GDPR & Data Security Policy

General Data Protection Regulation (GDPR) Privacy Policy

This Practice is a College Health managed GP surgery that operates under an APMS contract. To provide the best quality healthcare to our patients we, like all other GP surgeries, need to hold personal information for all our patients.
In this Privacy Policy, we’ve provided lots of detailed information on when and why we collect your personal information, how we use it, the limited conditions under which we may disclose it to others and how we keep it secure.

Types of Data we collect

At registration with us we record your contact details, including address, phone numbers and email address.
Further information is recorded whenever you come to the practice to see a GP or nurse. All this information is held in your medical record.
We will only use this information in the course of direct patient care. By this we mean that we will send text reminders for appointments and for health campaigns such as flu jabs.
We will send information to you about the practice in the form of newsletters and other communications, such as patient surveys.
We will never share your information with any other organisation other than for a direct healthcare reason such as a referral to a specialist in a hospital or other healthcare provider.

Accessing Your Medical Records

For information on this topic please click on the link to the Accessing Your Medical Records page.

Changes to this Privacy Notice

This policy was introduced on 28th May 2018 and will be reviewed annually or before if legislation or best practice changes.

To view the full College Health GDPR Policy document please click on the link below -

CH-G067 - General Data Protection Regulation (GDPR) Policy March (2)2019

Introduction

This Data Security Policy is (hereafter referred to as “us”, “we”, or “our”) policy regarding the safeguarding and protection of sensitive personal information and confidential information as is required by law (including, but not limited to, the Data Protection Act 2018, Health & Social Care Act 2012, and the Common Law duty of confidentiality).

Purpose

The purpose of this document is to outline how we prevent data security breaches and how we react to them when prevention is not possible. By data breach we mean a security incident in which the confidentiality, integrity or availability of data is compromised. A breach can either be purposeful or accidental.

This Data Security Policy covers:

Physical Access procedures
Digital Access procedures
Access Monitoring procedures
Data Security Audit procedures
Data Security Breach procedures

Scope

This policy includes in its scope all data which we process either in hardcopy or digital copy, this includes special categories of data.

This policy applies to all staff, including temporary staff and contractors.

Physical Access Procedures

Physical access to records shall only be granted on a strict ‘Need to Know’ basis.

During their induction each staff member who requires access to confidential information for their job role will be trained on the safe handling of all information and will be taught the procedures which govern how data is used, stored, shared and organised in our organisation.

Our staff must retain personal and confidential data securely in locked storage when not in use and keys should not be left in the barrels of filing cabinets and doors.

Confidential information is held in locked cabinet in reception admin and the Practice Managers office. All offices, when left unoccupied, must be locked unless all personal and confidential information has first been cleared off workstations/desks and secured in locked storage.

The Information Asset Register (IAR) will contain the location of all confidential and sensitive personal information.

We will risk assess each storage location to ensure that the data is properly secured. This risk assessment forms part of the IAR.

A record will be kept of who has access to each storage location. This record can be requested from the Practice Manager.

An audit will be completed at least annually to ensure that information is secured properly, and that access is restricted to those who have a legal requirement to use the information. The details of this audit are outlined in the Data Security Audit Procedures below.

Digital Access Procedures

Access shall be granted using the principle of ‘Least Privilege’. This means that every program and every user of the system should operate using the least set of privileges necessary to complete their job.

We will ensure that each user is identified by a unique user ID so that users can be linked to and made responsible for their actions.

The use of group IDs is only permitted where they are suitable for the work carried out

During their induction each staff member who requires access to digital systems for their job role will be trained on the use of the system, given their user login details, and they will be required to sign to indicate that they understand the conditions of access.

A record is kept of all users given access to the system by the Practice Manager

In the instance that there are changes to user access requirements, these can only be authorised by the IG Lead or Practice Manager.

The IAR will contain the location of all confidential and sensitive personal information which is digitally stored.

We will follow robust password management procedures and ensure that all staff are trained in password management.

As soon as an employee leaves, all their system logons are revoked. As part of the employee termination process the Practice Manager is responsible for the removal of access rights from the computer system.

The IG Lead and Praice Manager will review all access rights on a regular basis, but in any event at least once a year. The review is designed to positively confirm all system users. Any lapsed or unwanted logons which are identified are disabled immediately and deleted unless positively reconfirmed.

When not in use all screens will be locked, and a clear screen policy will be followed.

Access Monitoring Procedures

The management of digital access rights is subject to regular compliance checks to ensure that these procedures are being followed and that staff are complying with their duty to use their access rights in an appropriate manner.

Areas considered in the compliance check include whether:

Allocation of administrator rights is restricted
Access rights are regularly reviewed
Whether there is any evidence of staff sharing their access rights; staff should know that this can result in disciplinary procedures unless you specifically allow this in your organisation
Staff are appropriately logging out of the system
Our password policy is being followed
Staff understand how to report any security breaches

Data Security Audit Procedures

Confidentiality audits will focus on controls within electronic records management systems and paper record systems; the purpose being to discover whether confidentiality has been breached, or put at risk through deliberate misuse of systems, or as a result of insufficient controls. Audits of security and access arrangements within each area are to be conducted on a six-monthly rolling programme.

Audits will be carried out as required by some or all of these methods:

Unannounced spot checks to random work areas
A series of interviews with management and staff, where a department or area of the organisation has been identified for a confidentiality audit. These audits will be carried out by The Practice Manager/IG Lead.
Based on electronic reports
Based on electronic reports from care planning software or auditing of care plans

The following checks will be made during data security audits:

The Information Asset Register has been reviewed, updated and signed off
The Record of Processing Activities has been reviewed, updated and signed off
Failed attempts to access confidential information
Repeated attempts to access confidential information
Access of confidential information by unauthorised persons
Previous confidentiality incidents and actions, including disciplinary, taken
Staff awareness of policies and guidelines concerning confidentiality and understanding of their responsibilities with regard to confidentiality
Appropriate communications with service users
Appropriate recording and/or use of consent forms
Appropriate allocation of access rights to confidential information, both hardcopy and digital
Appropriate staff access to physical areas
Storage of and access to filed hardcopy service user notes and information
Correct process used to securely transfer personal information by post or email
Appropriate use and security of desktop computers and mobile devices in open areas
Security applied to PCs, laptops and mobile electronic devices
Evidence of secure waste disposal
Appropriate transfer and data sharing arrangements are in place
Security and arrangements for recording access to manual files both live and archive, g. storage in locked cabinets/locked rooms
Appropriate staff use of computer systems, g. no excessive personal use, no attempting to download software without authorisation, use of social media, attempted connection of unauthorised devices etc.

Data Security Breach Procedures

In order to mitigate the risks of a security breach we will:

Follow the Physical Access, Digital Access, Access Monitoring and Data Security Procedures
Ensure our staff are trained to recognise a potential data breach whether it is a confidentiality, integrity or availability breach
Ensure our staff understand the procedures to follow and how to escalate a security incident to the correct person in order to determine if a breach has taken place

In the instance that it appears that a data security breach has taken place:

The staff member who notices the breach, or potential breach, will complete a Significant Event Report without delay and contact the Practice Manager
This form will be completed and handed to the Practice Manager or, if they are not available, to a member of senior management
The IG Lead/Practice Manager will conduct a thorough investigation into the breach
In the instance that the breach is a personal data breach and it is likely that there will be a risk to the rights and freedoms of an individual then the Information Commissioner’s Office (ICO) will be informed as soon as possible, but at least within 72 hours of our discovery of the breach, via the DSPT Incident Reporting Tool (dsptoolkit.nhs.uk/incidents/)

As part of our report we will provide the following details:

The nature of the personal data breach (i.e. confidentiality, integrity, availability)
The approximate number of individuals concerned and the category of individual (e.g. employees, mailing lists, service users)
The categories and approximate number of personal data records concerned
The name and details of our DPO/SIRO and Practice Manager
The likely consequences of the breach
A description of the measures taken, or which we will take, to mitigate any possible adverse effects.
The DPO will inform any individual that their personal data has been breached if it is likely that there is a high risk to their rights and freedoms. We will inform them directly and without any undue delay
A data security breach must be marked on the IAR and will prompt an audit of all processes in order to correct any procedure which led to the breach
A record of all personal data breaches will be kept including those breaches which the ICO were not required to be notified about

Responsibilities

The Practice Manager is responsible for physical security
The IG Lead is responsible for updating and auditing the IAR
The IG Lead/IM&T Digital Programme Manager and Cyber Security Lead is responsible for digital access
The DPO/SIRO is is responsible for managing breaches
The IG Lead/IG Security Officer and Practice Manager are responsible for data security audits.

Approval

This policy has been approved by the Partners/Board of Directors and will and will be reviewed at least annually.