The Data Protection Act 1998 provides conditions that must be met when processing personal information. In addition, where personal information is held in confidence (e.g. details of care and treatment), the common law requires the consent of the individual concerned or some other legal basis before it is used and shared. Staff must be made aware of the right of an individual to restrict how confidential personal information is disclosed and the processes that they need to follow to ensure this right is respected.
The organisation must have a plan of action for identifying all purposes that involve the sharing or use of confidential personal information and for determining the legal basis for such sharing or use.
There is a documented plan for identifying all purposes supported by confidential personal information and for determining the legal basis for each.
The plan has been approved by senior management, an appropriate committee or other established local governance process.
Information Governance Review meeting
All purposes that require confidential personal data to be used or shared have been identified and have a clear and documented lawful basis. All staff engaged in supporting these purposes understand what is lawful and what is not.
There are guidelines for staff that are accessible to them in an appropriate location.
All flows and uses of confidential personal information have been identified and documented and the underpinning legal basis is clearly understood and recorded.
All uses and sharing of confidential personal information that do not have a clear legal basis are treated as data breaches and have been reported to the Board and to the HSCIC via the IG SIRI Incident Reporting Tool.
There have been no such breaches
The organisation ensures that it respects service user objections in respect of the use and sharing of confidential personal information unless there is a legal basis that overrides an individual’s objection.
The organisation must ensure that it has a process in place for managing and responding to any objections made by service users in respect of the use or sharing of confidential personal information.
As an intermidiary, we do not directly provide services to relevant users ourselves.
It is important to ensure that information is shared in compliance with the law and is in line with the expectations of the public. Satisfaction surveys and focus groups are used to check that service users understand their consent choices and feel that their wishes are respected.
As an intermidiary, we do not directly provide services to relevant users ourselves.