Tavistock and Portman NHS FT

Tavistock and Portman NHS FT Privacy policy

This notice tells you why we collect information about you and how you can expect us to use it.

The information we collect about you is called personal information. This privacy policy also supports Tavistock Consulting activities.

What is personal information?

Personal information is any data that directly or indirectly identifies you. Directly means the data on its own, and indirectly means when combined with other data.  For example, your age on its own wont identify you, but when combined with, say, your school, ethnicity or religion, it may be possible to identify you.

Is my information safe?

Our patient records are held electronically and securely.

Only staff who are involved in your care, or who provide support to our clinical teams, can access your records, using secure access methods. We know who has looked at your records and who has made any changes. We only process the minimum personal data needed and we only hold it for as long as necessary.

Our staff are subject to a duty of confidentiality and must complete information security and data protection training.   

Our security controls protect your confidentiality and ensure that relevant and reliable information is always available to your clinician.

Health Information Exchange (HIE)

Information is shared with local health and social care partners under the Health Information Exchange (HIE). The HIE includes patients who live in or whose GP is based in North Central London. The following services are not part of the project, so if you use the below services your information will not be made available through the HIE:

• Gender Identity Clinic (GIC)
• Forensic Child and Adolescent Mental Health Services (FCAMHS) based at the Portman Clinic
• Mentalization-Based Therapy (MBT) service based at the Portman Clinic
• Portman Assessment and Psychotherapy Service
• Family Assessment Service (FAS), Family Drug and Alcohol Court (FDAC)
• Complex Assessment, Camden CAMHS

Information laws

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 make sure we protect your information. Under the GDPR we must have a lawful basis to process your information.   

The Information Commissioner’s Office (ICO) upholds people’s information rights. 

What personal information do you process about me?

Patients and Carers

Purpose (why do we collect the information?)	What data do we collect?	Who might we share your data with?	What is the lawful basis for the processing?	How long do we keep your information for?
To provide you with services and treatments.	Your full name* and contact details, date of birth, age, gender information, ethnicity, religion, next of kin, immigration status, referral and treatment information, care and health information, forensic information related to your care needs.	Your GP, informal carer, NHS hospital or social care staff involved in your care, ambulance services (the above may share data under the Health Information Exchange). We may also share information with the police and probation services. If you view or manage your appointments via the NHS App, your data will be shared with NHS England who operate the NHS App and provide this functionality, known as NHS Wayfinder services. View the NHS App privacy policy.	Article 6(e): Public task. Article 9(2)(h): preventive or occupational medicine, the provision of health or social care or treatment	Adult mental health records: Most records are held for 8 years after end of service. Records made under the Mental Health Act are held for 20 years after end of service or 10 years after death. Adult gender dysphoria records are held for 30 years after end of service (subject to review). Children’s records are held until the patient’s 25/26th birthday (depending on age at discharge). If a patient transfers to adult services the full record is transferred and the above retention periods then apply. NB: Closed adult mental health case files originally created in paper format may be held for up to 20 years.
Research where you have agreed to take part (Interventional or clinical research)	This will depend on the nature and purpose of the research.  We will tell you what data we will be processing about you.	We will tell you who we will be sharing your information with.  Some of our research is carried out  jointly with other NHS Trusts or universities.	Article 6(e): Public task. Article 9(2)(g): for reasons of substantial public interest, on the basis of Union or Member State law. and the interests of the data subject	20 years
Research (observational, for data analyses and service planning)	This will also depend on the nature and purpose of the research.  We will use only the minimum personal data needed.	NHS and academia See NHS National Data Opt Out:  https://www.nhs.uk/your-nhs-data-matters/	Article 6(e): Public task. Article 9(2)(j): for archiving purposes in the public interest, scientific or historical research purposes or statistical purpose,) based on Union or Member State law	20 years

 

Students

	What data do we collect?	Purpose (why we collect it)	Who might we share your data with?	What is the lawful basis for the processing?	How long do we keep your information for?
Prospective students	Your name and contact details	Application process	N/A	Article 6(e): Public task	Current admission cycle plus 1 year
Students who apply for a place	Your contact details (name, address, phone number(s), email, date of birth, gender, ethnicity, religion, relevant health or disability information, next of kin, details of your previous education and qualifications, financial information, ID/passport, visa or immigration information if you are a non-UK citizen. For regulated courses, we will check for criminal offences.	Verification checks, course planning, equalities monitoring, immigration status and DBS clearance.	Regulators and government agencies, student loan companies, student sponsors and employers.	Article 6(e): Public task	End of student relationship plus 6 years
Enrolled/current students	In addition to the above, we hold information about your course, classes and attendance, exam results, placements, accommodation. You will be given a student number which our staff will use to identify you.	Course delivery and recording	As above	Article 6(e): Public task	End of student relationships plus 6 years (except where permanent retention is a legal or historical requirement, e.g. record of certificates and awards
Past students (alumni)	Your contact details, post graduate course information and results.	Your post graduate qualification with us, your next employment, education or training.	Future employers (e.g. references), other educational institutions	Article 6(e): Public task	As above

 

Staff

	What data do we collect?	Purpose (why we collect it)	Who might we share your data with?	What is the lawful basis for the processing?	How long do we keep your information for?
Prospective staff	As per application form.	Recruitment	Referees	Article 6(e): Public task	12 months
Current staff	As per application form, references, contract information, training, absence details, occupational health data, bank details	Performance of contracted duties, payroll, training and development	Future/prospective employers, accreditation bodies, mortgage lenders (upon request), occupational health provider.	Article 6(e): Public task Article 9(2)(b) Employment, social security and social protection (if authorised by law)	6 years from last day of employment or 75th birthday (whichever is soonest). Salaries and pensions:  10 years
Current staff	Location of Trust mobile devices: laptops and mobile phones	Cyber security	This is not shared outside the Trust	Legitimate interests	Until the mobile device is returned to the ICT team
Past staff	Not applicable	As above	As above	Article 6(e): Public task, Article 6(c): Legal obligation or Article 6(a): Consent	As above

 

Partners and Third Parties

	What data do we collect?	Purpose (why we collect it)	Who might we share your data with?	What is the lawful basis for the processing?	How long do we keep your information for?
Agencies and contractors	Contact details	Recruitment	Recruitment agencies and managed providers	Article 6(e): Public task	3 years from end of contract
NHS Trusts	Contact details	Workforce development projects	Project stakeholders	Article 6(f): Legitimate interests	End of project plus up to 6 years

Keeping your information accurate and up to date

It is important for you to tell us if your name or contact details change.

Please also tell us if you notice any incorrect or out of date information on your records. 

We will take the opportunity to share information with you when you attend appointments, so you can tell us if there is anything you don’t agree with. We will always record your comments.

When we may ask for your consent

If we wish to process your personal information in a way that you may not reasonably expect (i.e. that is not related to your care or treatment (service users), your education (students) or employment (staff), and where you can expect a duty of confidence to apply, we will ask for your consent to process your information for that purpose. This consent is called ‘common law’ consent. Common law is not a written law but is based on previous case law.

Adult gender patients

We will protect your privacy when you change your name.

Our Gender Identity Clinic (GIC) will ask you to change your name at your GP practice, if you have not already done so. If you have been issued with a new NHS Number in your new name and gender, we will amend our records to match your personal details against your new NHS Number.

You may be asked for ID to confirm your identity, and as evidence that you are using your new name.

If you have a Gender Recognition Certification (GRC), by law we must ask for your consent to continue to process your previous name. If you do not consent, we will shield your previous identity on your record.

If you don’t have a GRC you can still ask us to shield your previous identity on your care record.

For further information, please contact the GIC at GIC.administration@nhs.net, or you can contact our Data Protection Officer at nlft.information.governance@nhs.net

Your communication preferences

We will ask you what information you would like to receive from us and how you would like to receive it. You can update your communication preferences at any time.

Social media

The Trust has official accounts on Twitter, Facebook and LinkedIn. These are controlled by our communications and marketing teams. The communications team monitors public content across social networks and generates reports based on this content.

We use information posted publicly on social media so that we can make information available where it may be relevant or of interest. We never attempt to access private social media accounts.

Cookies

Cookies are small files that are placed on your computer or mobile device by websites that you visit. Our cookies help us to improve user experience on our website and monitor web traffic to our pages. We will recognise your IP address, but we will not know who you are. You can find out more about cookies at www.allaboutcookies.org.uk.

How to report a data protection breach

If you become aware of data protection breach or potential breach, please tell us about it by emailing nlft.information.governance@nhs.net

Please include as much information as you know about the circumstances of the incident and the personal data involved.

How to make a data protection complaint

If you have a complaint or concern about data protection, please email our Data Protection Officer at nlft.information.governance@nhs.net

Alternatively, you can address your complaint to our Patient Advice and Liaison Service (PALS).

Education and Learning

Please see Tavistock Education and Training - A pioneer in mental health, social care and management and leadership

Research and Development 

Please see the Trust individual research and development pages.

F urther information

Lawful basis for processing (ICO)

Special category data (ICO)

Criminal offence data (ICO)

Guide to PECR (ICO)

Read or download our Data protection policy

Information Governance and Data Protection and confidentiality are consolidated frameworks for handling personal information in a confidential and secure manner to appropriate ethical and quality standards in a modern health service. They provide a consistent way for employees to deal with the many different information handling requirements including:

• Information Governance Management;
• Clinical Information assurance for Safe Patient Care;
• Confidentiality and Data Protection assurance;
• Corporate Information assurance;
• Information Security assurance;
• Secondary use assurance; and
• Respecting data subjects’ rights regarding the processing of their personal data.

Under the primary data protection legislation (General Data Protection Regulation (GDPR)) and Data Protection Act 2018 (DPA18), organisations that process personal data are accountable for and must be able to demonstrate their compliance with the legislation. The arrangements set out in this and related policies and procedures are intended to achieve this demonstrable compliance.

Purpose

The purpose of this policy is to inform Trust staff (permanent or otherwise) and students of their responsibilities related to information governance and data security, as well as the management arrangements and other policies that are in place to ensure demonstrable compliance.

This is a central policy in a suite of procedures that informs staff/students of what they should do to ensure that Trust data is:

• Held securely and confidentially;
• Processed fairly and lawfully;
• Obtained for specific purpose(s);
• Recorded accurately and reliably;
• Used effectively and ethically; and
• Shared and disclosed appropriately and lawfully.

To protect the Trust’s information assets from all threats, whether internal or external, deliberate or accidental, the Trust will ensure:

• Information is protected against unauthorised access;
• Confidentiality of information is assured;
• Integrity of Information is maintained;
• Information is supported by the highest quality data;
• Regulatory and legislative requirements are met;
• Business continuity plans are produced, maintained and tested;
• Information Governance awareness training is available and mandated for all staff and students; and
• All information governance breaches, actual or suspected, are reported to, and reviewed by Information Governance team in conjunction with the Data Protection Officer (DPO)

Scope

• All Trust staff and students are within the scope of this policy, including staff or students working in or on behalf of the Trust. For the avoidance of doubt, this includes contractors, temporary staff, embedded staff, secondees and all permanent employees

 

Definitions

Term	Definition
Consent	An indication of data subjects’ wishes that is given freely and is specific, informed and unambiguous. This is a way for data subjects to signify agreement to the processing of personal data that relate to them and this can be done by a statement or by a clear affirmative action. (Article 4(11) GDPR)
Data Controller	A person who determines the purposes for and the means by which personal data are, or are to be, processed.  This may be an individual or an organisation and the processing may be carried out jointly or in common with other persons.
Data Processor	Any person (other than an employee of the data controller), who processes personal information on a data controller’s behalf.  Anyone responsible for the disposal of confidential waste is also included under this definition.
Data Protection Act 2018 (“DPA”)	The Data Protection Act aims to give protection to all information relating to a living individual.  This includes information both processed by computers and held, stored manually in hard copy.
General Data Protection Regulation (“GDPR”)	The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) unifies legislation across the European Union, strengthens the data protection legislation that exists within the Data Protection Act 1998 (“DPA”) and is expected to replace that Act via the new Data Protection Bill.
Data Subject	An identified or identifiable natural person who is the subject of the personal information (data).
EEA	European Economic Area.
Freedom of Information Act (2000)	The Freedom of Information Act is law giving people the general right to see recorded information held by public authorities.
Information Commissioner	The Information Commissioner is an independent official appointed to oversee the DPA and GDPR, the Freedom of Information Act 2000 and the Environmental Information Regulations 2004.
Notification	Notification is the process by which a data controller’s processing details are added to a register.  Under the DPA every data controller who is processing personal data needs to notify unless they are exempt.  Failure to notify is a criminal offence.  Even if a data controller is exempt from notification, they must still comply with the principles.
Personal Information or Personal Confidential Information	Data which relates to a living individual who can be identified- from those data, or from those data and other information which is in the possession of, or likely to come into the possession of the data controller.  It includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
Processing	Processing means obtaining, recording or holding the data or carrying out any operation or set of operations on data.
Sensitive Personal Information	Sensitive personal data is information about a data subject’s racial or ethnic origin, political opinions, religious beliefs or beliefs of a similar nature, trades’ union membership, physical or mental health condition, sexual life, offences or alleged offences and information relating to any proceedings for offences committed or allegedly committed by the data subject, including the outcome of those proceedings.
Subject Access Request	Under the DPA18 and GDPR, individuals can see the information about themselves that is held in electronic or physical form.  If an individual wants more information on the personal data held about them, they can write to the person or organisation that they believe is processing the data, whether the data is obtained directly from data subjects or indirectly from somewhere else.

Policy statements

This policy aims to ensure that all Trust staff are aware of their responsibilities regarding data protection and confidentiality.

All incidents involving near misses or breaches of data protection or confidentiality are subject to local and/ or corporate review and investigation.

Data protection and confidentiality risks are managed in accordance with the Trust Risk Management Procedure.

Duties and responsibilities

Chief Executive

Overall accountability for procedural documents across the organisation lies with the Chief Executive. As the Accountable Officer, the Chief Executive has overall responsibility for the establishing and maintaining an effective document management system and the governance of information, meeting all statutory requirements and adhering to guidance issued in respect of data security and procedural documents.

Caldicott Guardian

The Caldicott Guardian:

• Ensures that the Trust satisfies the highest practical standards for handling patient identifiable information;
• Facilitates and enables appropriate information sharing and make decisions on behalf of the Trust following advice on options for lawful and ethical processing of information, in relations to disclosures;
• Represents and champions data security requirements and issues;
• Ensures that confidentiality issues are appropriately reflected in organisational strategies, policies and working procedures for staff; and
• Oversee all arrangements, protocols and procedures where confidential patient information may be shared with external bodies both within, and outside, the NHS.

Senior Information Risk Owner (SIRO)

The SIRO takes ownership of the Trust’s information risk policy, acts as advocate for information risk on the Trust Board and provides assurances to the Trust’s Chief Executive.  The key responsibilities of the Trust SIRO are to:

• Provide a focal point for managing information risks and incidents;
• Take ownership of the assessment processes for information risk;
• Keep the Trust Board and Chief Executive up to date and briefed on all information risk issues affecting the organisation and its business partners;
• Review and agree actions in respect of identified information risks;
• Ensure that the Trust’s approach to information risk is effective in terms of resource, commitment and execution, and being appropriately communicated to all staff;
• Provide a focal point for the escalation, resolution and/or discussion of information risk issues;
• Provide leadership for Information Asset Owners (IAOs) through effective networking structures, regular scheduled meetings, sharing of relevant experience, provision of training and creation of information risk reporting structures; and
• Advise the Board on the level of Information Risk Management performance within the Trust, including potential cost reductions/associated risks and process improvements/benefits.

Information Asset Administrator (IAA)

• Information Asset Administrators ensure that policies and procedures are followed as directed by the IAO’s;
• Recognise actual or potential security incidents, and consult their IAO on incident management; and
• Ensure that information asset registers are accurate and up to date.

Information Governance Team

The Information Governance team is responsible for maintaining this policy, providing advice on request to any member of staff on the issues covered within it.

Data Protection Officer (DPO)

The Data Protection Officer (DPO) for the Trust cannot be dismissed or penalised for performing his/her related tasks, does not receive any instruction from the Trust regarding exercising GDPR duties and is bound by secrecy and confidentiality. The DPO is allowed direct access to the Trust Board in matters that relates to data protection. They will:

• Inform and advise on GDPR and related obligations;
• Monitor compliance with GDPR and related obligations (including awareness raising and training);
• Provide advice about data protection impact assessment and to monitor their performance;
• Cooperate with supervisory authority (currently the Information Commissioner’s Office (ICO); and
• Act as a contact point for the supervisory authority (ICO).

Senior/ Line Management Responsibilities

• Ensure all permanent and temporary staff and contractors are aware of this Information Security Policy and their security responsibilities;
• Ensure all staff using computer system have been trained appropriately;
• Ensure no unauthorised staff are allowed to access any of the Trust’s computer systems or paper records;
• Ensure staff are given access to Trust computer systems based on their job role;
• Ensure all staff have fully completed the Trust employment checks;
• Ensure all staff leaving the Trust complete the staff leaver’s procedures and return all Trust equipment;
• Support any information security breach investigation; and
• All external suppliers who are contracted to supply services to the Trust must have signed a Trust Confidentiality agreement, which details their legal responsibility to maintain the confidentiality of information they may come into contact with whilst working at the Trust.

Staff Responsibilities

• Each employed, contracted and voluntary staff member is personally responsible for ensuring that no breaches of data security result from their actions;
• Attend relevant data security/governance training to ensure that are fully aware of their personal responsibilities in respect of information security, and that they are competent to carry out their designated duties;
• Fully comply with the Trust’s Data Security and protection policy and all relevant security policies and procedures;
• Understand that breaches of this policy will be investigated by formal disciplinary procedure which may lead to dismissal and/or legal action;
• Understand they are personally responsible for the accuracy of information/data recorded;
• Ensure they are familiar with the Trust safe haven procedures for secure transportation of information; and
• As part of their contract of employment sign a formal undertaking concerning the need to protect the confidentiality of information / observe intellectual property rights of work undertaken during the terms of employment / contract, both during and after contractual relations with the Trust.
• All staff have a duty to protect Trust IT equipment issued to them, to store it securely and not to take these items out of the country.
• To adhere at all times to the Email, Text Messaging, Apps and Internet Use Procedure in relation to the use of Trust equipment.

Procedures

Confidentiality and data protection

The following sections summarise key legal and national confidentiality and data protection requirements.

The Data Protection Principles

Data Protection legislation in 2018 applies to information about living individuals. It sets out six Data Protection Principles to support good practice and fairness in processing personal information. Personal Information will be:

1. processed lawfully, fairly and in a transparent manner in relation to individuals;
2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be incompatible with the initial purposes;
3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
4. accurate and, where necessary, kept up to date; every reasonable step must betaken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Fair and Lawful Processing

Under the first principle of the Data Protection legislation the Trust should ensure patients are informed about the uses of and their rights regarding the processing of their personal information. This information is communicated in various ways. These materials are displayed and available in-patient waiting areas and on the Trust internet and intranet sites.

The Trust also publishes information about specific patient information sharing activities on its website (also known as a privacy notice).

Consent and recognising objections to the processing of information

An aspect of fair processing relates to individuals giving their consent for their information to be processed Explicit consent should be obtained and always recorded in cases where use of personal information would not be reasonably expected and where the information being processed is classed as particularly sensitive information. Consent is only 1 of the legal bases for sharing personal information.

For data processed for health and social care reasons (i.e., most work undertaken within the Trust) the legal basis for processing is as follows:

Article 6(1)(e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

and

Article 9 (2)(h) Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional

 Under Data Protection legislation, Subjects have the right to object to their personal data being processed and the Trust has a duty to ensure such objections are recorded and managed appropriately. However, there are some circumstances where an individual cannot prevent the processing of their data, e.g., reporting notifiable diseases.

Individuals also have the right for their data to be amended if it is incorrect or deleted (however the NHS must adhere to the records management code of practice for retention of medical records, which must not be deleted before the retention period noted in the document)

Caldicott Guardian

The Caldicott Committee Report on the review of patient-identifiable information 1997 and the subsequent Information Governance Reviews identified seven good practice principles for the health service when handling patient information:

1. Justify the purpose for using or sharing person-identifiable
2. Only use person-identifiable information when absolutely
3. Use the minimum person-identifiable information
4. Access to person-identifiable information should be on a strict need to know
5. All staff handling person-identifiable information should be aware of their
6. Understand and comply with the law: Every use of person-identifiable information must be lawful.
7. The duty to share information can be as important as the duty to protect
8. Inform patients and service users about how their confidential information is used

A range of steps should be taken to ensure no surprises for patients and service users, so they can have clear expectations about how and why their confidential information is used, and what choices they have about this. These steps will vary depending on the use: as a minimum, this should include providing accessible, relevant and appropriate information – in some cases, greater engagement will be required.

Each organisation has a Caldicott Guardian (Medical Director within the Trust) who acts as the conscience of the organisation and is the most senior person responsible for patient confidentiality. It is the Caldicott Guardian’s responsibility for ensuring implementation of the Caldicott principles.

Disclosure of personal information

Whether personal information can be disclosed to others is dependent on a number of factors, including, whether the patient/ service user has consented to the information being shared; to whom the information is being disclosed, and the reason for its disclosure (i.e., the legal basis for sharing). There are a number of considerations to be made when deciding whether or not to disclose information. The approach may vary according to the individual circumstances surrounding the disclosure. For example, the considerations in disclosing personal information to the police will be different to those in disclosing information for research purposes. These are explained further in the Trust Subject Access Request (SARs) Policy.

Access to personal information

Individuals or persons acting on their behalf with consent have a right of access to data held about them. Any person who wishes to exercise this right should make their request in writing to the Legal Services team (for patient information), Occupational Health Dept. for occupational health records or the Information Governance team (for staff information). The process for doing this is described in Trust SARs Policy.

Access to information about deceased

Data Protection legislation applies only to information about living individuals. Where the subject is deceased access to health records comes under the Access to Health Records Act 1990.

The Act permits access to records of the deceased to the legal representative of the deceased and any individual with a legitimate claim arising from the death. Though not specified in statute, duty of confidence remains applicable to the deceased and this should be considered prior to any information disclosure.

Information security

In order to ensure the confidentiality of personal information, systems and procedures are in place to control access to such information. Such controls are essential to ensure that only authorised persons have:

• physical access to computer hardware and equipment,
• access to computer system utilities capable of overriding system and access controls e.g., administrator rights,
• access to either electronic or paper records containing confidential information about individuals.

The arrangements for the security of computer hardware, system utilities, computer files and folders are set out in the Information Security Policy and related procedures. The policy contains guidance on access controls, encryption of data, security monitoring and incidents, secure disposal of equipment and user responsibilities.

For further guidance on maintaining the confidentiality and security of personal information whilst in transit please refer to the Trust’s Information Security Policy and Safe Haven Guidance.

Information governance incidents

What is a breach.

A breach is defined as:

Article 4(12) “Personal Data Breach” means a breach of security leading to the accidental destruction, loss, alteration, unauthorised disclosure, or access to, personal data transmitted, stored or otherwise processed.

The GDPR definitions, notification and subject communication requirements include incidents that organisations might not have notified under the previous data protection regime.

The traditional view that a data incident is only reportable when data falls into the wrong hands is now replaced by a concept of a ‘risk to the rights and freedoms of individuals’ under Article 33 of GDPR.

Any security incident that creates a risk to the rights and freedoms of the individual is a personal data incident and could be notifiable to the ICO if it reaches a certain threshold. Any personal data incident that could create a significant risk to the rights and freedoms of an individual must be notified to the Information Commissioner via the DSPT reporting tool.

Personal data is defined as;

‘any information relating to an identified or identifiable living individual’ And an “Identifiable living individual” means a living individual who can be identified, directly or indirectly, by reference to— (a) an identifier such as a name, an identification number, location data or an online identifier, or (b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

This definition now makes it clear that all paper records that relate to a living individual are included in the definition and any aspect of digital processing such as IP address and cookies. Geographical data and biometric data are also clarified as being personal data when they can also be linked to a living individual.

What are the types of breaches:

• Confidentiality breach:

Unauthorised or accidental disclosure of, or access to personal data.

• Availability breach:

Unauthorised or accidental loss of access to, or destruction of, personal data.

• Integrity breach:

Unauthorised or accidental alteration of personal data.

Reporting of incidents

• All incidents will be reported on the Trust Electronic Incident Reporting system (Radar) immediately or as soon as safe to do so.
• The information reported on the incident form must be factual and accurate. No opinions or guesswork should be included. This is a legal document and must be
• Staff who intentionally fail to report an incident may face disciplinary
• Incident reports should, wherever possible, be completed by the member of staff who first becomes aware of the incident. If that person is unable to do this due to personal injury or other circumstances the form must be completed by another person on their

Grading the personal data breach

Any incident must be graded according to the significance of the breach and the likelihood of those serious consequences occurring. The incident must be graded according to the impact on the individual or groups of individuals and not the organisation. It is advisable that incidents are reviewed by the Data Protection Officer or Caldicott Guardian or the Senior Information Risk Owner when determining what the significance and likelihood a data breach will be.

Grading

No.	Likelihood		Description
1	Not occurred	There is absolute certainty that there can be no adverse effect. This may involve a reputable audit trail or forensic evidence
2	Not likely or any incident involving vulnerable groups even if no adverse effect occurred	In cases where there is no evidence that can prove that no adverse effect has occurred this must be selected.
3	Likely	It is likely that there will be an occurrence of an adverse effect arising from the breach.
4	Highly likely	There is almost certainty that at some point in the future an adverse effect will happen.
5	Occurred	There is a reported occurrence of an adverse effect arising from the breach.

If the likelihood that an adverse effect has occurred is low and the incident is not reportable to the ICO, no further details will be required.

Grade the potential severity of the adverse effect on individuals

Severity and Effect

No.	Effect		Description
1	No adverse effect	There is absolute certainty that no adverse effect can arise from the breach
2	Potentially some minor adverse effect or any incident involving vulnerable groups even if no adverse effect occurred	A minor adverse effect must be selected where there is no absolute certainty. A minor adverse effect may be the cancellation of a procedure but does not involve any additional suffering. It may also include possible inconvenience to those who need the data to do their job.
3	Potentially some adverse effect	An adverse effect may be release of confidential information into the public domain leading to embarrassment or it prevents someone from doing their job such as a cancelled procedure that has the potential of prolonging suffering but does not lead to a decline in health.
4	Potentially Pain and suffering/ financial loss	There has been reported suffering and decline in health arising from the breach or there has been some financial detriment occurred. Loss of bank details leading to loss of funds. There is a loss of employment.
5	Death/ catastrophic event.	A person dies or suffers a catastrophic occurrence

Both the adverse effect and likelihood values form part of the breach assessment grid.

Breach Assessment Grid

This operates on a 5 x 5 basis with anything other than “green breaches” being reportable. Incidents where the grading results are in the red are advised to notify within 72 hours.

Duty of Candour – Being open when patients are harmed

• When moderate, severe harm or death incidents occur, the Duty of Candour process must be followed. This is a clinical decision and also a contractual duty as well as being a legal duty under the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014: Regulation
• If an incident occurs which does not result in moderate or above harm the patient should still be offered an apology and an explanation given in line with being open principles. Organisations are said to be open when the prevailing culture visibly encourages key behaviours. These include honesty, openness, appropriate sharing of information and a willingness to learn from experiences to change how the organisation

Audit and monitoring

The Trust will ensure that it has assigned overall responsibility for monitoring and auditing access to confidential personal information to an appropriate senior staff member, e.g., the Caldicott Guardian and Data Protection Officer. They will ensure that the Trust has developed and implemented confidentiality audit procedures and communicating those to all staff who have access to personal, confidential data. The procedures will include:

• monitoring against NICE Clinical Guideline 138 and Quality Standard 15
• how access to confidential information will be monitored;
• who will carry out the monitoring of access;
• reporting processes and escalation processes;
• disciplinary processes.

The following are examples of events that the Trust will audit for frequency, circumstances, location etc:

• failed attempts to access confidential information;
• repeated attempts to access confidential information;
• successful access of confidential information by unauthorised persons;
• evidence of shared login sessions/ passwords;
• disciplinary actions taken.

Data flow mapping

The Trust is required to map all routine flows of personal information and assess associated risks. The IG team coordinates an annual review across all Trust departments of existing data flows is reviewed at least annually to meet the Data Security & Protection Toolkit and the Data Protection Officer informs the annual statutory submission to the Information Commissioner’s Office in regard to processing activities and transfers of personal information outside the UK and EEA.

Retention and storage

Records are to be retained in accordance with the NHSx Records Management Code of Practice 2023 Records, whether held in paper or electronic form must be stored securely to prevent unauthorised access. Further information regarding secure storage is available from the Information Security Policy (i.e., access controls) the Corporate Records Management Policy and Health Records Management Policy (i.e., storage and retention).

Freedom of information

A Freedom of Information (FOI) request is when a member of the public asks for information about the Trust. The request must be in writing, does not need to state “FOI” and the sender does not need to disclose their identity. All FOI requests are processed by the Trusts’ FOI lead, whose contact email is:

nlft.freedom.information@nhs.net

Training requirements

A training needs analysis will be undertaken with staff directly affected by this document. Based on the findings of that analysis appropriate training will be provided to staff as necessary.

Guidance will be provided on the Trust intranet site via the communications team by Human resource (HR).

All staff will receive Data Security Awareness training via the Trust INSET days and corporate/clinical induction and will still be require to complete their Data Security and Protection Awareness training online via the Electronic Staff Record (ESR) portal and targeted training will be used where specific issues are identified.

Process for monitoring compliance with this policy

• Compliance with the policies and procedures laid down in this document will be monitored via the corporate Data Security/Information Governance team, together with independent reviews by both Internal and External Audit on a periodic basis

The Corporate Data Security and Protection / Information Governance Manager is responsible for the monitoring, revision and updating of this document on a 3 yearly basis or sooner if the need arises.

References

• References and Related Guidance
• Department of Health Confidentiality Code of Practice 2003
• Department of Health Records Management Code of Practice 2021
• Department of Health Information Security Code of Practice 2007
• Department of Health Caldicott Manual 2006
• BS ISO/IEC 17799:2005 and BS ISO/IEC 27001: 2005 & BS7799-2: 2005
• General Data Protection Regulation (GDPR)
• Data Protection Act 2018
• Human Rights Act 1009
• Computer Misuse Act 1990
• Freedom of Information Act 2000
• Copyright, Designs and Patents Act 1988
• Regulatory of Investigatory Powers Act 2000
• Connecting for Health Information Governance Toolkit
• The NHS Care Records Guarantee 2006
• The NHS IM&T Operating Framework
• Network and Information Systems (NIS) Regulations 2018
• Data Security and Protection Toolkit

Associated documents

• IG Management and Framework Policy v1.3

Summary

Information Governance and Data Protection and confidentiality are consolidated frameworks for handling personal information in a confidential and secure manner to appropriate ethical and quality standards in a modern health service. They provide a consistent way for employees to deal with the many different information handling requirements.

 

You can make a subject access request in writing or verbally.

Email sar@tavi-port.nhs.uk

We may need to confirm your identity first. You don’t need to tell us the reason for your request.

What information do you need from me?

Details to help us locate the information you want to see

Please tell us what information you want to see and what period it covers, plus any other information that will help us to identify your record and the information you want to see.  If you have changed your name or moved address, please also include your name and address when you were a patient.  Please include your date of birth and your NHS Number if you have a record of it. 

We may also ask for evidence of your identity

We will tell you if we need evidence of your identity.  If you are not a current patient, we will usually ask for evidence of your identity.   

We will accept the following:

• Passport
• Photocard Driving License with Counterpart
• Birth certificate
• Gender Recognition Certificate
• Medical card
• National ID Card (for non-UK Nationals)

Plus one of the following:

• Council tax statement or bill
• Current notification letter from HMRC
• Current notification letter from the DWP
• Hospital letter, showing your NHS Number
• Current state pension notification letter
• Utility bill, or bank statement or credit card statement
• Mortgage statement
• Certificate of motor insurance

Can someone else make the request for me?

Yes, you can ask someone else to request access to your records for you. They will need to tell us their relationship to you, for example, your parent/guardian, independent mental health advocate or solicitor.  We will also need your consent for the disclosure to them, and evidence of their identity.   

We will also accept requests from someone representing you under a Lasting Power or Attorney or from the Court of Protection.

How long does it take?

Once we have confirmed your identity, we normally have one calendar month to provide the information to you.  If your request is complex or involves a lot of information, we are allowed up to an extra two months to consider your request and prepare the information for you.  We will let you know within the first month if this is likely to be the case.

Can I see all the information from my records?

We may not be able to send you all the information you have asked to see.  We are not able to disclose information about third party unless it is appropriate for us to obtain their consent.  We may consider withholding information that could cause you or another person serious harm. 

We may refuse a request we find to be manifestly unfounded or excessive. 

How will the information be given to me?

We can send the information to you by secure email, unless you tell us you want to receive the information by post or collection in person. 

Access to a child/young person’s record

If you are aged 13 or over, you can request access to your own records.  If you are younger than this but have the capacity to understand your records, we may still provide access directly to you. 

If you have parental responsibility and your child is under 13 and/or lacks the capacity to understand their records, you can request access to your child’s record directly.  If your child is over 13 and has capacity, we will require their consent.  We may withhold information where we consider this to be in the child’s best interest or where there is information about other people. 

What if I don’t agree with something on my record?

You can ask us to correct the record and we will either amend the information as requested or add your comments regarding the information you feel is incorrect. 

This is your right to rectification.

How to complain

If you are unhappy about how we have dealt with your request for information or with any of the information we hold about you, please write to our Data Protection Officer at nlft.information.governance@nhs.net.  The matter will be investigated and if you are still unhappy after that, you have a right to complain to the Information Commissioner’s Office at https://ico.org.uk/make-a-complaint/your-personal-information-concerns/

Introduction

The Tavistock and Portman NHS Foundation Trust, (the Trust), will use appropriate and necessary means to ensure that it complies with the Freedom of Information Act 2000, Environmental Information Regulations (2004) and associated Codes of Practice.

The Freedom of Information Act 2000 and the Environmental Information Regulations 2004 are part of the Government’s commitment to greater openness in the public sector, a commitment supported by this Trust.

The main features of FOIA and the EIR are: General right of access to information held by public authorities, subject to certain conditions and exemptions;

FOIA gives the public a general right of access to almost all types of recorded information held by public authorities, upon written request or by reference to published information on the Trust’s website.

The Act came into full effect on 01 January 2005 and places a statutory obligation on all public bodies to publish details of all recorded information that they hold and to allow the general public to have access to this either via proactive publication on its website or to receive information upon request, except where a valid exemption applies e.g. personal or other confidential data, or the locating and extracting of data is estimated to exceed 18 hours.

Some FOIA exemptions require a Public Interest Test (PIT) or a Prejudice Test (PT) to weigh up whether the public interest/harm in maintaining the exemption outweigh the public interest in their disclosure.

The Trust recognises the importance of the Act and it will ensure that appropriate systems are put in place and maintained to publicise what recorded information is held by the Trust and how this information can be accessed on request by the general public.

EIR gives the public a general right of access to almost all types of environmental information held by public authorities, upon written or oral request, or by reference to published information on the Trust’s website.

Unlike FOIA however, the presumption is that EIR data will, mostly, be disclosed.

There are no set limits on time estimated/required to locate and extract data, and information would only be withheld under compelling and substantive reasons, which are called ‘Exceptions”.

Unlike FOIA the engagement of every EIR exception requires a Public Interest Test (PIT) to weigh up whether the public interest in maintaining the exception outweighs the public interest in its disclosure.

The Trust has a duty, when responding to EIR requests, to:

• Confirm or deny whether the requested data is held
• Communicate the information, or its publicly available location in a timely manner
• Or state and explain how an exemption (FOI) or exception (EIR) applies

FOIA Code of Practice (section 8) confers a duty on the Trust to adopt and maintain a Publication Scheme which conforms to the health sector’s model publication scheme.

Purpose

This Policy will provide a framework within which the Trust will ensure compliance with the requirements of the Freedom of Information Act (2000) and the Environmental Information Regulations (2004). This policy is intended to cover all recorded information held by the Trust.

This Policy will apply to all Trust employees. It may also apply to staff employed by the Trust on a contractual basis where the requirement will be detailed in the contract/agreement.

This Policy will underpin any operational procedures and activities connected with the implementation of the Freedom of Information Act and Environmental Information Regulations.

The Policy supports the principle that the Trust wants to create a climate of openness and dialogue with all stakeholders and intends that improved access to information about the Trust will facilitate this.

The Trust believes that individuals also have a right to privacy and confidentiality. This Policy does not overturn the common law duties of confidence or statutory provisions that prevent disclosure of personal identifiable information. The release of such information is specifically excluded from FOIA (section 40) and is covered by the Subject Access Request (SAR) provisions of the Data Protection Act 2018 and the Access to Health Records Act 1990 and is dealt with in other Trust policies.

The Trust believes that public authorities should be allowed to discharge their functions and will use the exemptions and exceptions contained in the regulations where an absolute exemption applies or where a qualified exemption can reasonably be applied in terms of the public interest.

The Trust believes that staff should have access to expert knowledge to assist and support them in understanding the implications of both FOI and EIR. This Policy sets out a framework to provide this.

Scope

FOIA and the EIR apply to all information held by the Trust regardless of its date. It does not oblige the Trust to retain information which is no longer useful to it or which may be destroyed in accordance with the Trust’s retention policy.

FOIA is overseen by the Information Commissioner’s Office (our regulator) who has the ability to monitor organisational compliance, issue undertakings, serve information and enforcement notices and, if deemed necessary, to initiate court proceedings to force compliance

This policy applies to all staff working in, or on behalf of the Trust and includes contractors, temporary and agency staff, secondees and all permanent employees.

Definitions

FOIA Freedom of Information Act 2000

EIR Environmental Information Regulations 2004

GDPR 2018  General Data Protection Regulations

DPA 2018 Data Protection Act

Applicant The individual/s, group, organisation requesting access to information under the legislation.

Recorded Information All information held by the Trust, not just limited to official documents, it covers, drafts, emails, and notes (both electronic and handwritten), recordings of telephone conversations and CCTV recordings. Nor is this limited to information created within the Trust, as it also relates, for example, to documents received from external sources, such as other organisations or members of the public, though there may be a valid exemption for not releasing them.

Data Sets For these purposes, a data set is a collection of factual, raw and/or processed data, held in electronic form and gathered as part of providing services and delivering the Trust’s functions.

Information Commissioner The Information Commissioner’s Office (ICO), a UK independent authority which oversees compliance with GDPR, DPA, FOIA and EIR.

Publication Scheme A guide with electronic links to data which is routinely published on the Trust’s website, in line with the ICO guidance for a model publication Scheme

Policy statements

Regular monitoring of the compliance levels and effectiveness of this procedure will be via review at the quarterly Information Governance Group Meeting by:

• • Identifying and assessing any flaws and/or improvements in the ways information is gathered, processed and reported, and reviewing the number of requests and reasons for those which breach statutory deadline for response.
  • Reviewing the general response times to requests
  • Reviewing the number of internal reviews conducted, as an indicator of applicant dissatisfaction levels and how many complaints subsequently submitted to and investigated by the ICO.
  • Analysing requests, to identify any trends or themes, by subject category, with a view to improving the focus of the Trust’s publication scheme content. The Trust regularly reviews its procedures and systems to ensure their compliance under section 46 of the Freedom of Information Act.

Duties and responsibilities

The Trust recognises its responsibilities under FOIA and EIR to provide the general right of access to information held. Overall responsibility for this policy rests with the Director of Corporate Governance (Interim).

The administration of the Trust’s FOIA and EIR policies rests with the IG Officer as the Trust Lead on FOI and EIR requests.

The IG Officer is responsible for ensuring that these policies remain up to date with the requirements of FOIA and EIR through regular attendance at peer group FOI/EIR meetings, membership of professional groups, and regular familiarisation with ICO latest decision notices and news items on FOI/EIR.

The IG Officer is responsible for supplementing the Trust’s cyclic mandatory FOI/EIR training provision with extra training for IG Champions – those staff responsible for handling FOI requests and supplying response data for subsequent drafting and signoff.

The IG Officer is responsible for ensuring that responses to media enquires are passed to the Communications Team for extra oversight and signoff, once the Executive Director has approved the response data.

The IG Officer uses their judgment to keep the Interim Deputy Company Secretary and Director of Corporate Governance (Interim) informed of more complex requests, or requests linked to current issues faced by the Trust.

The Trust undertakes to comply with the requirements of the Freedom of Information Act 2000, (FOAI) and to establish a scheme to assure its fulfilment.

FOIA and EIR give the public at large a general right of access to information held by the Trust, subject to certain conditions and exemptions/exceptions.

Any person submitting to the Trust a request for information is entitled to be informed in writing whether the Trust holds the information specified in the request, and to have that information communicated to them.

In complying with the duty to confirm or deny that requested data is held (Section 1 FOIA only), the Trust may, under certain circumstances, ‘neither confirm nor deny’ when affirmation or denial would prejudice the confidentiality of data being withheld (Section 1 FOIA).

Under FOIA only, any request for information must be received in writing, stating the name of the applicant (first name and surname, first initial and surname, or name of company), an address for correspondence, and a description of the information requested.

Under the EIR, the request may be made verbally, but must still contain the applicant’s name and correspondence address.

The Trust has a duty to ensure that procedures and systems are in place to facilitate public access to Trust data. A flowchart entitled “How to Deal with an FOI Request” is attached as Appendix A

All staff, temporary staff (agency and bank), contractors and Non-Executive Directors are obliged to adhere to this policy. A failure to adhere to it and its associated procedures may result in disciplinary action

Managers at all levels are responsible for ensuring that the staff for whom they are responsible are aware of and adhere to this Policy.

All staff are responsible for ensuring that any stray requests for Trust information from the public are forwarded to the FOI mailbox. This includes verbal EIR requests.

Upon receipt of a new request the IG Officer will log it and forward it to the relevant Executive Director for delegation to one of their team members, who would, wherever possible, delegate it to an FOI/EIR champion, already trained on FOI/EIR procedures. (See point 6.5 above and section 8, Training Requirements).

Suppliers have obligations under both FOIA and EIR, by nature of having a contract with a public authority, to assist the Trust with FOI enquiries concerning their business with the Trust, and must forward any written requests for information, pertinent to the Trust, received by their staff to the Trust’s FOI mailbox.

Those making verbal requests under EIR should be directed to contact the Trust’s FOI office on 0208938 2173 or the switchboard on 0207 435 7111. For regulatory purposes, the time allowed for response will commence on the day the request is received by the Trust, rather than the contractor. Contracts should, therefore, include a clause setting out the Contractor’s obligations in this respect.

When entering into contracts with contractors from the private sector, the Trust may be under pressure to accept confidentiality clauses which exempt from disclosure information relating to the terms of the contract, its value and performance. The Trust will reject such clauses and only where, exceptionally necessary, include non-disclosure provisions in a contract. In any such instances, the Trust will investigate the option of agreeing with the contractor a schedule of the contract that clearly identifies information that should not be disclosed. The Trust will take care when drawing up any such schedule, aware that any contractual restrictions on disclosure could potentially be overridden by obligations under the Act, as described above.

Any acceptance of confidentiality provisions to not disclose information under FOIA or EIA must be for good (valid) reasons and capable of justification to the Information Commissioner. The Trust will not agree to hold information ‘in confidence’ which is not in fact confidential in nature.

Trust management responsible for management of suppliers are required to support the FOIA and EIR processes, and ensure the contractor establishes a robust process for providing information and/or their opinion on disclosure of data upon request, which the Trust would take into consideration when deciding whether to release requested data. Any such response would still be subject to Trust Executive Director sign off prior to dispatch.

Procedures

The Trust will meet all the requirements of a valid FOI/EIR request, as defined in s8 of FOIA, provided that it meets with all mandatory requirements, i.e. that:

• FOI requests must be received in a written format, email or hard copy, or via the Trust’s website FOI request submission form and contain contact information, and adequately describe the information required.
• EIR requests can be received both in verbal and in written format, relate specifically to the environment or anything which affects the environment such as emissions and discharges.
• Both FOI and EIR requests must include the name of applicant, (can be first name and family name, or initial and family name, but not solely initials and/or the name of the business).
• New requests are logged and then tracked and reported on via the FOI/EIR log throughout their lifetime, i.e. until file closure.
• Once logged, new FOI requests are sent to the subject matter Executive Director and, if known, copied to the subject matter Manager. The Executive Director will delegate the request for data provision as appropriate and will sign off the resulting data as correct and in order for sending out to the applicant.
• Requests which are not applicable to the Trust may be answered and signed off by the IG Officer, indicating why the request didn’t apply to the Trust.
• All Media requests must have secondary sign off from the Communications Manager.
• FOI and EIR requests must be answered within 20 working days, excepting bank holiday days anywhere in the UK counting the first working day after receipt as Day 1, unless paused whilst clarification is sought from the applicant.
• All responses must include the duty to confirm/deny or neither confirm nor deny that the requested data is held when doing so would compromise confidentiality of any withheld data.
• Support on the application of exemptions or exceptions and the public interest test will be provided by the Trust’s FOI Lead (IG Officer), taking into account advice from the person who holds/owns the information.
• Any exemption must be applied in line with section 17 of the FOI Act and any exception must be applied in line with regulation 14 of the EIR . All EIR exceptions and most FOI exemptions are subject to the public interest test i.e. where the public interest in withholding the information outweighs the public interest in disclosure, and where it does, we can refuse to disclose.
• Sometimes redaction is required to render exempt information unreadable from documents being prepared for release. Time spend redacting does not count towards the 18 hours/£450 resource limits.
• If the exemption (FOI) or exception (EIR) requires a public interest test this must be done where possible within the 20-day deadline. In the event that this will take longer than 20 working days the requestor should be notified and given a date by which to expect a decision to have been made (in accordance with s.17 (2) of the FOI Act and Reg. 14 of EIR).
• If denying a request, the Trust has a duty (FOIA s16, and EIR Reg 9) to provide reasonable advice and assistance to applicants requesting information. This may include assistance in clarifying their request, reducing the cost of the request, redirecting the applicant to a website or another public authority, and providing a link to the publication scheme if the information is held there.
• All refusals must include appropriate refusal notice which considers the requirements of the exemptions or exceptions being applied and the requirements of s.17 of the FOI Act and regulation 14 of the EIR. The notice should be accompanied by any information which is not exempt.
• If the requestor has stated a format preference, the Trust is required to comply with this as far as practicably possible. If it is not possible, the information will be supplied in another suitable format and an explanation provided to the requestor as to why it wasn’t possible to comply with their preference.
• If information requested relates to a third party, then they should be contacted and given an opportunity to comment/advise if, in their view, the information should be released or withheld, and why. Whilst their views would be taken into consideration, the Trust reserves the right to make the final decision about releasing the information.
• When responding to a request for information, the requester will be notified that if they are dissatisfied with the Trust’s response, that they may request an internal review within 40 working days of the date of the initial response, and of their right to complain to the Information Commissioner if they are still dissatisfied following the outcome of the internal review.
• Internal Reviews are undertaken by nominated staff not previously involved in the request, who will consider decisions made, rationale, public interest, timeliness and all other relevant aspects of the request and may either uphold the original decision or issue new findings and recommendations.

Once the request has been responded to, the FOI/EIR Log will be updated and the request closed.

Data sets published in response to individual requests or through the Publication Scheme on the Trust’s website, must be made available for re-use at the point of release under the Open Government Licence, and where reasonably practicable, published in a reusable format.

Training requirements

Trust’s IG Lead (IG Officer) to have training and development opportunities to maintain/update their knowledge on the recent applications of the regulations, and attendances at formal training sessions, peer group meetings with counterparts and senior IG staff from other Trusts/public authorities, and membership of FOI/E

The Trust to provide relevant FOI training for all new staff at their induction and every three years to current staff within their INSET training programme.

Provide relevant and appropriate training to nominated FOIA champions throughout the Trust, who are relied upon to provide data to inform FOI responses.

Process for monitoring compliance with this policy

Compliance with this Policy will be monitored quarterly by the Information Governance Group in consultation with the IG Officer, together with any independent reviews by Internal External Audit on a periodic basis.

The IG Officer is responsible for the revision and updating of this document in line with any changes to FOIA regulations and/or any associated legislation, and ICO directives.

References

• Freedom of Information Act 2000 (FOIA 2000) https://www.legislation.gov.uk/ukpga/2000/36/contents
• Information Commissioner’s Office Guidance Documentation on FOIA 2000 and EIR 2004 Regulations: Freedom of information and environmental information regulations | ICO
• https://ico.org.uk/for-organisations/guidance-index/freedom-of-information-and-environmental-information-regulations/
• The Environmental Information Regulations 2004 http://www.legislation.gov.uk/uksi/2004/3391/contents/made
• Guide to the Environmental Information Regulations ICO Guide to the Environmental Information Regulations
• EIR Code of Practice Code of Practice -obligations of public authorities under EIR
• Freedom of Information Code of Practice Freedom of Information Code of Practice – GOV.UK
• The Data Protection Act 2018: Data Protection Act 2018 – GOV.UK
• Records Management: NHS Code of Practice:  Records Management Code of Practice
• The Information Commissioner’s Office: http://www.ico.org.uk/

Associated documents

• FOIA Guidance: Freedom of information guidance and resources | ICO
• EIR Guidance:  Guide to the Environmental Information Regulations | ICO
• EIR Code of Practice:  Code of Practice -obligations of public authorities under EIR
• EIR Code of Practice:  Freedom of Information Code of Practice
• NHS England Records Retention and Disposal Schedule: Records Retention and Disposal Schedule