Information Governance

Author: Jono Erodotou
Responsibility: All Staff
Effective Date: 01 June 2024
Review Date: 30th May 2025
Approved By:
Version Number: 01
Amendment / Review History #
Date    Author    Comments

Introduction #

This information governance policy has been developed to give assurances that the Trust will handle all information in a confidential and secure manner and in accordance with the quality and legislative standards appropriate to operating a modern ambulance service.

K4 Medical Services will establish and maintain policies and procedures to ensure compliance with the requirements contained in the NHS Digital Data Security and Protection Toolkit, the Data Protection Act 2018 (DPA), the General Data Protection Regulation (GDPR) and the accompanying guidance from the Information Commissioner’s Office.

Principles of Information Governance #

K4 Medical Services recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. K4 Medical Services also recognises the need to share information with other health organisations and other agencies in a controlled manner consistent with the interests of the patient and in some circumstances, the public interest.

Equally important is the need to ensure high standards of data protection and confidentiality to safeguard personal/sensitive and commercially sensitive information. Underpinning this is the need for the integrity of electronic and paper information: it must be accurate, relevant, and available to those who need it.

Staff/Contractors must ensure at all times that high standards of data quality, data protection, integrity, confidentiality and records management are met in compliance with the relevant legislation and NHS guidance.

Under the GDPR and DPA there are seven principles that govern how person-identifiable information is processed:

  • Lawfulness, Fairness and Transparency
  • Purpose Limitation
  • Data Minimisation
  • Accuracy
  • Storage Limitation
  • Integrity and Confidentiality (security)
  • Accountability

This is further supported by the Caldicott Guardian principles, outlined in the 2016 Caldicott report.

Purpose #

The purpose of this policy is to inform all staff/contractors of their responsibility for ensuring that corporate, patient and personal information is safeguarded and used appropriately within K4 Medical Services. It is the responsibility of all staff to familiarise themselves with this policy and adhere to its information governance principles.

All aspects of handling personal and special categories of information are covered by this policy, including paper and electronic structured record systems and the transmission of information via mail, e-mail, fax and telephone.

Personal data is defined as information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Special category data (formerly known as sensitive data) is more sensitive, and so needs more protection. For example, information about an individual’s:

  • race;
  • ethnic origin;
  • politics;
  • religion;
  • trade union membership;
  • genetics;
  • biometrics (where used for ID purposes);
  • health;
  • sex life; or
  • sexual orientation.

This policy covers all systems utilised by Medicore and any individual employed, in any capacity, by K4 Medical Services.

The aims of this policy are to maximise the value of K4 Medical Services’ information assets by ensuring:

  • Openness
  • Legal Compliance
  • Information Security
  • Quality Assurance

Openness #

Non-confidential information on Medicore and its services will be made available to the public through its public website.

K4 Medical Services will establish and maintain policies, and its publication log, to ensure compliance with the Freedom of Information Act 2000.

Patients will be able to exercise their right to access patient care record information relating to their own clinical care through the K4 Medical Services admin team.

Legal Compliance #

K4 Medical Services regards all identifiable personal information relating to patients as confidential.

K4 Medical Services regards all identifiable personal information relating to staff as confidential except where national policy on accountability and openness requires otherwise.

K4 Medical Services will establish and maintain policies to ensure compliance with the current data protection legislation, Human Rights Act and common law confidentiality.

K4 Medical Services will establish and maintain policies for the controlled and appropriate sharing of patient information with other agencies, taking account of relevant legislation (e.g. Health and Social Care Act, Crime and Disorder Act, Protection of Children Act).

There must be a valid lawful basis in order to process personal data. There are six available lawful bases for processing. No single basis is ‘better’ or more important than the others – which basis is most appropriate will depend on the purpose of the processing and the relationship with the individual.

The lawful basis must be determined and documented before processing begins. The K4 Medical Services privacy notice should include the lawful basis for processing as well as the purposes of the processing. Processing of special category data requires both a lawful basis for general processing and an additional condition for processing.

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:

  • (a) Consent:
  • (b) Contract:
  • (c) Legal obligation:
  • (d) Vital interests:
  • (e) Public task:
  • (f) Legitimate interests:

When processing special category data, both a lawful basis for processing and a special category condition for processing are required, in compliance with Article 9. You should document both your lawful basis for processing and your special category condition so that you can demonstrate compliance and accountability.

This type of data could create more significant risks to a person’s fundamental rights and freedoms, for example by putting them at risk of unlawful discrimination. The Management Team will help determine the legal basis for processing personal and special category data.

Information and Data Security #

K4 Medical Services will establish and maintain policies for the effective and secure management of its information assets and resources.

K4 Medical Services will promote effective confidentiality and security practice to its staff/contractor through policies and training.

K4 Medical Services will establish and maintain incident reporting procedures and will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security.

Information Quality Assurance #

K4 Medical Services will establish and maintain policies and procedures for information quality assurance and the effective management of records.

Managers are expected to take ownership of, and seek to improve, the quality of information within their departments. Wherever possible, information quality should be assured at the point of collection.

Data standards will be set through clear and consistent definition of data items, in accordance with national standards.

K4 Medical Services will promote information quality and effective records management through policies, procedures/user manuals and training.

Duties #

CQC Manager #

Ultimate responsibility for information governance in K4 Medical Services rests with the Ops Manager / CQC Manager, who will ensure that the information governance strategy is implemented via this information governance policy and related policies.

Operational Manager #

As the accountable manager for K4 Medical Services, the Operational Manager is responsible for meeting all statutory requirements and is required to provide assurance that all information risks to K4 Medical Services are effectively identified, managed and mitigated. Details of Serious Incidents involving data loss or confidentiality breaches must be recorded on IR1. All Serious Information Incidents are reported in the annual quality account report.

All Staff / Contractors #

All staff / contractors are responsible for ensuring that they adhere to this policy and implement best practice in relation to information governance wherever possible. They are responsible for raising incidents relating to information governance on the incident reporting system or via their line manager.

Effective Information Governance Management #

Data Security and Protection Toolkit (DSPT) and Internal Audit
K4 Medical Services IG compliance will be measured by a self-assessment of compliance against the ten standards set out in the Data Security and Protection Toolkit. This is, and will continue to be, complemented by the annual internal audit.

Care Quality Commission Oversight
The CQC, as outlined in Safe Data, Safe Care (2016), has powers to inspect K4 Medical Services Information Governance as part of its inspection round. To this end, K4 Medical Services must ensure that robust Information Governance practices are in place. The CQC specifically requires that K4 Medical Services records are accurate, fit for purpose, held securely and held confidentially.

Mandatory training and awareness
Fundamental to the ever-developing information governance agenda is the engagement and awareness of staff. This is currently driven by the requirement for 95% of staff to have completed information governance training.

Information Governance is included in the K4 Medical Services induction training and in the annual mandatory update training for all staff, and a full training needs analysis has been completed in relation to these aspects. Additional training can also be requested at the discretion of a manager, or by an individual wanting personal development.

Further guidance and information relating to Information Governance issues will be distributed periodically by email and via the staff/contractors portal.

Information Asset Management and Business Continuity
A core Information Governance objective is that information assets and the use of information in them are identified and that the business importance of those assets is established.

Information assets are those that are central to the efficient running of K4 Medical Services and specific departments (e.g. patient, finance, stock control, etc.). Essentially, it is information that is of value to the organisation and whose loss of availability would be problematic.

Information Asset Owners are usually senior members of staff who are the nominated owner for one or more of K4 Medical Services’ identified information assets. It is their responsibility to record their information assets on the K4 Medical Services Information Asset Register, review these at least annually and undertake a Data Flow Mapping exercise.

The Information Asset Register is overseen by the CQC Manager, and identified risks will be recorded on the K4 Medical Services Risk Register. All data flows should have a documented legal basis, and this should be recorded on the Information Asset Register.

Data Protection Impact Assessments
In line with Information Commissioner guidance, a data protection impact assessment should be completed on any new or changing transfer of personal data. This could be the procurement of a new system or changes to how we use information in an existing asset.

These assessments must be completed by the nominated project leads with advice and support provided by the CQC Manager.

Confidentiality
Decisions about any disclosure of personal/sensitive information must be made on a case-by-case basis, referring to the concepts laid down in this policy.

A duty of confidence arises when a person discloses information to another in circumstances where it is reasonable to expect that the information will be held in confidence.

It is therefore:

  • a legal obligation derived from case law – the Common Law Duty of Confidence;
  • a requirement established within professional codes of conduct – HCPC, NMC, GMC;
  • a clause within your contract of employment, linked to internal procedures such as the disciplinary procedures.

Never give out information to persons who do not “need to know” in order to provide health care and treatment, or for any other reason. All requests for patient identifiable information should be justified. This applies whether the request comes from within K4 Medical Services or from some outside organisation. Some requests may need to be agreed by the Operational Manager. They should be contacted if you are in doubt about disclosure or if you are aware of poor practice within K4 Medical Services which may be putting patient confidentiality at risk.

Transfer of information into and out of K4 Medical Services #

The Operational Manager will ensure information flows into and outside of K4 Medical Services are appropriately recorded on the K4 Medical Services management system and monitored for review annually. Any risks associated with these information flows will be identified and recorded on the K4 Medical Services risk register.

These information flows will be completed in line with the Caldicott Guardian principles, contractual terms and the current data protection legislation.

Information Sharing Agreements are reviewed by the CQC Manager.

Disclosure of Information #

The disclosure of any personal data outside of the points above will be processed under the Data Protection Policy and disclosure of corporate information will be dealt with under the Freedom of Information Policy.

Data Subject Rights #

Data subjects have increased rights under the new data protection legislation:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.

Incident and Risk Management #

Any incidents related to information governance should be reported on the K4 Medical Services incident reporting system, IR1. The CQC Manager will decide whether it is necessary to report the incident as a Serious Incident under the Serious Incident Policy and/or to the Information Commissioner. The incident will also be processed through the NHS Digital Serious Incident reporting tool to support this decision. A serious breach of any information governance policy could result in action being taken under the K4 Medical Services Disciplinary Policy.

The CQC Manager will identify potential risks to the Trust from the incident investigation process and record these onto K4 Medical Services Risk Register. These risks will be reviewed by the CQC Manager monthly.

Standards/Key Performance Indicators #

The Key Performance Indicator for this Policy is satisfactory compliance with the requirements of the annual NHS Digital Data Security and Protection Toolkit return.

References #

  • Data Protection Act 2018
  • EU General Data Protection Regulation (GDPR)
  • The Common Law Duty of Confidentiality
  • Access to Health Records Act 1990
  • Freedom of Information Act 2000
  • The Human Rights Act 1998 (Article 8)
  • Computer Misuse Act 1990
  • ISO 9000 Information Security Management
  • The Crime and Disorder Act 1998 (Section 115)
  • Civil Contingencies Act 2000
  • Protection of Children Act 2010
  • Clinical Information Quality Assurance
  • Corporate Information Quality Assurance
  • Records Management: NHS Code of Practice
  • NHS England Contract
  • NHS Operating Framework
  • Caldicott Guardian Seven Principles
  • Data Security and Protection Toolkit
  • Electronic Communications Act 2000
  • A Paperless NHS: Electronic Health Records
