Information Security & Data Protection

Protecting the Trust
Protecting you

Data subject rights

Under the Data Protection Act 2018, individuals have increased rights in relation to their information. These are:

The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling

If a patient, other staff member or member of the public contacts you about these, please refer them to the information governance department.

Remember!

Confirm the identity of callers before giving out any sensitive information.

Do not discuss patient-related issues in a public place.

Under no circumstances should any paper records or laptops with person-identifiable data be left in Trust or personal vehicles overnight.

You must take all reasonable care to protect confidential information from loss, damage, unauthorised access or disclosure by:

Keeping all person-identifiable information securely
Not disclosing person-identifiable information to anyone inappropriately

The loss or unauthorised disclosure of personal information (e.g. looking at data you are not entitled to) can lead to disciplinary action against the individuals concerned, or even prosecution in cases of malicious or wilful misuse. It is important that any incidents or data breaches are reported on DATIX as soon as possible so that an investigation can take place.

We can reduce the number of data breaches reported by ensuring all staff are trained: please complete your annual information governance training.

Do not post personal data on any social media sites.

Patients have the right to object to the use and disclosure of their personal information, and need to be made aware of this right. Informed consent must be obtained before personal data is used for any reason other than the patient's direct care.

Contacts

For further information, please contact a member of the IG Team:
xxxxxxxxxxxxxxxxxxxxx@xxxxxxx.xxx.xx

Data Protection Officer: Emma Sears

EEAST IG Leaflet v.3

Your legal duty of confidentiality

Everyone who works for EEAST is bound by the common law duty of confidentiality. This includes permanent and temporary staff, bank staff, contractors and volunteers.

You must treat all person-identifiable and sensitive information (clinical or non-clinical) as confidential. This applies to both patient and staff records.

You should read this leaflet in conjunction with the Trust's Confidentiality Code of Conduct, which is available in the Document Library on East 24.

What is person-identifiable and special category/sensitive information?

Person-identifiable information is enough information to identify a living individual. This might include:

Name, address and postcode
Date of birth
Telephone numbers
National insurance number
NHS number
Images such as a photograph

Sensitive information includes medical history, work performance, ethnicity, sexuality, political affiliation, religious beliefs and criminal records.

Where is this information held?

Confidential information could be held in many formats and media types, including:

Medical records (PCRs)
Personnel records
Computer files and print-outs
Laptops, CDs and memory sticks
Faxes
X-Rays and ECGs
Voice mail and message pads

When you can share person-identifiable information

The Caldicott Principles stipulate that you can share person-identifiable data only if you:

Can justify the purpose for using the information
Use the information only if absolutely necessary
Use the minimum information required for that purpose
Ensure access to the information is on a strict 'need to know' basis
Know that everyone who sees the information understands their responsibility to protect it
Are confident that recipients will comply with the law

The duty to share information can be as important as the duty to protect confidentiality.

If you are asked to share person-identifiable information and you cannot confirm all Caldicott Principles, you should seek guidance from your line manager, the Caldicott Guardian or a member of the IG Team (see contact on the back page).

Keeping information secure

Be careful who you disclose information to. Do they really need to know? Can you justify the disclosure? Have you only given out the minimum data required?

Never use anyone else's log-on ID or Smartcard, or let them use yours.

Do not send confidential information via a non-secure email provider (e.g. Hotmail). An nhs.net mail account must be used!

Only Trust-issued encrypted memory sticks should be used to store person-identifiable or sensitive information, and only with the prior approval of your line manager. Never transfer Trust data to your home computer!

Keep paper records and mobile devices (such as toughbooks, laptops or USB sticks) physically secure at all times.

Sensitive information in paper format (such as PCRs) must be kept secure at all times. Paper records should never be left in plain view in an open or public area.

Ensure you log off when you finish using a Trust PC or laptop, and lock it when leaving it unattended.

EEAST IG Leaflet v.3
05/12/2018