We understand that there may be times when you are unhappy with our services, and your clinic experience matters to us.
If you do experience any issues or are unhappy about anything at our clinic, including correspondence before and after your visit, please let us know at the time by verbally informing a member of staff. If the issue arises after you have left the clinic, please telephone or email your concern.
We also contact you after your appointment to ask for feedback and respond accordingly.
If you would like to email us your feedback on your experience, positive or not, kindly send that over to complaints@thedermatologypartnership.com.
Formal Complaints Policy
If you would like to write a formal complaint please put your complaint in writing by email to: complaints@thedermatologypartnership.com or post to:
The Practice Manager
St Michael’s Clinic
St Michael’s Street
Shrewsbury
SY1 2HE
We will write to you to acknowledge receipt of your letter within 3 working days. A full written response should be provided within 40 working days of receiving the initial complaint. If it is not possible to provide a response within this timeframe, we will notify you of the delay and give an expected timeline for a response.
What if I need help with my NHS complaint?
You need to contact the organisation that referred you to the clinic, from the following:
Shropshire, Telford and Wrekin CCG Patients
Please visit their website: www.shropshiretelfordandwrekinccg.nhs.uk
Powys Patients
Powys Community Health Council Complaints Advocacy
Phone: 01686 627632.
Email: powyschc@wales.org.uk
Shrewsbury & Telford Hospital Patients
Shrewsbury Patient Advice & Liaison Service (PALS): 01743 261691 / 0800 7830057
Telford Patient Advice & Liaison Service (PALS): 01952 282888 / 01952 641222 Ext. 4382
What if I need help with my Private complaint?
If you require assistance with a complaint, you can contact Citizens Advice (formerly the Citizens Advice Bureau): https://www.citizensadvice.org.uk/ or 0800 144 8848.
Citizens Advice provides free, confidential and independent advice from over 3,000 locations, including in their bureaux, GP surgeries, hospitals, colleges, prisons and courts. Advice is available face-to-face and by phone.
Raising the matter with the Care Quality Commission
You can report a concern to the CQC. Please note that the CQC will not investigate an individual complaint, but they will look at the concern raised.
Phone: 03000 616161
Email: enquiries@cqc.org.uk
Website: www.cqc.org.uk
Disclaimer
To arrange an appointment please call reception on our central number. Availability of appointments cannot be guaranteed. Please contact your GP or attend A&E in cases of emergency. Please note that you might not see the same practitioner at every visit. Your practitioner will however be able to view your complete past history with us, in order to ensure continuity of care. Unless otherwise stated, the services featured on this website are only available within our clinics:
• Stratum Clinics Oxford
• Stratum Clinics Wimbledon
• Stratum Clinics Harley Street (also known as the Harley Street Dermatology Clinic)
• Stratum Clinics Cheltenham
• Stratum Clinics Canterbury (also known as the Canterbury Skin and Laser Clinic)
Please note that some of our clinics offer a limited selection of our services only. Please note that usually (in all locations) the initial visit will be for a consultation only. Any treatment/procedure is usually arranged for a later date, once you have been assessed in clinic. All marketing/advertising is intended solely for the United Kingdom. You are solely responsible for evaluating the fitness for a particular purpose of any downloads, programs and text available through this site. Redistribution or republication of any part of this site or its content is prohibited, including by framing or any other similar means, without the express written consent of the Company. The Company does not warrant that the service from this site will be uninterrupted, timely or error free, although it is provided to the best of our ability. By using this service, you thereby indemnify this Company, its employees, agents and affiliates against any loss or damage, in whatever manner, howsoever caused.
Exclusions and Limitations
The information on this web site is provided on an “as is” basis. To the fullest extent permitted by law, this Company:
• Excludes all representations and warranties relating to this website and its contents or which is or may be provided by any affiliates or any other third party, including in relation to any inaccuracies or omissions in this website and/or the Company’s literature; and
• Excludes all liability for damages arising out of or in connection with your use of this website. This includes, without limitation, direct loss, loss of business or profits (whether or not the loss of such profits was foreseeable, arose in the normal course of things or you have advised this Company of the possibility of such potential loss), damage to your health or appearance, damage caused to your computer, computer software, systems and programs and the data thereon or any other direct or indirect, consequential and incidental damages.
The above exclusions and limitations apply only to the extent permitted by law. None of your statutory rights as a consumer are affected.
Payment
Please note that we are a private clinic; our services are usually not covered by the NHS. Most private medical insurances will reimburse our consultation and treatment fees for medical problems when preauthorisation is obtained. Diagnosis and treatment of cosmetic / aesthetic issues and treatments are not usually covered by any insurance, whether UK based or international. Our Terms are payment in clinic on the day of the consultation / treatment. Cash and all major Credit and Debit Cards (including American Express) are acceptable methods of payment. Unfortunately, we cannot deal with your insurance directly, but are able to assist you. At the time of your service, if you / we believe you have valid insurance coverage, but later find out, for whatever reason, you were not covered, you herewith acknowledge and agree that you are responsible for the entire fee. To avoid any unexpected shortfalls, we advise patients to check with their insurance provider before incurring any costs. All goods remain the property of the Company until paid for in full. Should we not have received payment within 10 working days after the consultation/treatment, we reserve the right to forward this matter to our Solicitors, which will incur an administration charge of £250. Monies that remain outstanding after the date of the consultation/treatment will also incur interest at the rate of 5% above the prevailing Bank of England base rate on the outstanding balance until such time as the balance is paid in full and final settlement. We also reserve the right to seek recovery of any monies remaining unpaid 30 days from the date of the consultation/treatment via collection Agencies and/or through the Small Claims Court. In such circumstances, you shall be liable for any and all additional administrative and/or court costs. We do not routinely accept cheques. Please note that medication is not included in our fees. Please also note that blood tests and other lab analysis (e.g. nail/skin scrapings, skin swabs, biopsies etc.) will incur an additional charge. Please contact us to receive a complete price list.
Cancellation Policy
A minimum of 24 hours’ notice of cancellation or appointment re-scheduling is required. Notification in person or via telephone will be accepted. If leaving a message on our answer phone, please clearly state your name, as well as the date and time of the phone call. Any appointments for consultations which are not attended, or are cancelled/re-scheduled with less than 24 hours’ notice, will incur a 50% charge. In the instance of a second non-attendance or cancellation/re-scheduling with less than 48 hours’ notice, we reserve the right not to issue another appointment.
Termination of Agreements and Refunds Policy
Both the client/patient and ourselves have the right to terminate any Service Agreement for any reason, including the ending of services that are already underway. No refunds shall be offered where a Service is deemed to have begun and is, for all intents and purposes, underway. This also applies where a course of several treatments was booked and paid for and the client/patient decides not to complete the outstanding treatments of that course: no refund will be offered.
Availability
To arrange an appointment please call reception on our central number. Availability of appointments cannot be guaranteed. Please contact your GP or attend A&E in cases of emergency.
Log Files
We use IP addresses to analyse trends, administer the site, track users’ movements, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information. Additionally, for systems administration, detecting usage patterns and troubleshooting purposes, our web servers automatically log standard access information including browser type, access times/open mail, URL requested, and referral URL. Any individually identifiable information related to this data will never be used in any way different to that stated above without your explicit permission.
Links from this website
We do not monitor or review the content of third parties’ websites which are linked to from this website. Opinions expressed or material appearing on such websites are not necessarily shared or endorsed by us, and we should not be regarded as the publisher of such opinions or material. Please be aware that we are not responsible for the privacy practices, or content, of these sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these sites. You should evaluate the security and trustworthiness of any other site connected to this site or accessed through this site yourself, before disclosing any personal information to them. This Company will not accept any responsibility for any loss or damage in whatever manner, howsoever caused, resulting from your disclosure to third parties of personal information.
Communication
Contact information can be found on the ‘Contact’ page on our website or via company literature. Stratum Clinics Ltd. is a registered company in England and Wales. Registered number 06550196 – Registered Office 1 Angel Court, London, United Kingdom, EC2R 7HJ. By submitting an enquiry via our online enquiry forms, you are consenting to receive email communications from us. You can stop these emails at any time by following the unsubscribe link at the bottom of your email.
Force Majeure
We are not liable for any failure to perform any obligation under any Agreement which is due to an event beyond our control including but not limited to any Act of God, terrorism, war, political insurgence, insurrection, riot, civil unrest, act of civil or military authority, uprising, earthquake, flood or any other natural or man-made eventuality outside of our control, which causes the termination of an agreement or contract entered into, nor which could have been reasonably foreseen.
Waiver
Failure of either Party to insist upon strict performance of any provision of this or any Agreement or the failure of either Party to exercise any right or remedy to which it, he or they are entitled hereunder shall not constitute a waiver thereof and shall not cause a diminution of the obligations under this or any Agreement. No waiver of any of the provisions of this or any Agreement shall be effective unless it is expressly stated to be such and signed by both Parties.
General
The laws of England and Wales govern these terms and conditions. By accessing this website and/or buying products from us directly or on our website, you consent to these terms and conditions and to the exclusive jurisdiction of the English courts in all disputes arising out of such access. If any of these terms are deemed invalid or unenforceable for any reason (including, but not limited to the exclusions and limitations set out above), then the invalid or unenforceable provision will be severed from these terms and the remaining terms will continue to apply. Failure of the Company to enforce any of the provisions set out in these Terms and Conditions and any Agreement, or failure to exercise any option to terminate, shall not be construed as waiver of such provisions and shall not affect the validity of these Terms and Conditions or of any Agreement or any part thereof, or the right thereafter to enforce each and every provision.
Notification of Changes
The Company reserves the right to change these conditions from time to time as it sees fit and your continued use of the site will signify your acceptance of any adjustment to these terms. If there are any changes to our privacy policy, we will announce that these changes have been made in these Terms & Conditions or on other key pages on our site. You are therefore advised to re-read this statement on a regular basis. These terms and conditions form part of the Agreement between the client/patient and ourselves. Your accessing of this website and/or undertaking of a booking or buying products from us directly indicates your understanding, agreement to and acceptance of the Disclaimer Notice and the full Terms and Conditions contained herein. Your statutory Consumer Rights are unaffected.
Insurance Policy
Stratum Clinics (and our partner clinics) and all the consultants who work within our business are recognised by the main healthcare insurance providers. If you plan to use your medical insurance policy, you will need to contact your insurer ahead of your appointment to obtain a preauthorisation. We require your membership number and preauthorisation code by the time of your appointment in order to bill your insurer directly. If you do not have these, then you may self-fund your appointment and make a retrospective claim, although each insurer has different processes for this, and we recommend you familiarise yourself with your own insurer’s policy as they may not reimburse in full. We will provide you with a medical letter after your appointment and an invoice to support retrospective claims, but do not reimburse insurance shortfalls. For global or international insurers we will accept Letters of Guarantee for treatment. If you do not have a letter, our policy is for you to self-fund and reclaim costs through your insurer. Please email or call us if you have any questions and the team will be able to advise. Please note: if your insurance policy has an excess, this will be due on the day of your appointment (and any subsequent appointments).
Cookie Policy
This site uses cookies – small text files that are placed on your machine to help the site provide a better user experience. In general, cookies are used to retain user preferences, store information for things like shopping baskets, and provide anonymised tracking data to third party applications like Google Analytics. As a rule, cookies will make your browsing experience better. However, you may prefer to disable cookies on this site and on others. The most effective way to do this is to disable cookies in your browser. We suggest consulting the Help section of your browser or taking a look at the About Cookies website which offers guidance for all modern browsers.
Privacy Notice
We collect personal data from you when you are referred to our clinic or use our services. We will always aim to keep this data secure and use it only for the purposes that we are legally allowed.
For example, we collect and store information that we receive from your GP and other health professionals when you are sent to us for care. We will also gather information from you at your appointments and may request historic information from other health clinics of past health episodes if these are relevant to the care we are providing you. Some of the information we hold we recognise will be sensitive.
The information we hold will include contact details (name, address, telephone numbers, e mail), personal details (gender, date of birth, GP practice, emergency contacts) and medical information. We may also take and store photos of your skin complaint.
We use this information and medical records primarily to ensure the safe and effective delivery of care. Parts of the records will be used for the efficient management of the NHS; to undertake medical audits that improve our overall care for patients and occasionally in medical research. We will also use your mobile phone number to send you appointment reminders.
Who else has access to your data?
At times, we do need to share information with other health service bodies, to ensure you receive the best care from us and the health service generally, and so that we can administer the service. We will only send the minimum level of information that is necessary in these cases.
We do employ the services of other organisations who will process your data on our behalf – particularly our computer system providers. These companies will not use your data in any way outside of this privacy policy, and we are ensuring we have agreements in place that make this clear.
We also need to comply with any legal requests for information from public bodies – such as the police and government bodies – or to protect you, ourselves and others.
Your rights over your data
You have the right to be informed how we use your data. If you have any queries over and above the contents of this policy then please contact our data protection officer, Mr Paul Haycox, on dpo@stmichaelsclinic.co.uk.
You can also request a summary of the information that we hold on you, or ask us to correct any factual data that is inaccurate. The first request for information will be provided free of charge, but a fee of £10 may be charged for subsequent requests if they are felt to be excessive.
You may ask us to delete information that we hold on you, which we will consider. However, it is a legal requirement to maintain medical records for a defined period of time (we abide by the current retention schedules contained in the “Records Management Code of Practice for Health and Social Care 2016”) and so these will be considered alongside any request.
To make a request for any of the above, please email us at dpo@stmichaelclinic.co.uk. Finally, if you are unhappy with how we are managing your personal data, or aren’t happy with our response at any time, then you have the right to file a complaint with the Information Commissioner’s Office.
Security
We use reasonable and modern methods to protect your data and have been accredited under the Cyber Essentials Plus scheme. Unfortunately, no data transmission or storage system is 100% secure. If you feel that the security of your information has been compromised in any way then please contact us immediately. If we become aware of any security issue, then we will contact any individuals that are affected.
Contact Us
Data and privacy policy enquiries: DPO@thedermatologypartnership.com
General enquiries: Telephone: 01743 590010; Email: info@stmichaelsclinic.co.uk
Address: St Michael’s Clinic, St Michael’s Street, Shrewsbury, Shropshire, SY1 2HE
The legal conditions for processing personal data are public interest or the exercise of official authority, and contractual necessity. The legal condition for processing special categories of personal data is the provision of Health and Social Care.
This privacy notice was last reviewed on 21st February 2020.
Our Confidentiality Policy can be found here.
Contents
1. Introduction
2. Purpose
3. Scope
4. Roles and Responsibilities
5. Information Governance Policy Framework
6. Information Governance and Records Management Group
7. Distribution and Implementation
8. Monitoring
9. Associated Documents
Appendix 1 – Caldicott Principles
Appendix 2 – Caldicott Recommendations of the Information Governance Review 2013, Including Clinic Position
Appendix 3 – Caldicott Guardian
1. Introduction
St Michael’s Clinic Ltd. (STMC) is compliant with the UK General Data Protection Regulation (UKGDPR) and the Data Protection Act 2018.
Good information governance and record management protects the rights and interests of patients, staff, learners and members of the public who have dealings with STMC. It also helps the clinic to operate in an efficient and effective manner and ensures that it is operating in accordance with relevant laws and regulations.
This policy relates to the governance of all operational records. These are defined as information created or received during business and captured in a readable form, in any medium, providing evidence of the functions, activities and transactions of the clinic. They include:
• Administrative records, including personnel, estates, financial and accounting records, contracts and records associated with complaints.
• Patient health records including referrals, treatment records, correspondence with other health professionals, patient correspondence, out of licence drug records, treatment and chaperone registers.
• Photographs, imaging reports and images.
• Records in all electronic forms.
UKGDPR, Data Protection Act 2018 and Caldicott principles will always be observed and followed. Staff and learners will receive training on these principles, relevant statutes and record keeping responsibilities. Clinical staff must follow professional guidelines on record keeping and confidentiality.
2. Purpose
The purpose of this document is to provide guidance, to all staff and learners, on Information Governance.
Information Governance is a framework for handling personal information in a confidential and secure manner to appropriate ethical and quality standards in a modern health service. It provides a consistent way for employees to deal with the many different information handling requirements. There are a series of policies that relate to the Information Governance Policy:
Information Governance Management Framework.
Information Risk management Policy
Confidentiality Policy
Data Protection Policy
Information Systems Security Policy
Document and Record Lifecycle Management Policy
Freedom of Information Policy
The aims of this document are:
a. To ensure that data is:
Held securely and confidentially.
Obtained fairly and lawfully.
Recorded accurately and reliably.
Used effectively and ethically.
Shared and disclosed appropriately and lawfully.
b. To protect the organisation’s information assets from all threats, whether internal or external, deliberate or accidental. To this end, St Michael’s Clinic Ltd. will ensure that:
Information will be protected against unauthorised access.
Cybersecurity will be maintained at a reasonable and acceptable level.
Confidentiality of information will be assured.
Integrity of information will be maintained.
Information will be supported by the highest quality data.
Regulatory and legislative requirements will be met.
Business continuity plans will be produced, maintained and tested.
Information governance training will be available to all staff, and all breaches of information governance, actual or suspected, will be reported to, and investigated by the Information Governance Senior Manager and reported to the Information Commissioners Office (ICO), if required.
3. Scope
This document applies to all St Michael’s Clinic Ltd. staff and learners, including:
Clinical Staff (Consultants, Doctors, Nurses and HCAs)
Administrative staff (Receptionists, Medical Secretaries, Administrative and technical staff)
Staff working in or on behalf of St Michael’s Clinic Ltd. (this includes contractors, temporary staff, secondees, Learners and any other permanent employees).
4. Roles and Responsibilities
Business Manager. Mr Paul Haycox, as the CQC registered manager, has overall accountability for establishing and maintaining an effective information governance regime and document management system that meets all statutory requirements and adheres to guidance issued.
Caldicott Guardian. Mr Mark Norfolk acts as the Caldicott Guardian and will:
– Strive to ensure the clinic meets the Caldicott principles as laid out in the 1997 review and the recommendations produced through the Information Governance review in March 2013 (see section on Caldicott Principles in Appendix 1).
– Ensure that St Michael’s Clinic Ltd. satisfies the highest practical standards for handling patient identifiable information.
– Facilitate and enable appropriate information gathering.
– Represent and champion Information Governance requirements and issues at Senior Management level.
– Ensure that confidentiality issues are part of the clinic’s policies, procedures and training for staff.
– Oversee all arrangements, protocols and procedures where confidential patient information may be shared with external bodies both within, and outside, the organisation.
– Receive training as necessary to ensure they remain effective in their role as Caldicott Guardian.
Senior Information Risk Owner (SIRO). The Business Manager has been nominated as Senior Information Risk Owner (SIRO), who will:
– Take overall ownership of the organisation’s Information Security Policy.
– Act as champion for information risk.
– Understand how St Michael’s Clinic Ltd.’s business goals may be impacted by information risks, and how those risks may be managed.
– Implement and lead Information Governance Risk Assessment and Management processes within St Michael’s Clinic Ltd.
– Advise the Senior Management Group on the effectiveness of information risk management within the organisation.
– Receive training as necessary to ensure they remain effective in their role as SIRO.
Information Governance Lead. The Information Governance Lead is the IT Manager, who will oversee all procedures affecting access to person-identifiable health data including:
– Maintain an awareness of information governance issues within the organisation.
– Work with the Business Manager to review and update the information governance policy in line with local and national requirements.
– Undertake the role of Information Security Officer.
– Review and audit procedures relating to this policy where appropriate on an ad-hoc basis, and
– Ensure that line managers are aware of the requirements of the Information Governance policy.
IT Manager. The IT Manager is responsible for:
– The formulation and implementation of IT related policies and the creation of supporting procedures, and ensuring these are embedded within the service; developing, implementing and managing robust IT security arrangements in line with best industry practice.
– Effective management and security of St Michael’s Clinic Ltd. IT resources, for example, infrastructure and equipment.
– Ensuring data is securely protected and safe from internal or external attack.
– Developing and implementing a robust IT Disaster Recovery Plan.
– Ensuring that IT security levels required by the NHS Statement of Compliance are met.
– Ensuring that all firewalls and secure access servers are maintained and always in place, and
– Acting as the Information Asset Owner for the IT infrastructure with specific accountability for computer and telephone equipment and services that are operated by the corporate and clinical work force, e.g. personal computers, laptops, personal digital assistants and related computing devices.
Line Managers. Line managers will take responsibility for ensuring that the Information Governance Policy is implemented within their area.
All staff and learners. It is the responsibility of each employee to adhere to the policy.
Staff and learners will receive instruction and direction regarding the policy from several sources:
– Policy and procedure manuals
– Line manager
– Specific training courses
– Team meetings
– Staff Intranet.
All staff and learners are mandated to undertake appropriate online Information Governance training annually.
All staff and learners must make sure that they use the organisation’s IT systems appropriately, and adhere to the Acceptable use of IT Policy.
All staff and learners must adhere to all information security requirements and confidentiality as laid out in relevant policies.
5. Information Governance Policy Framework
The St Michael’s Clinic Ltd. Information Governance Policy Framework is supported by a set of Information Governance policies and related procedures to cover all aspects of Information Governance which are aligned with the NHS Operating Framework and the Data Security and Protection Toolkit requirements.
Policies. The Key Information Governance Policies are:
– Data Protection Policy – This policy sets out the roles and responsibilities for compliance with the UKGDPR and Data Protection Act 2018. Mr Paul Haycox is the named data controller for St Michael’s Clinic Ltd. The clinic seeks to hold and process information in a transparent way and demonstrate compliance with the GDPR and Data Protection Act 2018.
Data flows have been mapped and the legal basis for processing each data item logged. These are available on request.
The UKGDPR and Data Protection Act 2018 give individuals the right to know what information is held about them and where it was gained from; the legal basis upon which that data is held; and whether data is shared, processed or held by third parties. They give individuals rights of access to the data held, to have inaccuracies corrected, and to have deletion of their data considered. Individuals also have the right to expect their data to be kept securely. The legislation provides a framework to ensure that personal information is handled properly.
All staff and learners processing personal information must comply with the eight principles, which ensure that personal information is fairly and lawfully processed; processed for limited purposes; adequate, relevant and not excessive; accurate and up to date; not kept for longer than necessary; processed in line with individuals’ rights; secure; and not transferred to other countries without adequate protection.
Freedom of Information Policy – This policy sets out the roles and responsibilities for compliance with the Freedom of Information Act and Environmental Information Regulations.
Confidentiality Policy – This policy lays down the principles that must be observed by all who work within St Michael’s Clinic Ltd. and have access to personal or confidential information. All staff must be aware of their responsibilities for safeguarding confidentiality, preserving information security and their contractual obligation through the confidentiality clause contained within their contracts of employment. All clinical staff must abide by their codes of professional conduct in relation to confidentiality, including the General Medical Council (GMC) Confidentiality guidance 2009; the GMC confidentiality guidance on protecting information 2009; the Nursing and Midwifery Council Code 2009, 2nd edition 2010 and review findings of July 2012. Information provided in confidence must not be used or disclosed in a form that might identify a patient without their consent.
Information Systems Security Policy – This policy is to protect, to a consistently high standard, all information assets. The policy defines security measures applied through technology and encompasses the expected behaviour of those who manage information within the organisation.
Access to IT systems is controlled using secure log on and passwords and individual staff passwords. Backup data is held on a secure and remote hosted system. Physical access to areas where patient data or staff records are stored is by key pad – where the password is changed regularly and known only to staff and learners. Out of hours the clinic has an alarm service that is linked to the police and fire departments. Remote access and use of portable devices are also covered within the policy.
Document, Record and Lifecycle Management Policy – This policy is to promote the effective management and use of information. The clinic complies with the Records Management Code of Practice for Health and Social Care 2021.
Minimum retention periods may vary, but St Michael’s Clinic Ltd. adheres to the following minimum retention periods:
• Children and young people – until the patient’s 25th birthday, or 26th if the young person was 17 at the conclusion of treatment, or 8 years after the patient’s death
• Health records – 8 years after last treatment or death
When records are destroyed, paper records are shredded and electronic records either physically destroyed or permanently deleted.
Information Sharing Policy – The policy will ensure that all information held or processed by St Michael’s Clinic Ltd. is made available subject to appropriate protection of confidentiality and in line with the terms and conditions under which the data has been shared. This policy sets out what is required to ensure that fair and equal access to information can be provided and is supported by a range of procedures.
6. Clinical Governance Group
St Michael’s Clinic Ltd. has a long-established Clinical Governance Group, which has taken on the responsibility for Information Governance and Records Management. The group will monitor and co-ordinate implementation of the Information Governance Policy, the Data Security and Protection Toolkit requirements and other information-related legal obligations.
The group will provide expert advice and guidance to all staff and learners on all elements of Information Governance. The team is responsible for:
– Reviewing and signing off internal Information Governance policies and procedures.
– Agreeing Information Governance awareness and training programmes for staff.
– Ensuring compliance with Data Protection, Information Security and other information related legislation.
– Providing advice and guidance on internal information governance to all staff and learners.
– Reviewing any data breaches (reportable and non-reportable) and overseeing any subsequent required actions. This responsibility is carried out through the SEA sub-group of the Clinical Governance Group and reports back to the main Group are made as necessary.
– Providing support to the Caldicott Guardian and Senior Information Risk Owner (SIRO) for internal Information Governance related issues.
– Ensuring completion of the DSPT and receiving a report on the outcome of its completion.
7. Distribution and Implementation of the policy
Distribution Plan
This document will be made available to all Staff and learners.
A global notice will be sent to all Staff and learners notifying them of the update of this document.
The document will be made available on a shared drive of the clinic’s intranet.
Training Plan
All staff and learners are mandated to undertake appropriate Information Governance training annually.
An online training package using E-Learning for Health is used for update training.
A training needs analysis will be undertaken with Staff and learners when any major changes to policy are required.
8. Monitoring
Compliance with the policy will be monitored via the Clinical Governance group.
The Information Governance Manager is responsible for the monitoring, revision and updating of this document on a two-yearly basis, or sooner if the need arises.
9. Associated Documents
The following documents will provide additional information.
– Freedom of Information Policy
– Data Protection Policy
– Confidentiality Policy
– Document, Records and Lifecycle Management Policy
– Information Systems Security Policy
– Information Sharing Policy
APPENDIX 1
CALDICOTT PRINCIPLES
The 1997 review of the uses of patient identifiable information by Dame Fiona Caldicott devised six general principles of information governance that could be used by all NHS organisations with access to patient information.
The Information Governance Review in March 2013 set out 26 recommendations; these are attached to this policy.
The Caldicott Principles on protecting patient information.
“Only those who are involved with the direct provision of care or with broader work concerned with the treatment or prevention of disease in a population should normally have access to patient identifiable information”
The Caldicott principles were subsequently revised as follows:
1. Justify the purpose(s)
Every proposed use or transfer of patient identifiable information within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed, by an appropriate guardian.
2. Don’t use personal confidential data unless it is absolutely necessary
Personal confidential data items should not be included unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).
3. Use the minimum necessary personal confidential data.
Where use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified so that the minimum amount of personal confidential data necessary for a given function to be carried out is transferred or accessible.
4. Access to personal confidential data should be on a strict need-to-know basis
Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the data items that they need to see. This may mean introducing access controls or splitting data flows where one data flow is used for several purposes.
5. Everyone with access to personal confidential data should be aware of their responsibilities
Action should be taken to ensure that those handling personal confidential data – both clinical and non-clinical staff – are made fully aware of their responsibilities and obligations to respect patient confidentiality.
6. Comply with the law
Every use of personal confidential data must be lawful. Someone in each organisation handling personal confidential data should be responsible for ensuring that the organisation complies with legal requirements.
7. The duty to share information can be as important as the duty to protect patient confidentiality.
Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.
8. Inform patients and service users about how their confidential information is used
A range of steps should be taken to ensure no surprises for patients and service users, so they can have clear expectations about how and why their confidential information is used, and what choices they have about this. These steps will vary depending on the use: as a minimum, this should include providing accessible, relevant and appropriate information – in some cases, greater engagement will be required.
APPENDIX 2
Recommendation 1
People must have the fullest possible access to all the electronic care records about them, across the whole health and social care system, without charge
Recommendation 2
For the purposes of direct care, relevant personal confidential data should be shared among the registered and regulated health and social care professionals who have a legitimate relationship with the individual
Recommendation 3
The health and social care professional regulators must agree upon and publish the conditions under which regulated and registered professionals can rely on implied consent to share personal confidential data for direct care. Where appropriate, this should be done in consultation with the relevant Royal College. This process should be commissioned from the Professional Standards Authority.
Recommendation 4
Direct care is provided by health and social care staff working in multi-disciplinary ‘care teams’. The Review recommends that registered and regulated social workers be considered a part of the care team. Relevant information should be shared with members of the care team, when they have a legitimate relationship with the patient or service user. Providers must ensure that sharing is effective and safe. Commissioners must assure themselves on providers’ performance. Care teams may also contain staff that are not registered with a regulatory authority and yet undertake direct care. Health and social care provider organisations must ensure that robust combinations of safeguards are put in place for these staff with regard to the processing of personal confidential data.
Recommendation 5
In cases when there is a breach of personal confidential data, the data controller, the individual or organisation legally responsible for the data, must give a full explanation of the cause of the breach with the remedial action being undertaken and an apology to the person whose confidentiality has been breached.
Recommendation 6 (section 4.6)
The processing of data without a legal basis, where one is required, must be reported to the board, or equivalent body of the health or social care organisation involved and dealt with as a data breach. There should be a standard severity scale for breaches agreed across the whole of the health and social care system. The board or equivalent body of each organisation in the health and social care system must publish all such data breaches. This should be in the quality report of NHS organisations, or as part of the annual report or performance report for non-NHS organisations.
Recommendation 7
All organisations in the health and social care system should clearly explain to patients and the public how the personal information they collect could be used in de-identified form for research, audit, public health and other purposes. All organisations must also make clear what rights the individual has open to them, including any ability to actively dissent (i.e. withhold their consent).
Recommendation 8
Consent is one way in which personal confidential data can be legally shared. In such situations people are entitled to have their consent decisions reliably recorded and available to be shared whenever appropriate, so their wishes can be respected. In this context, the Informatics Services Commissioning Group must develop or commission:
• guidance for the reliable recording in the care record of any consent decision an individual makes in relation to sharing their personal confidential data; and
• a strategy to ensure these consent decisions can be shared and provide assurance that the individual’s wishes are respected.
Recommendation 9
The rights, pledges and duties relating to patient information set out in the NHS Constitution should be extended to cover the whole health and social care system.
Recommendation 10
The linkage of personal confidential data, which requires a legal basis, or data that has been de-identified, but still carries a high risk that it could be re-identified with reasonable effort, from more than one organisation for any purpose other than direct care should only be done in specialist, well-governed, independently scrutinised and accredited environments called ‘accredited safe havens’.
The Health and Social Care Information Centre must detail the attributes of an accredited safe haven in their code for processing confidential information, to which all public bodies must have regard.
The Informatics Services Commissioning Group should advise the Secretary of State on granting accredited status, based on the data stewardship requirements in the Information Centre code, and subject to the publication of an independent external audit.
Recommendation 11
The Information Centre’s code of practice should establish that an individual’s existing right to object to their personal confidential data being shared, and to have that objection considered, applies to both current and future disclosures irrespective of whether they are mandated or permitted by statute. Both the criteria used to assess reasonable objections and the consistent application of those criteria should be reviewed on an ongoing basis.
Recommendation 12
The boards or equivalent bodies in the NHS Commissioning Board, clinical commissioning groups, Public Health England and local authorities must ensure that their organisation has due regard for information governance and adherence to its legal and statutory framework. An executive director at board level should be formally responsible for the organisation’s standards of practice in information governance, and its performance should be described in the annual report or equivalent document. Boards should ensure that the organisation is competent in information governance practice, and assured of that through its risk management. This mirrors the arrangements required of provider trusts for some years.
Recommendation 13
The Secretary of State for Health should commission a task and finish group including but not limited to the Department of Health, Public Health England, Healthwatch England, providers and the Information Centre to determine whether the information governance issues in registries and public health functions outside health protection and cancer should be covered by specific health service regulations.
Recommendation 14
Regulatory, professional and educational bodies should ensure that:
• information governance, and especially best practice on appropriate sharing, is a core competency of undergraduate training; and
• information governance, appropriate sharing, sound record keeping and the importance of data quality are part of continuous professional development and are assessed as part of any professional revalidation process.
Recommendation 15
The Department of Health should recommend that all organisations within the health and social care system which process personal confidential data, including but not limited to local authorities and social care providers as well as telephony and other virtual service providers, appoint a Caldicott Guardian and any information governance leaders required, and assure themselves of their continuous professional development.
Recommendation 16
Given the number of social welfare initiatives involving the creation or use of family records, the Review Panel recommends that such initiatives should be examined in detail from the perspective of Article 8 of the Human Rights Act. The Law Commission should consider including this in its forthcoming review of the data sharing between public bodies.
Recommendation 17
The NHS Commissioning Board, clinical commissioning groups and local authorities must ensure that health and social care services that offer virtual consultations and/or are dependent on medical devices for biometric monitoring are conforming to best practice with regard to information governance and will do so in the future.
Recommendation 18
The Department of Health and the Department for Education should jointly commission a task and finish group to develop and implement a single approach to recording information about ‘the unborn’ to enable integrated, safe and effective care through the optimum appropriate data sharing between health and social care professionals.
Recommendation 19
All health and social care organisations must publish in a prominent and accessible form:
• a description of the personal confidential data they disclose;
• a description of the de-identified data they disclose on a limited basis;
• who the disclosure is to; and
• the purpose of the disclosure.
Recommendation 20
The Department of Health should lead the development and implementation of a standard template that all health and social care organisations can use when creating data controller to data controller data sharing agreements. The template should ensure that agreements meet legal requirements and require minimum resources to implement.
Recommendation 21
The Health and Social Care Information Centre’s Code of Practice for processing personal confidential data should adopt the standards and good practice guidance contained within this report.
Recommendation 22
The information governance advisory board to the Informatics Services Commissioning Group should ensure that the health and social care system adopts a single set of terms and definitions relating to information governance that both staff and the public can understand. These terms and definitions should begin with those set out in this document.
Recommendation 23
The health and social care system requires effective regulation to ensure the safe, effective, appropriate and legal sharing of personal confidential data. This process should be balanced and proportionate and utilise the existing and proposed duties within the health and social care system in England. The three minimum components of such a system would include:
• a Memorandum of Understanding between the CQC and the ICO;
• an annual data sharing report by the CQC and the ICO; and
• an action plan agreed through the Informatics Services Commissioning Group on any remedial actions necessary to improve the situation shown to be deteriorating in the CQC-led annual ‘data sharing’ report.
Recommendation 24
The Review Panel recommends that the Secretary of State publicly supports the redress activities proposed by this review and promulgates actions to ensure that they are delivered.
Recommendation 25
The Review Panel recommends that the revised Caldicott principles should be adopted and promulgated throughout the health and social care system.
Recommendation 26
The Secretary of State for Health should maintain oversight of the recommendations from the Information Governance Review and should publish an assessment of the implementation of those recommendations within 12 months of the publication of the review’s final report.
APPENDIX 3
CALDICOTT GUARDIAN
The report recommends that a senior person, preferably a health professional, should be nominated in each health organisation to act as a guardian, responsible for safeguarding the confidentiality of patient information.
Mr Mark Norfolk is the Caldicott guardian for St Michael’s Clinic Ltd. He will:
• Ensure that STMC maintains the highest practical standards for handling patient identifiable information (PII).
• Facilitate and enable appropriate information sharing.
• Ensure that confidentiality issues are part of the clinic’s policies, procedures and training for staff and learners.
• Oversee all policies and procedures where confidential patient information is shared with bodies within and outside the NHS.