The Information Services Division (ISD) works with information collected about patients and the NHSScotland workforce. This information is collated and analysed by ISD to improve understanding about the health of people in Scotland and the NHS workforce so that the best quality health and care services can be provided.
Ensuring the confidentiality and data protection of information
ISD works very hard to ensure the safe and secure storage, use and management of information. We regularly review our confidentiality and security policies and practice to make sure they are kept up to date. If you have any queries about confidentiality or how we look after information, you can email: nss.isdInfoGovernance@nhs.net
We ensure the confidentiality and data protection of confidential information in the following ways.
We provide all staff with confidentiality training
All of our staff undertake specific training in confidentiality. This training helps staff to follow the rules that govern the care and release of confidential data.
When we recruit new staff, they must read those rules and then sign that they understand and accept them. All staff renew this declaration annually. Our staff contracts lay out the need to respect and preserve confidentiality.
We have a Caldicott Guardian
We have an individual who is the ‘Caldicott Guardian’ for our organisation. The job of a Caldicott Guardian is to ensure that we take all appropriate steps to protect the confidentiality of patient information. The Caldicott Guardian is responsible for advising on, agreeing and reviewing protocols governing the protection, use and disclosure of patient information. The Caldicott Guardian works as part of a team of Information Governance experts, who specialise in confidentiality and data protection.
We follow the Data Protection Act 1998
Our organisation follows the principles of the Data Protection Act 1998. This Act governs how we use personal data. Our work is included within the entry for NHS National Services Scotland (NSS, our parent organisation) in the register of data controllers maintained by the Information Commissioner. The Information Commissioner's Web site is www.ico.org.uk and the Data Protection Registration Number for NSS is Z5801192.
We have specific policies and procedures
There are a number of policies and procedures that help us to ensure that personal data is kept secure.
- Most of the analysis that we carry out uses anonymised information. This means that information that could identify an individual, for example name, date of birth or address is removed.
- Only a limited number of specially trained staff can access confidential information that could identify a person. Access can only be given with special permission for a set time period.
- Statistical Disclosure Control is a way to reduce the risk of disclosing personally identifiable information. We control disclosure by suppressing (not showing), combining or modifying data before release. Our Statistical Disclosure Protocol [711Kb] complies with the Information Commissioner’s Anonymisation Code of Practice.
- We undertake Privacy Impact Assessments for all new developments or changes to the way that we use data. The publication ‘Conducting privacy impact assessments code of practice’ by the Information Commissioner’s Office gives an overview of the process that we follow.
- The Public Benefit and Privacy Panel for Health and Social Care decides when nationally held information about people who use health and care services can be used for research, audit and service improvement whilst upholding legal obligations of data protection and confidentiality. The panel is made up of doctors, lay people, researchers and specialist advisers on confidentiality and data protection. It considers if requests for information strike the right balance between protecting personal data and making data available for research and audit. It makes sure that any information releases are carefully controlled and in the public interest. You can find out more about the panel at http://www.informationgovernance.scot.nhs.uk/pbpphsc/
- Any researcher wishing to use the data that we hold must follow current legal and ethical guidelines. If personal identifiers such as name, date of birth, address, etc. are required, the researcher must seek specific consent for this.
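As an added illustration of the Statistical Disclosure Control step described above (example code written for this page, not ISD's own protocol or software), the block below applies primary suppression to a constructed frequency table and then secondary suppression, so that a hidden small count cannot be recomputed from a published row or column total. The threshold of 5, the table and its labels are all assumptions for the example.

```python
# Added example, not ISD code: small-cell suppression on a constructed table
# of case counts by area (rows) and age band (columns).
from typing import List, Optional, Tuple

THRESHOLD = 5  # assumed: non-zero counts below 5 are treated as disclosive
Table = List[List[Optional[int]]]  # None marks a suppressed cell

# Constructed sample: rows = areas A, B, C; columns = age bands 0-17, 18-64, 65+
COUNTS = [[12, 3, 20],
          [8, 15, 9],
          [2, 11, 7]]

def primary_suppress(table: List[List[int]]) -> Table:
    """Hide every non-zero count that falls below THRESHOLD ("not showing")."""
    return [[None if 0 < v < THRESHOLD else v for v in row] for row in table]

def lone_suppressed(table: Table) -> List[Tuple[int, int]]:
    """Suppressed cells that are the only one in their row or column: a reader
    could recompute them by subtraction from that row's or column's total."""
    n_rows, n_cols = len(table), len(table[0])
    lone = []
    for r in range(n_rows):
        for c in range(n_cols):
            if table[r][c] is None:
                in_row = sum(v is None for v in table[r])
                in_col = sum(table[i][c] is None for i in range(n_rows))
                if in_row == 1 or in_col == 1:
                    lone.append((r, c))
    return lone

def secondary_suppress(table: Table) -> Table:
    """Repeatedly hide the smallest positive cell sharing a row or column with
    a lone suppressed cell until no suppressed cell can be recovered."""
    t = [row[:] for row in table]
    n_rows, n_cols = len(t), len(t[0])
    while True:
        lone = lone_suppressed(t)
        if not lone:
            return t
        r, c = lone[0]
        changed = False
        row_cands = [(t[r][j], j) for j in range(n_cols) if t[r][j]]
        if sum(v is None for v in t[r]) == 1 and row_cands:
            t[r][min(row_cands)[1]] = None
            changed = True
        col_cands = [(t[i][c], i) for i in range(n_rows) if t[i][c]]
        if sum(t[i][c] is None for i in range(n_rows)) == 1 and col_cands:
            t[min(col_cands)[1]][c] = None
            changed = True
        if not changed:  # only zeros left to hide behind: cannot protect cell
            raise ValueError(f"cell {(r, c)} cannot be protected by suppression")

def release(table: List[List[int]]) -> Table:
    """Full disclosure-control pass: primary then secondary suppression."""
    return secondary_suppress(primary_suppress(table))
```

On the sample table, primary suppression alone leaves both small cells recoverable from the margins; the secondary pass hides two further cells so each suppressed value shares its row and column with another.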
When we have to use information that could identify an individual
There are times when we have to use information that could identify an individual. For example:
- reviewing samples of health records to make sure the information held is accurate;
- linking information together so that the outcomes of a particular illness or disease can be monitored;
- providing information to an NHS Board about their patients or residents who have had treatment in other locations;
- monitoring health hazards by gathering surveillance information provided by laboratories, hospitals, GPs, NHS Boards and Local Authorities; and
- managing exposure to health hazards and large outbreaks of infectious illness that may affect many people across Scotland, such as large flu outbreaks.
Where there is a requirement for information of this type, only a limited number of trained staff are allowed to access the information and only with special permission for a set time period.
If you would like more information
We have published some of the most frequently asked questions about patient confidentiality - we hope you find these helpful. We have published a leaflet ‘Safe and secure use of personal health information’ [1.3 Mb] which explains how we ensure information is managed, stored and used securely and in accordance with the law.
If you have any queries about confidentiality or how we look after information, please email nss.isdInfoGovernance@nhs.net.