Controlled document information
Version number: v0.2
First published: As the Information Governance and Data Compliance Strategy; now a first draft combined with the draft Data Protection Policy
Date updated: July 2024
Next review date: July 2026
Policy prepared by: Board, Governance and Records Manager
Policy Owner: Business Services
Brief summary of changes since previous version: Draft Data Protection Policy added into the wording as discussed in Senior Leadership Team meeting on 16 May 2024. Paragraph 5 amended to refer to Section 7 rather than Section 6, Appendix A wording tweaked from ‘it is worth remembering’ to ‘It is important to note’ (as per comments from the non-executive directors).
Classification: OFFICIAL
Policy Number: HSSIB034
1. Purpose
1.1 The purpose of this policy is to inform Health Services Safety Investigations Body (HSSIB) staff of their Information Governance (IG) and Data Protection (DP) responsibilities and the management arrangements and other policies that are in place to ensure demonstrable compliance.
1.2 This policy is part of a suite of policies which inform staff of their IG and DP responsibilities.
HSSIB can maximise the value of its information assets by ensuring that data is:
- Held securely and confidentially.
- Processed fairly and lawfully.
- Obtained for specific purpose(s).
- Recorded accurately and reliably.
- Used effectively and ethically, and
- Shared and disclosed appropriately and lawfully.
To protect the organisation’s information assets from all threats, whether internal or external, deliberate or accidental, HSSIB will ensure that:
- Information will be protected against unauthorised access.
- Confidentiality of information will be assured.
- Integrity of information will be maintained.
- Information will be supported by the highest quality data.
- Regulatory and legislative requirements will be met.
- Business continuity plans will be produced, maintained, and tested.
- IG training will be available to all staff, and
- All IG breaches, actual or suspected, will be reported to, and investigated by the Board, Governance and Records Manager (BGRM).
2. Scope
2.1 All our staff, including any contracted organisations or individuals and our Board/Committee members, without exception, are within the scope of this policy.
3. Policy Statement
3.1 This policy is supported by a set of IG policies, other relevant IT policies and related procedures to cover all aspects of IG which are aligned with the NHS Digital Data Security and Protection Toolkit requirements.
3.2 Associated IG and IT policies include:
| Policy/Procedure | Description |
|---|---|
| 1. Information Governance and Data Protection Policy (this policy) | This policy sets out HSSIB’s responsibilities with regards to IG and DP. |
| 2. Disclosure of Prohibited Materials Policy | This policy sets out HSSIB’s legislative requirements, as set out by the Health and Care Act 2022. |
| 3. Document and Records Management Policy | This policy promotes the effective management and use of information, recognising its value and importance as a resource for the delivery of corporate and service objectives. |
| 4. Records Retention and Disposal Schedule | This schedule sets out the minimum retention period for document and records held at HSSIB. |
| 5. Freedom of Information Disclosure Policy | This policy sets out the roles and responsibilities for compliance with the Freedom of Information Act and Environmental Information Regulations. |
| 6. Procedure for Managing Personal Data Requests | This procedure sets out the roles and responsibilities for compliance with the General Data Protection Regulation (GDPR) and Data Protection Act. |
| 7. Information Incident Management Policy | This policy sets out the procedure for managing information incidents at HSSIB. |
| 8. Data Protection Impact Assessment (DPIA) Policy, Process and Guidance | This policy sets out the roles and responsibilities for completion of DPIAs. |
| 9. Encryption and Pseudonymisation Policy | Via NHS England. |
| 10. Fair and Acceptable Use Policy | Via NHS England. |
| 11. Bring Your Own Device Policy | Via NHS England. |
HSSIB is developing an area on SharePoint where all the above policies and procedures will be available. Whilst this is being developed, please contact the Board, Governance and Records Manager on ig@hssib.org.uk.
4. Roles and Responsibilities
4.1 Chief Executive Officer
Overall accountability for procedural documents across the organisation lies with the Chief Executive Officer as the Accountable Officer. This includes overall responsibility for establishing and maintaining an effective document management system and the governance of information, meeting all statutory requirements, and adhering to guidance issued in respect of IG and procedural documents.
4.2 Caldicott Guardian
The Director of Investigations is the Caldicott Guardian for HSSIB. The responsibilities of the Caldicott Guardian are:
- Ensure that HSSIB satisfies the highest practical standards for handling patient identifiable information.
- Facilitate and enable appropriate information sharing and make decisions on behalf of HSSIB following advice on options for lawful and ethical processing of information, in relation to disclosures.
- Represent and champion IG requirements and issues at Board level.
- Ensure that confidentiality issues are appropriately reflected in organisational strategies, policies and working procedures for staff.
- Contribute to the arrangements, protocols, and procedures where confidential patient information may be shared with external bodies both within and outside the NHS.
- The Caldicott Guardian is required to be registered on the publicly available National Caldicott Guardian Register.
NB: In the absence of our Director of Investigations, our Chief Executive Officer will deputise for this role.
4.3 Senior Information Risk Owner (SIRO)
The Finance and Performance Director is the Senior Information Risk Owner (SIRO) for HSSIB. The responsibilities of the SIRO are:
- Take overall ownership of HSSIB’s risk management.
- Understand how the strategic goals of HSSIB may be impacted by information risks, and how those risks may be managed.
- Implement and lead the risk management processes within HSSIB.
- Sign off and take accountability for risk-based decisions and reviews with regard to the processing of personal data.
- Advise the Board on the effectiveness of information risk management across HSSIB.
- Receive training as necessary to ensure they remain effective in their role as SIRO.
NB: In the absence of our Finance and Performance Director, our Deputy Director of Investigations will deputise for this role.
4.4 Data Protection Officer
The BGRM is the Data Protection Officer (DPO) for HSSIB. The DPO reports to the SIRO, but also can act independently of the SIRO and report directly to the Board about DP matters. These may include IG risks to the organisation, privacy concerns or recommendations regarding data.
The responsibilities of the DPO are:
- Provide advice to HSSIB and its employees on compliance obligations with DP law.
- Advise on when DP impact assessments (DPIAs) are required.
- Monitor compliance with DP law and organisational policies in relation to DP law.
- Co-operate with and be the first point of contact for the Information Commissioner’s Office.
- Be the first point of contact within HSSIB for all DP matters. The DPO is not pressurised by HSSIB as to how to perform their tasks and is protected from disciplinary action when carrying out those tasks.
- Be available to be contacted directly by data subjects.
- Take into account information risk when performing the above.
NB: In the absence of our BGRM, our Project Manager will deputise for this role.
4.5 Information Asset Owners
Information Asset Owners (IAOs) will:
- Lead and foster a culture that values, protects, and uses information for the benefit of patients and public.
- Know what information comprises or is associated with their asset(s) and understand the nature and justification of information flows to and from the asset.
- Know who has access to the asset, whether system or information, and why, and ensure access is monitored and compliant with policy.
- Understand and address risks to the asset and provide assurance to the SIRO.
- Ensure there is a legal basis for processing and for any disclosures.
- Refer queries about any of the above to the BGRM on ig@hssib.org.uk.
- Ensure all information assets they own are recorded on the Information Asset Register, and
- Undertake specialist information asset training as required.
4.6 Board, Governance and Records Manager
The BGRM will:
- Provide expert advice and guidance to all staff on all aspects of IG.
- Manage the delivery of improvement plans to meet the Data Security and Protection Toolkit assertions.
- Maintain an awareness of IG issues within HSSIB.
- Review and update this IG and DP Policy in line with local and national requirements.
- Review and audit all procedures relating to this policy where appropriate on an ad-hoc basis.
- Develop internal IG and records management (RM) policies and procedures.
- Develop IG awareness and training programmes for staff.
- Ensure compliance with DP, Information Security, and other information related legislation.
- Ensure that line managers are aware of the requirements of this policy.
- Work with the Caldicott Guardian, SIRO and DPO functions to ensure organisational authority and awareness regarding issues relating to DP or confidentiality concerns.
4.7 Line Managers
Line managers will take responsibility for ensuring that the IG and DP Policy is implemented within their team.
4.8 All Staff
It is the responsibility of each employee at HSSIB to adhere to this policy and all associated IG policies and procedures.
Staff will receive instruction and direction regarding the policy from several sources:
- The BGRM.
- Policy and procedure manuals.
- Line manager.
- ESR mandatory training in IG/RM.*
- Other communication methods, for example, team meetings.
- HSSIB intranet/SharePoint.
*All staff must undertake mandatory IG training on an annual basis.
5. Data Protection Responsibilities for HSSIB
HSSIB is required to collect and process personal data in order to carry out its investigations and fulfil its statutory remit under the Health and Care Act 2022.
Personal data held by HSSIB will include, but is not limited to:
- patient data (including medical records)
- employee data (present, past, and prospective)
- supplier data
- education trainee data
- Subject Matter Advisor data.
The data may include personal identifiers such as name, address, email address, date of birth, postcode, NHS Number and National Insurance Number. It may also include private and confidential information, and special categories of personal data (specifically with regards to healthcare or with regards to commercially sensitive data about suppliers).
HSSIB may occasionally be required to collect and use certain types of personal information in order to comply with the requirements of the law. No matter how it is collected, recorded, and used (e.g. on a computer or other digital media, in hardcopy, paper or images) this personal information must be handled properly to ensure compliance with DP legislation – the UK General Data Protection Regulation (UKGDPR) and Data Protection Act 2018 (DPA2018).
The lawful and proper treatment of personal information by HSSIB is extremely important to the success of our organisation and in order to maintain the confidence of our service users and employees. HSSIB must ensure that it processes personal information lawfully and correctly in order to maintain its reputation with the public at large.
NB: it is important to acknowledge here that HSSIB is in a unique position in the NHS landscape under the Health and Care Act 2022 (HCA2022); see Section 7 for more information.
It is unlawful to disclose protected material, both internally and externally unless there is a lawful exemption. Protected material includes any information, documents, equipment, or any other item which is part of a HSSIB investigation that has not already been lawfully made available to the public. It is a criminal offence for anyone working for, or on behalf of the HSSIB, to knowingly or recklessly disclose protected material, where the person knows or suspects the disclosure to be prohibited, unless a lawful exemption applies. Please refer to the HSSIB Disclosure of Protected Materials Policy for more guidance.
6. Data Protection Principles
6.1 HSSIB fully supports, and must be able to demonstrate, compliance with the six principles of the UKGDPR, which are summarised below:
- Personal data shall be processed lawfully, fairly and in a transparent manner in relation to individuals.
- Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Personal data processed must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
6.2 Information covered by data protection legislation
The GDPR definition of "personal data" covers any information relating to an identified or identifiable natural, living person. Pseudonymised personal data is covered, however anonymised or aggregated data is not regulated by the UKGDPR or DPA2018, providing the anonymisation or aggregation has not been done in a reversible way.
Individuals can be identified by various means, such as (but not limited to) their name, address, telephone number, email address, NHS Number or National Insurance Number.
The UK GDPR defines special categories of personal data as information related to:
- Race or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
- Health data
- Sexual history and/or sexual orientation
HSSIB holds data which falls into the health data category, and we must be particularly mindful in order to protect this type of data.
7. The Health and Care Act 2022
The Health and Care Act 2022 (the "HCA 2022") establishes a prohibition on the disclosure of "protected material" which is held as part of an investigation. Protected material is defined under Section 122 of the HCA 2022 as any information, document, equipment or other item which is held by HSSIB for the purpose of its investigation function and which relates to an incident occurring in England during the provision of health services which has, or may have, implications for the safety of patients. It is an offence for a person to disclose protected material except when limited exemptions apply. You should not disclose protected material unless you have the appropriate authority to make a disclosure.
Further information with regards to protected material can be found in the HSSIB Disclosure of Protected Materials Policy. It is important to note that the HCA2022 is a piece of legislation that supersedes DP law; HSSIB are in a unique position in this regard. Where you consider it necessary to disclose protected materials, or you need further guidance on protected materials or the relevant exemptions, you should contact the BGRM on ig@hssib.org.uk who will be able to provide further guidance.
8. Duty of Confidentiality and the Health and Care Act 2022
Staff within HSSIB will have access to sensitive and confidential information as well as person-identifiable information. All staff are bound by a legal duty of confidentiality to protect personal information they may encounter during the course of their work. This is not just a requirement of contractual responsibilities but also a requirement within the common law duty of confidentiality. DP legislation and the right to respect for private and family life under Article 8 of the European Convention on Human Rights impose additional requirements related to the handling of patient information, including confidential patient information.
The requirements of all of these overlapping legal obligations should be met when the HSSIB is handling patient information.
9. Principles with Regards to Confidentiality of Data
9.1 All staff must adhere to the following principles when working internally at HSSIB:
- Person-identifiable, confidential information or protected materials must be effectively protected against improper disclosure when it is received, stored, transmitted, or disposed of.
- Access to person-identifiable, confidential information and protected materials must be on a need-to-know basis.
- Disclosure of person-identifiable, confidential information or protected materials within HSSIB must be limited to the purpose for which it is required.
- Protected materials in relation to investigations must be placed in the HIMS case file record.
- Staff should double check email addresses when sending person-identifiable, confidential information or protected materials internally. Ensure that the address is correct so that it is sent internally and not accidentally sent to an external address.
9.2 All staff must adhere to the following principles when working with external organisations:
9.2.1 If the decision is taken to disclose person-identifiable or confidential information to an external organisation, that decision must be justified and documented.
9.2.2 Protected materials must not be shared externally unless under extremely limited circumstances which are detailed in the Disclosure of Protected Materials Policy. Staff must contact the BGRM on ig@hssib.org.uk before disclosing anything externally for this particular set of records.
9.2.3 Any concerns about disclosure of information must be discussed with the BGRM.
9.3 Person-identifiable information, wherever appropriate, in line with the DP principles stated in this policy, must be anonymised by removing as many identifiers as possible whilst not unduly compromising the utility of the data in line with the ICO's Anonymisation Code of Practice.
9.4 HSSIB are a fully remote organisation; all staff work from their home environment. The work environment in the home must be treated with the same degree of security as a workplace would be. Access to data, files and records should only be via HSSIB issued devices and should only be accessible and used by HSSIB staff.
9.5 Printouts containing person-identifiable, confidential information or protected materials must be stored in a secure lock box. If the printouts are no longer required, they must be disposed of using a crosscut shredder so as not to permit identification or malicious re-use.
9.6 HSSIB’s Contract of Employment includes a commitment to confidentiality. Breaches of confidentiality could be regarded as gross misconduct and may result in serious disciplinary action up to and including dismissal.
10. Distribution, Implementation and Monitoring
10.1 Distribution Plan
This document will be made available to all staff via the HSSIB Intranet/SharePoint. A notice will be issued in the staff newsletter notifying of the release of this document and any updates.
10.2 Training Plan
A training needs analysis will be undertaken with staff affected by this document by the BGRM where deemed appropriate. Based on the findings of that analysis appropriate training will be provided to staff, as necessary.
10.3 Monitoring
Compliance with this policy will be monitored via the BGRM.
Revision and update of the document is the responsibility of the BGRM, and this will be done on a two-yearly basis, or sooner if the need arises (e.g. legislation affecting the policy changes).
11. Impact Assessments
11.1 Policy Impact Assessment
As part of the development of this policy, its impact on the business has been assessed; no detrimental issues were identified.
11.2 Equality and Health Inequality Analysis
This document forms part of HSSIB’s commitment to create a positive culture of respect for all staff and service users. The intention is to identify, remove or minimise discriminatory practice in relation to the protected characteristics (race, disability, gender, sexual orientation, age, religious or other belief, marriage and civil partnership, gender reassignment and pregnancy and maternity), as well as to promote positive practice and value the diversity of all individuals and communities.
As part of the development of this policy, its impact on equality has been analysed and no detrimental issues were identified.
12. Associated Documentation
Section 3.2 identifies IG and IT policies and processes that are related to this policy.
13. Version Control Tracker
| Version Number | Date | Author Title | Status | Comment/Reason for Issue/Approving Body |
|---|---|---|---|---|
| V0.1 | June 2024 | Board, Governance and Records Manager | DRAFT | This draft policy is a combination of: a) The Draft Data Protection Policy which was tabled at SLT on 16 May 2024; b) The HSSIB002 Information Governance and Data Compliance Strategy which was approved by SLT on 9 November 2023. The combination of the two policies was approved by SLT on the 16th of May 2024 in the interests of efficiencies/streamlining the policies held by HSSIB. |
Appendix A: Definitions
The following types of information are classed as confidential. This list is not exhaustive.
NB: any information gathered in relation to an investigation is classed as ‘protected materials’ – see the Disclosure of Protected Materials Policy for more information with regards to this set of records at HSSIB.
- Some categories of person-identifiable information, which is anything that contains the means to identify a person, e.g. name, address, postcode, date of birth, NHS number, National Insurance number etc. Even a visual image (e.g. a photograph) is sufficient to identify an individual. Information may have to be treated as confidential because of (a) the nature of the information itself or (b) the context in which it comes into HSSIB’s possession.
- An example of (a) is information about the state of someone’s physical or mental health which should be treated as confidential by default.
- An example of (b) is information which an individual discloses to HSSIB about safety concerns in the hospital where they work, where they ask not to be named. Their identity should therefore be held in confidence.
- Any data or combination of data and other information, which can indirectly identify the person, will also fall into this definition.
- Special categories of personal information (previously known as ‘sensitive’ personal data) as defined by the Data Protection Act 2018 refers to personal information about:
  - Race or ethnic origin*
  - Political opinions*
  - Religious or philosophical beliefs
  - Trade union membership
  - Genetic data
  - Biometric data
  - Health data
  - Sexual history and/or sexual orientation
  - Criminal data
*It is important to note that some people may be very open about their political beliefs or race/ethnic origin and where it is known that this information can be made public/not kept in confidence, then HSSIB shall respond accordingly.
- Non-person-identifiable information can also be classed as confidential, such as confidential business information (e.g. financial reports) and commercially sensitive information (e.g. contracts, trade secrets, procurement information), which should be treated with the same degree of care.