The Transforming Community Services (TCS) programme includes changes in organisational arrangements and developing the usage of information and the associated infrastructure to focus and improve services. The interaction of the organisational arrangements and the use of, and access to, patient data and records through different models of information management facilities leads to the need to be clear about the associated Information Governance (IG) arrangements. These allow for protecting and enabling effective use of the data of patients, service users or clients (referred to mainly as patients for simplicity throughout the rest of this paper, a term intended to include service users and clients).

A range of organisational models [1] are emerging, including Community Foundation Trust; Social Enterprise; Vertical integration, i.e. to support different parts of the patient pathway, e.g. with an NHS Provider Trust via Joint Venture, Community Interest Company or S75 Agreement; Horizontal integration, i.e. to cover the same part of the pathway, e.g. with similar providers and/or Local Authorities (LA) via S75 partnership agreement; and mixtures of the above to provide the full range of services.

Patient records and data (in paper or electronic form) have to be included in the formal arrangements and agreements involved in transferring services from Primary Care Trusts (PCTs) to Receiving Organisations in order that the Receiving Organisation can perform its functions. It is crucial that the IG aspects of transferring records and data are also considered in such agreements. This paper sets out some of the key IG issues to be considered to enable the informatics aspect of TCS to be undertaken successfully.

The legal status of some Receiving Organisations will change during the period that the community services transformation is taking place. Legal status is material to the transfer of responsibility for records and data: the transfer should not occur until the Receiving Organisation is a legal entity, which also brings the need to implement the associated IG obligations.
[1] Transforming Community Services: enabling new patterns of provision; see http://www.dh.gov.uk/prod_consum_dh/groups/dh_digitalassets/documents/digitalasset/dh_093196.pdf
64941549.doc Author: Wally Gowing
means that the information and the system capability may be retained for the local health economy irrespective of the community service provider arrangements.
IG Context
IG is concerned with ensuring that person-level data and records of Data Subjects can be properly protected whilst productively used to support delivery of care and effective operation of services. IG can also be viewed as a mechanism to manage risks to patient data and to organisations in their management and use of data and records of patients. The legal basis for IG is provided through the Data Protection Act [2] and NHS policy, such as the Caldicott Principles. A key concept concerning access to identifiable data is that such access should only take place if it is necessary and can be justified, and that identifiable data should only be used in support of the delivery of care; otherwise effectively anonymised data should be used.

Key concepts of IG implementation at organisational level are Data Controller and Data Processor (defined in Appendix 1), as legal obligations are vested in organisations, which have to be legal entities to undertake these roles. The Data Controller has responsibility for the use to which the data is put by an organisation and may undertake processing, whilst a Data Processor may be a separate organisation that provides services to the Data Controller organisation. A Data Controller should explicitly state what is expected from its Data Processors, and this should be achieved through formal contracts (rather than SLAs) even when between NHS organisations. The contracts should create clarity about the services and provide mutual protection given the liabilities that each is under in delivering services.

Given the various combinations of models emerging for organisations and community service provision, together with those for information service provision, it is important to be clear how the IG obligations can be met. For NHS organisations, IG responsibilities are vested in three roles, namely Caldicott Guardian, Senior Information Risk Owner (SIRO) and Information Asset Owner (IAO) (see Appendix 1).
Compliance by NHS-related organisations with IG requirements is assessed through the Information Governance Toolkit (IGT), which is revised annually to reflect IG legal and policy developments.

The Information Commissioner, who is the Independent Regulator and responsible for Data Protection, recommends that a Privacy Impact Assessment (PIA) be undertaken at the outset of any project that might impact on people's privacy. The aim of the PIA is to assess privacy risks to individuals in the collection, use and disclosure of information. PIAs, which can be run on a full-scale or small-scale basis, are intended to help identify privacy risks, foresee problems and bring forward solutions. To assist, the Information Commissioner's Office (ICO) has produced a PIA handbook [3] outlining processes and providing screening questions etc. The use of PIA may be pertinent to all Receiving Organisations, particularly newly created organisations.

The scope of records and data held by a range of organisations will change as TCS is implemented. The resulting changes will need to be reflected in the many IG policies and procedures of affected organisations to ensure an effective IG regime. In turn, these IG changes may well impact on staff and associated IG training.
1.2
Under the DPA, Data Controllers have to be legal entities as there is liability for their actions. This means, for instance, that GP Commissioning Consortia cannot be Data Controllers until they are legally formed, that is at the time their legal status is attained when the relevant health bill has been passed.

It is assumed that there will be legal terms of transfer between a PCT and relevant Receiving Organisations. The transfer of records and data should be included as part of the formal transfer of assets alongside premises, staff and hardware. The fate of records and data should be clearly stated within the schedules supporting the transfer of services, including, for example, Data Protection aspects and the handling of Freedom of Information requests. Reference should be made to the subsequent need for establishing the mechanisms for working between the organisations as issues arise in managing the existing data assets. An example of this is given in Appendix 2, a document setting out sample processes for managing orphaned data. It is important to resolve issues at the outset, especially in relation to any future resource issues that may arise, so that problems due to lack of scope or clarity do not build up against the backdrop of PCTs ceasing to exist in the near future; it would be prudent to include mechanisms to resolve problems in the interim.

When services are transferred to significant NHS organisations, responsibility for full records and data should be transferred, as the Receiving Organisation is taking on the PCT's Community and other Services roles and liabilities. Professional staff will need access to such records and data and it is expected that the ICO would deem that full transfer to the Receiving Organisation is reasonable from the Data Subjects' viewpoint.

When services are being transferred to emerging Receiving Organisations that are not yet legal entities, then the Data Controller may continue to be the PCT until legal entity status is reached.
This may be accompanied in some cases by such organisations being initially limited in capacity and capability, where the commissioner's contracts for services should retain the right to transfer records and data to successor organisations. In such cases, it may be sensible to transfer recent records and data relating to recent activity (e.g. last 2 years) and not to transfer archive data, which would add to the burdens of the new organisation. Such archive data would continue to be the responsibility of the PCT as Data Controller. However, in general, records and data about individuals whose services are being transferred should not be orphaned, i.e. some part left behind at the PCT or the PCT's Data Processor, as they are clearly the responsibility of the Receiving Organisations (see Section 1.7).
1.3 System ownership
The issue of 'Who owns the system supporting delivery of community services?' should not be relevant or have impact for TCS as long as ownership does not assume the right of access to data or data controller rights; for example, LSPs are system owners for much data processed for the NHS. There is an issue with existing community systems where these have been operated by PCTs utilising software made available through volume licence agreements with organisations such as Microsoft through Connecting for Health (CFH). It is possible to move forward with the model of the PCT/Commissioner 'owning' or 'licensing' software and systems for use by a new community service provider; this is legitimate from an IG viewpoint as long as relevant IG 'rules'/constraints are met in which the PCT/Commissioner does not have access to the data at individual patient level. CFH can provide copies of the licensing arrangements and forms for any required transfers.
1.4 Data Controller
There must be clarity about who/which organisation is the Data Controller for the transferred records and data in order to exercise the responsibility for which personal data can be processed and how (see Appendix 1 for definitions). In effect the Data Controller must be the organisation which determines the purposes for which and the manner in which any personal data are, or are to be, processed [4]; in this case in support of provision of care or undertaking analysis etc. This means, for instance, that a PCT can own a system, but the Receiving Trust having the responsibility for patients and their information must be the Data Controller. Any organisation registering with the Information Commissioner as a data controller must assume full responsibility for managing patient information held on relevant systems (e.g. RiO in London), some of which will be in active use and some a historic record of care.

Organisations can be data controllers jointly if organisations act together to decide the purpose and manner of any data processing. This can occur within the NHS and may be pertinent in some instances arising from changes associated with TCS.
1.5 Data Processing
There must be clarity about who/which organisation acts as Data Processor for/on behalf of the Data Controller for data transferred as part of TCS; this may be the same organisation, a shared service or an external contractor (e.g. LSP); there may be more than one Data Processor. A Data Processor must be part of a legal entity, as liability for failing to meet the legal obligations of the DPA must be accepted and indemnified against. If the Data Processor is in an organisation separate from the Data Controller, then formal contracts (with schedules for specific services, performance etc.) must be used. If a Data Processor is providing services to a consortium of NHS organisations hosted by one of the NHS organisations, contracts must be held with each of the NHS organisations for the relevant Data Processing, for which each NHS organisation is the Data Controller.
1.6
PCTs and the Receiving Organisations consequent on TCS must notify the ICO annually of their processing of personal data. The notifications for 2011 will need to include any additional or reduced data processing to be carried out by relevant organisations for the changes occurring because of TCS.
1.7
Transfer of records and data arising from TCS should be included as, and be regarded as, a transfer of assets in much the same way as staff or hardware, and such records and data cannot be orphaned; this applies to both electronic and paper records. When PCTs transfer responsibility for their services and the legal liability for the care provided, the data and records controlled by the PCTs and the related responsibility also have to be transferred to the new body responsible for delivering the services.

If the Receiving Organisation does not want to take all of the historical data then, if the relevant retention period for the type of record has been reached, such data can be securely destroyed prior to transfer or archived if the data remains relevant. If the data are archived, then responsibility for the data's continued existence must be clarified at the point of archiving and must reside with a suitable legal entity.

For data which have not reached the retention period expiry date, responsibility for the data should be transferred to the Receiving Organisation along with the other responsibilities passed over by the PCT. If such data were to be destroyed inappropriately it would leave the Receiving Organisation defenceless in terms of having evidence mitigating its liability. A court could view such destruction as evidence of the body seeking to shirk its responsibilities.

If a new body does not want historical data in its records then the data does not need to move, but there would need to be a new data processing contract with the current data processor to retain the data as an archive for the prescribed retention period, followed by either public records archiving or destruction.

If orphaned records are to be archived, then there needs to be agreement and clarity between organisations on the specific responsibilities in meeting the various legal obligations that may arise. These responsibilities include the situation where a patient moves from inactive to active through supply of community services; subject access requests under the DPA; where litigation arises; or where records are requested by Courts or the police. A sample agreement is attached as Appendix 2, based on an agreement developed in the Liverpool/Sefton area. This followed from the splitting of a PCT's community services between 2 Receiving Organisations and the decision to not transfer inactive records.
http://www.penninecare.nhs.uk/legal/gmigg/
ensure they get the best services. This sharing must only happen when it is legal and necessary to do so to provide services to the patients and when adequate safeguards are in place to protect the security of the information. This means that the same rules and restrictions apply to access to identifiable data by an ISP organisation as in the originating organisation. As ISPs can enable access to identifiable data, such ISPs must be signed off by relevant Caldicott Guardians on behalf of the Data Controller organisations. A generic sample ISP for sharing information with other organisations is shown in Appendix 3.
Sample documents are shown in Appendix 4. These documents have been developed by Manchester PCT and reflect the fact that Manchester PCT will continue to operate the Community system for use by a variety of provider Trusts. Whilst this may not be a typical situation, the purpose and principles of the ISPs and confidentiality agreement, especially the Pre-Transfer ISP, are relevant wherever data and record transfers are due to take place and whatever organisational change arrangements are planned. The documents provide templates for development of local ISPs and agreements as required.

In addition to the ISPs above, there may be Subject Specific Information Sharing Agreements (SSISA) to supplement any overarching ISPs by giving the details of sharing of specific sets of data for specific purposes. A particular example of this is that future versions of RiO (used for community and mental health services in London) will include a function for a user of one organisation's RiO system to see data held for a patient on another organisation's RiO application (RiO2RiO), as long as the patient has given consent. This will be supported by a SSISA for trusts that use this function, and the SSISA document will spell out the obligations for use of this form of integration.
1.9
Systems that support the delivery of care and record, for example, clinical data as part of the patient record, will largely operate for these primary purposes. The use of data to support analysis of activity or commissioning processes is regarded as for secondary purposes, as are the associated systems. For primary use purposes, data can be accessed in identifiable form. However, secondary use should utilise de-identified data, and currently most NHS organisations and systems are unable to meet this basic DPA and Common Law of Confidentiality requirement in respect of secondary use. The NHS currently utilises a Section 251 approval to allow use of identifiable data. This approval is reviewed on an annual basis, but will be withdrawn as the NHS implements de-identification facilities and capabilities, which is IGT Requirement 8-324. Guidance and further information on implementation of de-identification for secondary use is available from CFH and IC websites [8].
http://www.connectingforhealth.nhs.uk/systemsandservices/sus/delivery/pseudo
http://www.connectingforhealth.nhs.uk/systemsandservices/data/sds/user-migration/OMS Process for User Migration FINAL ISSUED V 1.0.docx/view?searchterm=OMS Process for User Migration
instances of software and data for Trusts B and C. However, the result may actually be that staff in Trusts B and C can both access the non-archived Trust A data and possibly access one instance of a system and data being used by both Trusts B and C, as there are patients in common for the services supplied by the Trusts, but, in addition, can inadvertently access all records for patients, not only those for which they have clinical or operational responsibility.

The above outline may be a worst case scenario (though adding in the complexity of some of the data concerned being about mental health or local authority social services and it could be worse) and should be avoided, but if this (or something similar) does arise, it is vital that:
- Information sharing protocols are put in place that explicitly cover the particular circumstances of accessing each other's data
- Non-maintained data (i.e. the data that should have been archived) is clearly identified as such, together with the fact that it cannot be relied upon as a current clinical record
- Staff in the new service providers are aware of the breadth and limitations of accessing data through Information Sharing Protocols and their professional obligations.
For new patients/service users/clients of affected community services a Fair Processing notice can be used. Usually this takes the form of a leaflet entitled 'How we use your information'. The Notices in place at each organisation will need to be reviewed and any gaps identified for a new leaflet that would need to be in place when the services are taken over by the Receiving Trust. The leaflet should be sent out with all first appointments and should be distributed at service points throughout the organisation.

In addition, all current patients/service users/clients of affected community services must be informed of relevant changes. Consideration should be given to doing this effectively and in a coordinated manner so that the client is not receiving several communications from e.g. the PCT and the Receiving Trust. It is probable that there will be a wider local communications process to inform about changes to services associated with TCS and it would be helpful if the records, data and IG aspects were an integral part of that process.
http://www.computerweekly.com/blogs/tony_collins/2010/05/tell-your-gp-a-secret---and-90.html
Key questions
The issues set out above can be restated as a set of key questions and actions that apply to PCTs and Receiving Organisations. The impact that these questions and issues have will vary depending on the particular set of organisational changes being implemented, e.g. a Social Enterprise being created with new systems compared with a PCT with Community services moving to an existing Receiving Trust. The questions need answering in the affirmative for the IG aspects of the organisational arrangement and associated systems to be potentially considered as being suitable. There may be other detailed points that prevent the IG arrangements being immediately sufficient and effective, but these should be soluble in the long term.

Q1. Are the organisations to which records and data are being transferred (and which will be responsible for them as Data Controller) existing legal entities? (See section 1.2)

Q2. Are the datasets included in the formal statements on transfer of assets between organisations? There may be issues on timing about this, but reference to the need to transfer datasets and records should be made in the formal statements with details clearly stated subsequently in related formal schedules. (See section 1.2)

Q3. Which organisation owns the system in terms of hardware and software and relevant licences? This organisation is the System Owner. The System Owner for data from transferred PCT provider arms may, for example, be a PCT, a LSP or Trust. (See section 1.2)

Q4. Which organisation(s) determines the purposes for which the personal data in the system are used (e.g. what data is held on and what reports and analyses are required to check what is happening to Mrs Smith)? This organisation is the Data Controller (which may also be the System Owner); there may be more than one Data Controller acting jointly. The Data Controllers for data from transferred PCT provider arms are expected to be the Receiving Organisations. (See section 1.4)

Q5. Which organisation is responsible for safeguarding and processing the data? This organisation is the Data Processor (which may also be the Data Controller). The Data Processors for data from transferred PCT provider arms will be the organisations undertaking data processing for the Receiving Organisations, such as the Receiving Trusts themselves, shared health informatics services (HIS) or LSPs. (See section 1.5)

Q6. Have Privacy Impact Assessments been undertaken for records, data and systems? In particular, have PIAs been undertaken in relation to sensitive services? (See section 1.14)

Q7. If different organisations are identified in Q1, Q2 and Q3, then are there suitable statements and service level agreements between the organisations to define roles etc.? (See section 1.5)

Q8. Have the PCT and the Receiving Organisations notified the ICO of changes to their data controller and data processing responsibilities? (See section 1.6 & 1.16)

Q9. Are any data orphaned as a result of the data transfer? If yes, are there appropriate data processing agreements in place? (See section 1.7)

Q10. If data and information are shared between organisations or accessed across organisations, are relevant Information Sharing Protocols or Acceptable Use Policies and staff confidentiality agreements in place? Where necessary, are these supported by Subject Specific Information Sharing Agreements? (See section 1.8)

Q11. Where there is orphaned data and information-sharing protocols are in place, have checks been made that inadvertent unauthorised access cannot be made to orphaned data or to records for patients for which the service provider does not have responsibility? If such access can be made, relevant remedial steps are required. (See section 1.13)

Q12. If a social services system is to be used to process health sourced personal data, are there appropriate safeguards on data access in place? If not, has explicit consent for the wider use of the data been obtained from the Data Subjects? (See section 1.10)

Q13. Does the system fully support DPA requirements, Caldicott Principles and the NHS Code of Confidentiality? In particular, can user access be restricted to only those patients that the user should see, either on the basis of organisational responsibility or their care service provision responsibility? (See section 1.11 & 1.12)

Q14. If the answer to Q13 is no, then are steps being taken to offset potential inappropriate data access, e.g. only nominated social services staff can access health records and vice versa? (See section 1.13 & 1.10)

Q15. Are relevant RA and user registration mechanisms in place? (See section 1.12)

Q16. Can the Receiving Organisation meet the DPA requirements of Subject Access requests and DPA S10 enquiries? (See section 1.15)

Q17. Have patients been informed that their data has been transferred and (where appropriate) that additional staff may now access their records? Have Fair Processing notices been modified to reflect TCS induced changes? (See section 1.17)

Q18. Have the organisations' IG policies and procedures been created/amended to reflect the new responsibilities resulting from implementing TCS? (See section 1.16 and for a checklist of policies and procedures see Appendix 5).

Q19. Is additional IG training required for staff as part of TCS implementation? (See section 1.16)
Appendix 1
Appendix 2
Sample - Records Management Procedure for accessing records following the Transfer of Community Services
Active & Inactive records

All records for active patients who at the time of transfer (e.g. 1st April 2011) are receiving treatment by a service that was formerly provided by NHS AA Community Health services and are transferring to either BB NHS Trust or CC Community Health services will transfer to these Receiving Organisations. Responsibility for the transferred records is also transferred to the Receiving Organisation.

All records that are inactive (for example if the patient has been discharged from the service or has died prior to the 1st April 2011) have been stored in an off-site document storage facility. These archived records and responsibility associated with them remain with NHS AA Commissioners.

Records required when a patient is re-admitted to a transferred service

If after the transfer date a patient, who had been previously discharged from a service, is re-referred to the community service, the Receiving Organisation may wish to access the patient's records from their previous treatment. Under these circumstances, a request for the records must be made to the responsible department at NHS AA Commissioners, who will locate the records in the archive and transfer them securely to the Receiving Organisation. The time limit for this process will be no longer than 14 working days.
Information must not be released without the consent of the patient or their representative unless instructed by the courts.

Records requested for Litigation

Records that have been transferred to Receiving Organisations

If a letter of claim is received by NHS AA Commissioners and relates to treatment provided to the patient whilst the service was provided by NHS AA Community Health services, but the records have been transferred to one of the Receiving Organisations, then the Receiving Organisation must make the original records available to NHS AA Commissioners within 14 working days of request. Requests should be directed to: BB NHS Trust: ....., (e.g. Senior Risk Manager) or CC Community Health Services: ....., (e.g. IG & Records Manager)

Records that are retained by NHS AA Commissioners

If a letter of claim is received by one of the Receiving Organisations and the historic records had not been transferred to the Receiving Organisation or subsequently requested when the patient is re-admitted into the service, but are required for litigation, then NHS AA Commissioners will make the original records available to the Receiving Organisation within 14 working days of the request. Requests should be directed to ..... at NHS AA Commissioners.
Appendix 3
By signing this agreement, non-NHS organisations are agreeing to meet the Caldicott requirements with regards to the agreed dataset. All organisations have to comply with the eight principles of the Data Protection Act:
1. Personal data shall be processed fairly and lawfully
2. Personal data shall be obtained only for one or more specified and lawful purposes and shall not be processed in any manner incompatible with those purposes
3. Personal data shall be adequate, relevant and not excessive
4. Personal data shall be accurate and up to date
5. Personal data shall not be kept for any longer than is necessary for the purpose
6. Personal data shall be processed in accordance with the rights of data subjects
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
8. Personal data shall not be transferred outside the EEA without adequate protections
Evidence as to how either party is meeting the requirements of the seventh principle must be produced on reasonable notice. If the party providing information becomes aware of inaccuracies contained within information that has already been shared, they will inform the other party so that all records can be amended.

Is a protocol required?

The table below sets out when a protocol is always required and when it is optional.

| | Sharing for care purposes | Sharing for non-care purposes |
|---|---|---|
| Recipient organisation is achieving the required level of information governance performance | Sharing protocol is optional. | Sharing protocol that focuses on the secondary uses in question, i.e. the purpose, constraints on re-use of information, retention periods and destruction policies is necessary. |
| Recipient organisation is unable to demonstrate the required information governance performance | Sharing protocol that addresses the required information governance standards in the recipient organisation and the legal principles that apply is necessary. | Sharing protocol that addresses the required information governance standards in the recipient organisation, the legal principles that apply and the additional standards associated with the secondary uses in question, (i.e. the purpose, constraints on re-use of information, retention periods and destruction) is necessary. |
Responsibilities and standards for participating organisations

The signatory organisations listed below will formally adopt this information sharing protocol. Each organisation will take responsibility for dissemination and implementation of this agreement. In respect of any confidential information received from the other party, each party agrees to keep the information secret and strictly confidential and will not disclose any such confidential information to a third party, unless:
- Disclosure is authorised by the prior written consent of the discloser;
- The disclosure is required to make sure the Trust complies with the Freedom of Information Act 2000 (FOIA);
- The information is already in the public domain other than by breach of contract or other act or omissions of the recipient.
Public authorities are subject to the Freedom of Information Act 2000. Both parties will act in line with the FOIA and assist the other with requests where necessary. Each organisation signing this protocol shall have appointed a responsible officer who will ensure the protection of personal identifiable information e.g. Caldicott Guardian or senior manager responsible for data protection. A list of information flows for this instance of data sharing is attached. NHS organisations are required to review all transfers of personal identifiable information annually. Each organisation is committed to ensuring staff are appropriately trained in data protection / Caldicott procedures.
Security of information

Personal identifiable information saved to removable devices such as laptops or USB drives must be encrypted. Email will only be used to send sensitive information when both the sender and recipient use nhs.net accounts. Fax must only be used when the recipient has a fax machine in a secure area. Multiple copies of the information shared should not be made as this compromises security.

Termination of this agreement

Any changes to this agreement must be agreed by both parties in writing. If the party which is the recipient of information should use that information in any way which is outside of the terms of this agreement or any addition confirmed by both parties, this agreement will be terminated and information sharing will cease. If, on review of this agreement, it is clear that the necessity to share information has ceased, termination must be agreed in writing by both parties. Each organisation will assist in any review carried out.
Appendix 4
Sample - TCS Pre-transfer Information Sharing Protocol

Declaration of acceptance and participation

Information will be shared between XXXX PCT and:
- AA NHS Foundation Trust,
- BB Health and Social Care NHS Trust,
- CC Acute Hospitals NHS Trust,
- DD NHS Foundation Trust

Data to be shared

Before a transfer of XX PCT Community Services takes place, patient identifiable data held on paper records and on systems detailed in the XXXX PCT Systems Catalogue v5.0 will be accessed by a strictly limited number of staff from the above named Trusts.

Reason for sharing information

To develop an understanding of how the systems work.

Access

The following staff will have access to the information:
- Community Services
- Choose & Book
- Human Resources
- IM&T
- Any other authorised user

Destruction details

Once the purpose for information sharing has ended, and where appropriate to do so, information will be disposed of in accordance with NHS and legal requirements (NHS Code of Practice and NHS Retention & Disposal Policy).

Signed by

Signed . . . . . . . . . . . . Print Name . . . . . . . . . . . . Date . . . . . . .
Position . . . . . . . . . . . .
On behalf of XX PCT

Signed . . . . . . . . . . . . Print Name . . . . . . . . . . . . Date . . . . . . .
Position . . . . . . . . . . . .
On behalf of recipient Trust
Data to be shared

Following the transfer of community services, patient identifiable data held on paper records and on systems detailed in the XX PCT Systems Catalogue v5.0 will be accessed by a strictly limited number of staff from the above named Trusts.

Reason for sharing information

To provide community services, each of the above Trusts needs access to the above systems formerly controlled by XX PCT. Each Trust must ensure that staff are reminded they must only access information for work purposes and in relation to patients they are involved in the care of. Each Trust is responsible for the data relating to their own patients. The accuracy and security of the information must be maintained by the individual Trust. Staff having access to these systems must sign a confidentiality agreement.

Access

The following staff will have access to the information:
- Community Services
- Choose & Book
- Human Resources
- IM&T
- Any other authorised user

Destruction details

Once the purpose for information sharing has ended, and where appropriate to do so, information will be disposed of in accordance with NHS and legal requirements (NHS Code of Practice and NHS Retention & Disposal Policy). If a system is to be replaced this will be discussed jointly with each Trust represented.

Signed by

Signed . . . . . . . . . . . . Print Name . . . . . . . . . . . . Date . . . . . . .
Position . . . . . . . . . . . .
On behalf of <recipient Trust>
Appendix 5