Good information handling provides a range of benefits as well as helping you to comply with the Data Protection and Freedom of Information Acts. Our information rights checklist (pdf) lists the benefits and risks, along with practical suggestions for how to be open and responsible.
Earlier this year, the NHS Commissioning Board (NHS England) announced plans to introduce a new system for collecting and analysing data called care.data.
In October we received an updated plan from NHS England which confirms that the data extraction for the care.data system will not begin until spring 2014. Further guidance has been provided by NHS England to GPs to enable them to more clearly understand the process and to ensure they are fully aware of their fair processing obligations under the Data Protection Act.
We've also written some FAQs for GPs in relation to the fair processing requirements of the Data Protection Act.
Changes to the health and care system
On 1 April 2013 there were significant changes in the NHS. We've written some FAQs for bodies involved in the transition to process the information they hold in accordance with the Data Protection Act and the Freedom of Information Act.
Data protection – looking after the information you hold about patients
If you handle and store information about identifiable, living people – for example, about patients – you are legally obliged to protect that information.
Under the Data Protection Act, you must:
- only collect information that you need for a specific purpose;
- keep it secure;
- ensure it is relevant and up to date;
- only hold as much as you need, and only for as long as you need it; and
- allow the subject of the information to see it on request.
Requests for personal information
Your patients have rights to see their personal information. They can make a subject access request to see the personal information you hold about them.
Data breaches in the health and care system
The health sector handles some of the most sensitive personal data, and patients have the right to expect that information will be looked after. It is important that all IG SIRIs (Information Governance Serious Incidents Requiring Investigation) that occur in health, public health and adult social care services are reported at the earliest opportunity, and are handled effectively.
All health service organisations in England must now use the IG Toolkit Incident Reporting Tool. This will report IG SIRIs to the Health and Social Care Information Centre (HSCIC), Department of Health, ICO and other regulators. Health service bodies in Scotland, Wales and Northern Ireland should submit a report to the ICO using our Security breach notification form.
- Read the HSCIC checklist and guidance on reporting incidents (pdf)
- Report an incident using the IG Toolkit Incident Reporting Tool
- Email the HSCIC helpdesk
Registering with the ICO
If you handle personal information, you may need to register with us as a data controller. Notification is a statutory requirement and every organisation that processes personal information must notify the ICO, unless they are exempt. Failure to notify is a criminal offence.
As an employer, you are obliged to protect your employees’ personal information.
- Employment topic guide
- Quick guide to the employment practices code (pdf)
- Subject access code of practice (pdf)
We've published two reports detailing some of the good practice and areas for improvement we have seen in both the NHS and the health sector at large.
- Audit outcomes - NHS (February 2010 - July 2012) (pdf)
- Audit outcomes - health (August 2012 - January 2014) (pdf)
We’ve published a report highlighting some areas of good practice and potential improvement for GP practices.
Freedom of information – making public information available
The Freedom of Information Act means that public authorities must disclose official information when people ask for it (unless there is a good legal reason not to), and they must reply within 20 working days. Find out more about your freedom of information obligations.
If you work for a public authority, the Freedom of Information Act says you must produce a publication scheme, which outlines the information you will routinely make available to the public - such as minutes of meetings, annual reports or financial information. To help you do this, we have produced definition documents.
- Community Health Councils, Wales (pdf)
- Health bodies in England (pdf)
- Health bodies in Northern Ireland (pdf)
- Health bodies in Wales (pdf)
- Patient and Client Care Council - Northern Ireland (pdf)
- Health regulators (pdf) – updated 30 April 2014
Find out about the obligations of health practitioners:
- Template guide to information for dentists
- Template guide to information for dentists (Welsh language version)
- Template guide to information for general practitioners
- Template guide to information for general practitioners (Welsh language version)
- Template guide to information for optical contractors
- Template guide to information for optical contractors (Welsh language version)
- Template guide to information for pharmacy businesses
- Template guide to information for pharmacy businesses (Welsh language version)
Medical records of the deceased
Health organisations often get freedom of information requests relating to the medical records of the deceased. There are no special exemptions under the Act about the deceased, but you do need to consider whether the information is sensitive.
Health and safety
Some information may be exempt from release under the Freedom of Information Act if it would be likely to endanger people’s health and safety.
Our training page has videos and practical toolkits to help you promote good data protection practice in your own organisation.