in order to facilitate effective patient care.

3 Scope

This policy sets out the defined approach to demonstrate good practice in marking records for all types of information in all media which may be handled, shared, stored, and disposed of. This includes information technology (IT) and electronic communications systems, paper records, phone and voice conversations, photographs, recording tapes, CCTV footage, entry passes and medical records such as X-rays.

All NHS records (including email and electronic documents) are public records under the terms of the Public Records Act 1958, sections 3(1) to (2), and must be kept in accordance with the following statutory and NHS guidelines:

  • The Public Records Act 1958 and 1967.
  • The Data Protection Act 2018.
  • The Freedom of Information Act 2000.
  • The Common Law Duty of Confidentiality.
  • NHS Code of Practice: Confidentiality.
  • NHSX Records Management Code of Practice 2021.

Guidance on the management of NHS records is provided by the NHSE Records Management Code of Practice (2021), which sets out a schedule of minimum retention periods for many types of record and is based on legal requirements and professional best practice. This policy adopts the retention and review guidance in that document. Further information on record retention and destruction, including timescales, is detailed in the records management policy.

This policy shall be reviewed every three years, or sooner in response to significant changes arising from security incidents, variations in law, and/or changes to organisational or technical infrastructure.

In the event of a national health emergency such as the COVID-19 pandemic, this policy still applies, unless it is superseded by specific clauses mandated by the trust’s business continuity policy.

4 Responsibilities, accountabilities and duties

This policy applies to all those working for the trust in whatever capacity, including the trust’s employees, volunteers, students, temporary workers, contractors, suppliers and third parties. It applies to third party providers who may hold or process information belonging to the trust, including patient information. Suppliers are expected to follow this approach unless specifically excluded or where conditions have been applied within the procurement process. Hereafter, all of the aforementioned are to be collectively referred to as “employees”.

An employee found to have breached this policy may be subject to the trust’s disciplinary procedure. If an employee has broken the law, they may be subject to prosecution.

5 Procedure or implementation

5.1 Terminology

  • Shall: this term is used to state a mandatory requirement of this policy.
  • Should: this term is used to state a recommended requirement of this policy.
  • May: this term is used to state an operational requirement of this policy.

5.2 Protective markings

Protective marking denotes how a document should be treated, which affects how a document is saved, stored, transferred and whether it may be disclosed.

File markings reflect the level of security measures necessary to protect the information contained within a file or document. It is important that all trust documentation carries the appropriate markings in order to protect privacy and confidentiality. Understanding the status of a file helps readers to make appropriate decisions about distribution and storage.

File markings can be set by the author of a file to ensure that other colleagues are informed of the status of the file. However, such markings will not prevent disclosure of the record under FOI, unless an exemption applies. As a general rule the trust has employed the following classifications for sensitive files:

5.2.1 Strictly confidential

  • Saving: Limited access (personal or restricted drive).
  • Storage: Locked cabinet, locked room.
  • Disclosure: Exempt from public disclosure under FOI. Exempt from personal disclosure under Data Protection Act (DPA).

5.2.2 Confidential

  • Saving: Limited access (personal or restricted access drive).
  • Storage: Locked cabinet, locked room.
  • Disclosure: Exempt from full disclosure under FOI but may be disclosable under DPA.

5.2.3 Private and confidential

  • Saving: Limited access (personal or restricted access drive).
  • Storage: Locked cabinet, locked room.
  • Disclosure: Exempt from full disclosure under FOI but may be disclosable under DPA.

5.2.4 Personal and confidential

  • Saving: Personal drive.
  • Storage: Locked cabinet, locked room.
  • Disclosure: Exempt under FOI. Disclosable to the individual under the DPA.

5.2.5 Sensitive (includes personal information of a particularly private nature and commercially sensitive information)

  • Saving: Limited access (personal or restricted access drive).
  • Storage: Locked cabinet, locked room.
  • Disclosure: May be currently exempt under FOI but disclosable at a later date. Disclosable to the individual under DPA (unless exempt).

The overall policy for healthcare on restrictive marking is set by the Cabinet Office and is called the government security classification scheme (GSCS). It applies across all government, including the NHS and relevant partners. From 2014 onwards, all information below SECRET level is to be classified OFFICIAL. Individuals are expected to take more personal responsibility for thinking about the security of the information they handle.

The trust shall comply with the GSCS. There are four GSCS principles:

5.2.1 GSCS principle 1

  • All information that HMG needs to collect, store, process, generate or share to deliver services and conduct government business has intrinsic value and requires an appropriate degree of protection.
  • The GSCS provides three levels of security classification, these are:
    • OFFICIAL: the majority of information that is created or processed shall be security classified as OFFICIAL. This includes routine business operations and services, some of which could have damaging consequences if lost, stolen or disclosed inappropriately
    • a limited subset of OFFICIAL information could have more damaging consequences (for individuals, the NHS or the Government generally) if it were lost, stolen or published in the media. Where information is identified as such, it shall still be managed within the OFFICIAL classification tier but shall attract additional measures (generally procedural or personnel) to reinforce the ‘Need-to-Know’ (NTK). In such cases, where there is a clear and justifiable requirement to reinforce the NTK, assets shall be conspicuously marked OFFICIAL-SENSITIVE
    • SECRET: very sensitive information that justifies heightened protective measures to defend against a higher level of threat shall be marked as SECRET. For example, where compromise could lead to the disruption or loss of emergency and health care capabilities, loss of public trust in the NHS, or significant loss of reputation to the NHS with significant coverage by the national and international press. There is a significant step-up between OFFICIAL and SECRET
    • TOP SECRET: HMG’s most sensitive information, requiring the highest levels of protection from the most serious threats, shall be marked as TOP SECRET. For example, where compromise could lead to the complete breakdown of trust by the public in the NHS, a complete loss of emergency and health care capabilities and total loss of reputation in the NHS, with widespread condemnation by both the national and international press, or requiring a major government intervention and/or a public inquiry
  • It is recognised that only an extremely small number of organisations will produce or have access to any information above OFFICIAL. Guidance relating to SECRET and TOP SECRET is included in this policy for the sake of completeness.

5.2.2 GSCS principle 2

  • Everyone who works with the NHS (including employees, contractors and service providers) has a duty of confidentiality and a responsibility to safeguard any information or data that they access, irrespective of whether it is marked or not, and shall be provided with appropriate training.
  • Accidental or deliberate compromise, loss or misuse of classified information by employees may lead to internal disciplinary action and may constitute a criminal offence. In general, people will face such action only if they have been careless or reckless with information.

5.2.3 GSCS principle 3

  • Access to sensitive information shall only be granted on the basis of a genuine “need-to-know” (NTK) and an appropriate personnel security control.
  • The compromise, loss or misuse of sensitive information could have a significant impact on an individual, the NHS, or on government business more generally. Colleagues shall ensure that access to security classified information is to be no wider than necessary for the efficient conduct of trust business and limited to those with a business NTK.

5.2.4 GSCS principle 4

  • Assets received from or exchanged with external partners must be protected in accordance with any relevant legislative or regulatory requirements, including any international agreements and obligations.
  • Where information is received from external agencies, the trust shall ensure that it is protected in line with its security classification. The trust shall also ensure that all owned or held information is correctly marked with the appropriate security classification in order to ensure that if it is shared with partner organisations and external agencies, it will be afforded the correct level of protection.

There is no requirement to retrospectively reclassify or remark existing information, data or systems with the new security classification markings. Unless specified, colleagues should maintain current levels of control.

It is recommended that as a minimum, the four GSCS principles listed above are included in any security training carried out by the trust.

Under the NHS code of practice all patient information is to be treated as CONFIDENTIAL. All documentation is held to be OFFICIAL; consequently, there is no requirement to explicitly mark routine information with the OFFICIAL classification.

In addition, the NHS Code of Practice defines descriptors applicable to data produced by, or relevant to, the conduct of NHS business and activity, as follows:

  • COMMERCIAL, to identify market-sensitive information, including that which is subject to statutory or regulatory obligations that may be damaging to the trust
  • PERSONAL, to identify personal data defined under the Data Protection Act (2018), the release or loss of which could cause harm, distress or detriment to the individual(s) to whom it relates
  • LOCSEN, to identify information which is locally sensitive to the trust itself or to a recipient trust or other organisation within the NHS

5.3 Roles and responsibilities

All employees with access to the trust’s equipment and information (electronic, paper and other records) are responsible for ensuring the safety and security of trust equipment and the information that they use or manipulate.

All employees shall take personal responsibility to apply the GSCS and the NHS code of practice for the protective marking of the trust’s documentation and other data media. This includes personal information that is required to be protected under data protection or other legislation.

All employees must respect and abide by the relevant statutory obligations and protections, including the Data Protection Act (DPA) 2018 (and therefore the General Data Protection Regulation (GDPR)), Freedom of Information Act 2000, Official Secrets Act, and the Public Records Act.

All employees who handle sensitive assets must understand the impact of these legal frameworks and how they relate to their role. Access to information is limited to a need-to-know basis in line with the Caldicott principles.

All employees are required to complete annual information governance training via an online e-learning package and e-assessment to ensure competence and compliance, as described in the information governance policy. This training shall cover the importance of handling sensitive information assets correctly and applying document classification.

Assets received from or exchanged with external partners or third parties shall be protected in accordance with any relevant legislative or regulatory requirements, including any international agreements and obligations. Where information is received from external agencies, the trust shall ensure that it is protected in line with its security classification.

Where removable media is deployed for the storage or transfer of information, it shall carry a protective marking in keeping with the sensitivity of the data held upon it. Details are contained in the removable media policy.

Accidental or deliberate compromise, loss or misuse of classified information by staff may lead to internal disciplinary action and may constitute a criminal offence. Incidents shall be reported and handled in accordance with the information security incident management policy.

Information asset owners (IAOs) are responsible for identifying any sensitive information within their data holdings and for putting in place appropriate business processes to ensure that information is handled appropriately. The role of the IAO is set out in the information governance policy. IAOs in turn should receive appropriate training and guidance to enable them to discharge these duties, and should take into account the potential impact of compromise or loss of data, as well as any specific statutory requirements.

All colleagues shall comply with the policies established by the trust in order to ensure appropriate protection for the data to which they have access. Guidance relating to the DPA and associated legislation is contained in the data protection regulations policy.

5.4 Key controls

Guidelines for the secure handling of information are set out in the code of practice on confidential information.

Key controls shall be applied in accordance with the sensitivity of the information and in keeping with the information risk management policy. Controls may be physical, procedural or technical.

Within the trust these controls are led by the chief information officer (CIO), supported by the head of information governance and guided at unit level by the IAOs, and include the following:

  • information shall be made available for all authorised purposes and protected from unauthorised access
  • IAOs shall set the appropriate data classification and access as well as retention details, in accordance with the records management policy
  • safeguards shall be deployed to ensure the integrity of information to assure users that information has not been tampered with or otherwise corrupted
  • controls on personal data shall safeguard the data privacy rights of all individuals on whom the trust holds personal data, in accordance with the data protection regulation policy
  • support and guidance are made available to enable everyone to manage information securely
  • applicable legal and regulatory requirements are met
  • breaches of information security, actual or suspected, shall be investigated and, if appropriate, suitable cost-effective measures shall be introduced to prevent recurrence of incidents. Deliberate breaches of information security policy may result in disciplinary action being taken
  • where practicable active monitoring of systems shall be undertaken
  • line managers shall implement the policy within their area of responsibility and shall monitor the level of risk within their information systems in support of the compliance process

6 Training implications

6.1 All staff DSA

  • How often should this be undertaken: upon commencement of employment and annually thereafter.
  • Length of training: one and a half hours.
  • Delivery method: E-learning or face to face.
  • Training delivered by whom: IG or NHS Digital e-learning package.
  • Where are the records of attendance held: ESR.

7 Monitoring arrangements

7.1 Policy

  • How: Review of best practice against the policy will be undertaken annually through auditing.
  • Who by: Head of information governance.
  • Reported to: Information governance group and health informatics group.
  • Frequency: Annually.

There is a mandatory requirement that all trusts and providers to the NHS complete an annual return under the NHS data security and protection toolkit (DSPT). This aims to ensure that the 10 data security standards set out by the national data guardian are being met.

NHS trusts are expected to provide a declaration of maturity regarding information handling to be included in their annual report. This should be supported by regular monitoring led by the chief information security officer (CISO) or CIO with the IAOs and supported or coordinated by the information governance manager.

The trust shall conduct periodic testing of information security handling procedures to maintain and improve employee awareness of the procedures and the actions required. This should include procedures with third parties or suppliers.

8 Equality impact assessment screening

To access the equality impact assessment for this policy, please see the overarching equality impact assessment.

8.1 Privacy, dignity and respect

The NHS Constitution states that all patients should feel that their privacy and dignity are respected while they are in hospital. High Quality Care for All (2008), Lord Darzi’s review of the NHS, identifies the need to organise care around the individual, ‘not just clinically but in terms of dignity and respect’.

As a consequence, the trust is required to articulate its intent to deliver care with privacy and dignity that treats all service users with respect. Therefore, all procedural documents will be considered, if relevant, to reflect the requirement to treat everyone with privacy, dignity and respect (when appropriate this should also include how same sex accommodation is provided).

8.1.1 How this will be met

No issues have been identified in relation to this policy.

8.2 Mental Capacity Act 2005

Central to any aspect of care delivered to adults and young people aged 16 years or over will be the consideration of the individuals’ capacity to participate in the decision-making process. Consequently, no intervention should be carried out without either the individual’s informed consent, or the powers included in a legal framework, or by order of the court.

Therefore, the trust is required to make sure that all employees working with individuals who use our service are familiar with the provisions within the Mental Capacity Act (2005). For this reason all procedural documents will be considered, if relevant, to reflect the provisions of the Mental Capacity Act (2005), to ensure that the rights of the individual are protected, that they are supported to make their own decisions where possible, and that any decisions made on their behalf when they lack capacity are made in their best interests and are least restrictive of their rights and freedoms.

8.2.1 How this will be met

All individuals involved in the implementation of this policy should do so in accordance with the principles of the Mental Capacity Act (2005).

10 References

  • The Public Records Act 1958 and 1967.
  • The Data Protection Act 2018.
  • The Freedom of Information Act 2000.
  • The Common Law Duty of Confidentiality.
  • NHS Code of Practice: Confidentiality.
  • NHSX Records Management Code of Practice.

Document control

  • Version: 2.
  • Unique reference number: 607.
  • Date approved: 13 August 2024.
  • Approved by: Digital transformation CLE group.
  • Name of originator or author: DPO or head of IG.
  • Name of responsible individual: Director of health informatics or SIRO.
  • Date issued: 14 August 2024.
  • Review date: 31 August 2027.
  • Target audience: All employees.

Page last reviewed: October 29, 2024
Next review due: October 29, 2025