Data Security and Protection - Information Governance Presentation

Slides about Data Security and Protection - Information Governance. The PDF explores the legal and ethical bases of patient confidentiality and the importance of data protection in healthcare, suitable for university-level Law students.


44 Pages

Data Security and Protection - Information Governance

CONTENT
1. CONFIDENTIALITY
2. UK GDPR AND DATA PROTECTION ACT
3. FREEDOM OF INFORMATION AND SUBJECT ACCESS REQUEST
4. DATA SECURITY AND DATA PROTECTION
5. SHARING INFORMATION
6. DATA SECURITY AND DATA BREACHES

LEARNING OUTCOMES
• DESCRIBE THE LEGAL AND ETHICAL BASIS OF PATIENT CONFIDENTIALITY.
• DESCRIBE THE IMPORTANCE OF DATA PROTECTION IN HEALTHCARE.
• DESCRIBE THE IMPORTANCE OF DATA SECURITY IN HEALTHCARE.
• APPLY THE PRINCIPLES TO CONFIDENTIALITY, SECURITY AND DATA SHARING RELEVANT TO PHARMACY PRACTICE.

Confidentiality

Patients and others using the health services are entitled to expect that their personal information will remain confidential.
Patients must feel that they are able to discuss sensitive matters without fear that the information may be improperly disclosed.
Health services cannot work effectively without trust, and trust depends on confidentiality.
The duty of confidentiality is a matter of both ethics and law.

Confidentiality

However, patients also expect professionals to share information with other members of the healthcare team who need to co-operate to ensure the best patient care.
The challenge for health professionals is to succeed in both confidentiality AND sharing of information in order to provide the best service for the patient.
Confidentiality, security and data sharing are not contradictory requirements.
Under the common law duty of confidentiality, confidential information can be used or shared further with the consent of the individual. This consent can be implied (in relation to sharing for direct care) or expressly given.
Sharing of information is as important as maintaining confidentiality.

Protecting information and disclosing information (slide diagram)

Ethics

People trust that their confidentiality and privacy will be maintained by pharmacy professionals, whether in a healthcare setting (such as a hospital, primary care or community pharmacy setting) in person, or online.
The principles of confidentiality still apply after a person's death.
GPhC Standards of conduct, ethics and performance:
Confidentiality is covered by Standard 7.
Consent is covered by Standard 1.
Two key concepts to consider to stay within ethical requirements:
• What law(s) apply and what do they require of you?
• The need for consent.

Source: GPhC standards for pharmacy professionals, 2017

GPhC Standard 7

Standard 7:
Pharmacy professionals must respect and maintain a person's confidentiality and privacy ...
Pharmacy professionals:
• Understand the importance of managing information responsibly and securely, and apply this to their practice.
• Reflect on their environment and take steps to maintain the person's privacy and confidentiality.
• Do not discuss information that can identify the person when the discussions can be overheard or seen by others not involved in their care.
• Ensure that everyone in the team understands the need to maintain a person's privacy and confidentiality.
• Work in partnership with the person when considering whether to share their information, except where this would not be appropriate.

Source: GPhC standards for pharmacy professionals, 2017

GPhC Standard 1

Standard 1:
Pharmacy professionals must provide person-centred care.
• Obtain consent to provide care and pharmacy services.
• Involve, support and enable every person when making decisions about their health, care and wellbeing.
• Listen to and understand the person's needs and what matters to them.
• Give the person all relevant information in a way they can understand, so they can make informed decisions and choices.

The legislation

Decisions made by the UK courts, together with the ethical duties of confidentiality placed on pharmacists and other health professionals, have resulted in personal health information being treated with a much higher degree of sensitivity than most other types of personal information.
There are 4 main areas of law which constrain the use and disclosure of confidential personal health information:

  1. Common Law of Confidentiality
  2. Administrative Law
  3. Human Rights Act 1998 (HRA98)
  4. UK General Data Protection Regulation 2020 (UK GDPR) and Data Protection Act 2018

Common Law of Confidentiality

All NHS staff are subject to a legal duty of confidentiality.
The Common Law of Confidentiality is not codified in an Act but built up from case law, where practice has been established by individual judgements.
A key principle is that information confided should not be used or disclosed further, except as understood by the confider or with their permission, e.g. patient consent.
Judgements have shown that information can be disclosed 'in the public interest', but this is very much on a case-by-case basis in exceptional circumstances, and confidentiality can be set aside or overridden by legislation.
Information provided by patients to the NHS is considered to have been provided in confidence, and must be kept confidential so long as it remains capable of identifying the individual.
Personal health information can only be disclosed to a third party when:
• The patient provides explicit consent, or
• There is a legal requirement to do so (e.g. a court order), or
• There is an overriding public interest (e.g. to prevent a serious crime taking place).

Administrative Law and Public Authorities

Administrative Law covers the way in which the NHS deals with confidential patient information in order to carry out specific functions.
In doing so it must act within the limits of its powers.
Where such information is processed outside these powers, then the processing may be unlawful.
Administrative Law governs the actions of public authorities:
• A public authority must possess the power to carry out what it intends to do.
• The power must be exercised for the purpose for which it was created.
All NHS bodies must be aware of the extent and limitations of their powers, and act within their lawful powers.

Human Rights Act 1998 and Privacy

Article 8 of the European Convention on Human Rights:
Everyone has the right to respect for his 'private and family life, his home and his correspondence'.
Article 8, which is given effect in UK law by the Human Rights Act, establishes a right to 'respect for private and family life'. This creates a general requirement to protect the privacy of individuals and preserve the confidentiality of their health records.
Compliance with Data Protection legislation and the Common Law of Confidentiality satisfies human rights requirements.
This highlights the duty to protect the privacy of individuals and preserve the confidentiality of their health records.
Any decision to override a duty of confidence in the public interest must be consistent with the rights described in Article 8. The public interest served by disclosure must outweigh the public interest in protecting the confidentiality of information.

UK GDPR and Data Protection Act

UK GDPR and Data Protection Act 2018

The UK GDPR and Data Protection Act 2018 together provide the legal framework for data protection. Trusts are required by law to provide training on topics such as the UK GDPR and Data Protection Act 2018 (DPA 2018), and it is mandatory for all staff to evidence their compliance with this training.
The 1998 Data Protection Act was replaced by the General Data Protection Regulation in 2018. The increased use of technology using and holding our personal information over those 20 years meant a review of the legislation was needed. The Data Protection legislation was very dated and needed to reflect today's way of living and how we use our data.
There is now more focus on companies, including healthcare organisations, to evidence how they use and secure personal and patient information.
The DPA 2018 and GDPR were introduced into law in May 2018. The DPA is our domestic data protection law, and the GDPR applied to us when we were part of the European Union.
Since leaving the EU, the UK government decided that it still wanted to adhere to the standards of data protection afforded under GDPR, and so introduced GDPR as a UK law. Since Dec 2020, we now have the UK GDPR.

General Data Protection Regulation (GDPR):
• New EU law replacing the Data Protection Act 1998
• GDPR applicable May 2018
• Governs management and use of personal data
• Organisations required to demonstrate compliance
• More extensive rights for data subjects
• Harsher penalties for non-compliance
• Superseded by UK GDPR 2020 and DPA 2018

UK GDPR Rights for Individuals

The UK GDPR has more extensive rights for individuals (data subjects), as shown by the 8 rights listed here, and places certain obligations on organisations responsible for processing personal information.

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • The right not to be subject to automated decision-making, including profiling

UK GDPR and Personal Data Processing

The UK GDPR regulates the processing of personal data.
Personal data:
• Information relating to a living individual who can be directly identified from that data (or indirectly identified from that data and other information in the possession of the data controller).
Processing includes:
• Holding, obtaining, recording, using and disclosing information
• by automatic means, or manual processing.

The GDPR is the main piece of legislation that governs the processing of information that identifies living individuals, i.e. personal data.
Processing includes holding, obtaining, recording, using and disclosing of information, and the Act applies to all forms of media, including paper and images. It applies to confidential patient information but is far wider in its scope, e.g. it also covers personnel records.
Data protection legislation is all about personal data, so we have to be able to define personal data.
Data protection legislation describes personal data as data which relates to a living individual who can be directly or indirectly identified from that data.
Something that will directly identify a person may be data such as their name and address. Indirect identification may be via a passport number, hospital number, or employee assignment number.

UK GDPR Exclusions

Generally speaking, the GDPR does not apply to any information relating to a patient who has died (the Access to Health Records Act 1990 does allow a personal representative of a deceased patient, or anyone who has a claim arising from a patient's death, to have access to sensitive personal data).
The GDPR also does not apply to anonymised data (this was resolved in a court case in 1990). A company, Source Informatics, purchased anonymised information contained on NHS prescriptions for the purposes of market research. The prescriptions showed where they had been dispensed, the details of the prescription and the details of the prescriber, but NO patient details. The DoH challenged the legal right of Source Informatics to do this, and eventually the Court of Appeal ruled against the DoH. The collation of data from patient records is allowed on condition that it is presented anonymously for the purposes of research or as information to commercial sources.
• Does not apply to a data subject who has died (Access to Health Records Act 1990).
• Does not apply to anonymised data.
• Collation of data from patient records is allowed on condition that it is presented anonymously, for the purpose of research or as information to commercial sources.
