Introduction

The Data Protection Act 2018 (DPA) requires a clear direction on policy for the security of information held within the Patient Transport service and provides individuals with a right of access to a copy of the information held about them. As of May 2018, this policy is now referred to as the General Data Protection Regulation (GDPR).

The Patient Transport service needs to collect personal information about people with whom it deals in order to carry out its business and provide its services.  Such people include patients, employees (present, past, and prospective), suppliers and other business contacts.  The information we hold will include personal, sensitive, and corporate information.  In addition, we may occasionally be required to collect and use certain types of such personal information to comply with the requirements of the law.  No matter how it is collected, recorded, and used (e.g. on a computer or on paper) this personal information must be dealt with properly to ensure compliance with the Data Protection Act 2018.

The lawful and proper treatment of personal information by the Patient Transport service is extremely important to the success of our business and in order to maintain the confidence of our service users and employees.  We ensure that the Patient Transport service treats personal information lawfully and correctly.

This policy provides direction on security against unauthorized access, unlawful processing, and loss or destruction of personal information. See also: Access to Medical Records policy ^[*], which covers Subject Access Requests under the Data Protection Act.

1.0      General Data Protection Regulation Principles

We support fully and comply with the eight principles of the Act which are summarised below:

1. Personal data shall be processed fairly and lawfully.

2. Personal data shall be obtained/processed for specific lawful purposes.

3. Personal data held must be adequate, relevant, and not excessive.

4 . Personal data must be accurate and kept up to date.

5. Personal data shall not be kept for longer than necessary.

6 . Personal data shall be processed in accordance with the rights of data subjects.

7 . Personal data must be kept secure.

Who does the GDPR apply to?

• The GDPR applies to ‘controllers’ and ‘processors’.
• A controller determines the purposes and means of processing personal data.
• A processor is responsible for processing personal data on behalf of a controller.
• If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.

• However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.

The UK’s DPA 2018 has already enacted the EU GDPR’s requirements into UK law, and with effect from 1 January 2021, the DPPEC (Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit)) Regulations 2019 amended the DPA 2018 and merged it with the requirements of the EU GDPR to form a new, UK specific data protection regime that works in a UK context after Brexit as part of the DPA 2018.

This new regime is known as ‘the UK GDPR’.

UK organisations need to amend their GDPR documentation to align it with the requirements of the UK GDPR. In particular, Article 30 records, privacy notices, DPIAs (data protection impact assessments), DSARs (data subject access requests) and documentation covering international data flows must all reflect the UK’s independent jurisdiction and the specific scope and wording of the UK GDPR.

Any UK organisation that offers goods or services to, or monitors the behavior of, EU residents will also have to comply with the EU GDPR and will reflect this in its process documentation.

What information does the GDPR apply to?

• Personal data

The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way Patient Transport services collect information about people.

The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.

Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.

• Sensitive personal data

The GDPR refers to sensitive personal data as “special categories of personal data”

The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.

Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing.

2.0 Employee Responsibilities
All employees will, through appropriate training and responsible management:
1.comply at all times with the above General Data Protection Regulation principles
2. observe all forms of guidance, codes of Patient Transport service and procedures about the collection and use of personal information
3. understand fully the purposes for which the Patient Transport service uses personal information

4.collect and process appropriate information, and only in accordance with the purposes for which it is to be used by the Patient Transport service to meet its service needs or legal requirements

5.ensure the information is correctly input into the Patient Transport service’s systems

6.ensure the information is destroyed (in accordance with the provisions of the Act) when it is no longer required

7.on receipt of a request from an individual for information held about them by or on behalf of immediately notify the Registered Manager

8.not send any personal information outside of the United Kingdom without the authority of the Caldicott Guardian / Information Governance Lead

9.understand that breaches of this Policy may result in disciplinary action, including dismissal

3.0 Patient Transport service Responsibilities

The Patient Transport service will:
•Ensure that there is always one person with overall responsibility for data protection. Currently this person is MR RAMESH SUBBIAH should you have any questions about data protection. MR RAMESH SUBBIAH will take on these responsibilities if the first named individual is absent with illness or on annual leave.

•Maintain its registration with the Information Commissioner’s Office

•Ensure that all subject access requests are dealt with as per our Access to Medical Records policy

•Provide training for all staff members who handle personal information

•Provide clear lines of report and supervision for compliance with data protection and also have a system for breach reporting

•Carry out regular checks to monitor and assess new processing of personal data and to ensure the Patient Transport service’s notification to the Information Commissioner is updated to take account of any changes in processing of personal data

•Develop and maintain DPA procedures to include: roles and responsibilities, notification, subject access, training and compliance testing

•Display a Privacy Notice on the website explaining to patients the Patient Transport service policy (see
below) plus a copy of the Information Commissioners certificate

Make available a leaflet and or a poster Access to Medical Records [*] for the information of patients. Also display the certificate of registration with the Information Commissioners office.

•Take steps to ensure that individual patient information is not deliberately or accidentally released or (by default) made available or accessible to a third party without the patient’s consent, unless otherwise legally compliant. This will include training on confidentiality issues, DPA principles, working security procedures, and the application of best practice in the workplace.

•Undertake prudence in the use of, and testing of, arrangements for the backup and
recovery of data in the event of an adverse event.

•Maintain a system of “Significant Event Reporting” through a no-blame culture to capture and address incidents which threaten compliance.

•Include DPA issues as part of the Patient Transport service general procedures for the management of risk.

•Ensure confidentiality clauses are included in all contracts of employment.

•Ensure that all aspects of confidentiality and information security are promoted to all
staff.

•Remain committed to the security of patient and staff records.

•Ensure that any personal staff data requested by public or government bodies such as HMRC i.e. age, sexual orientation and religion etc., is not released without the written consent of the staff member.

Statement

The recording of data within the Patient Transport service is under the management and control of MR RAMESH SUBBIAH, who is the IT lead Clinician for the Patient Transport service.

The quality of data, the use of templates and the use of specific coding is reviewed on an ongoing basis and the findings are discussed at clinical policy meetings.

MR RAMESH SUBBIAH is responsible for data quality issues within the Patient Transport service and will ensure accuracy and consistency in recording data among both the Clinicians and the administrative or casual staff.

MR RAMESH SUBBIAH is the non-clinical manager responsible for audit and exception identification and reporting within the Patient Transport service.

Any queries should be addressed to the lead Clinician, MR RAMESH SUBBIAH

PATIENT POSTER

 DATA PROTECTION ACT – PATIENT INFORMATION

We need to hold personal information about you on our
computer system and in paper records to help us to look after your health needs, and your Clinician is responsible for their accuracy and safe-keeping. Please help to keep your record up to date by informing us of any changes to your circumstances.

Clinicians in the Patient Transport service have access to your medical records to enable them to do their jobs. From time to time information may be shared with others involved in your care if it is necessary. Anyone with access to your record is properly trained in confidentiality issues and is governed by both a legal and contractual duty to keep your details private.

All information about you is held securely and appropriate safeguards are in place to prevent accidental loss.

In some circumstances we may be required by law to release your details to statutory or other official bodies, for example if a court order is presented, or in the case of public health issues. In other circumstances you may be required to give written consent before information is released – such as for medical reports for insurance, solicitors etc.

To ensure your privacy, we will not disclose information over the telephone or fax unless we are sure that we are talking to you. Information will not be disclosed to family, friends, or spouses unless we have prior written consent, and we do not leave messages with others.

You have a right to see your records if you wish.