Obligations, agreements and training
Penrose Health complies with the Data Protection Act 2018 and all other data protection legislation currently in force (e.g. GDPR). These laws set rules on how we can process personal information and give rights to the people whose personal information is used.
All staff who work for Penrose Health are responsible for maintaining confidentiality and for the protection and appropriate use of special categories of personal data, in accordance with the Data Protection Legislation.
Staff have legal obligations regarding IG (under Data Protection Legislation, the common law duty of confidentiality, and professional obligations/codes of conduct) as well as contractual obligations regarding IG (under the confidentiality clauses in contracts and relevant addenda).
To help you fulfil those obligations, we've written this whole IG Homepage, which takes into account all of the laws, requirements, standards and principles laid out here.
You should also keep reading below to see what we're doing as an organisation to make sure everyone remains IG compliant at all times.
Contracts, confidentiality agreements and policies
When you start with Penrose Health, you should be asked to sign a contract (possibly including some addenda depending on when you started). Within this, there are clauses that relate to Information Governance that you are obliged to adhere to.
Separately from your contract, as part of your onboarding documents, you should have been asked to sign a confidentiality policy. We have copied its contents to the Confidentiality Policy page. All employees of Penrose Health (and anyone working on Penrose Health's behalf) are also obliged to adhere to the contents of this document.
If you have not signed these documents or have any questions about them, please contact your Line Manager or the IG Lead.
Awareness and Training
All staff, including volunteers, students, contractors and temporary employees are required to complete and pass Information Governance training on an annual basis.
Training resources will be provided for all staff on key Information Governance issues including, but not limited to:
- Principles of Information Governance
- Information Management
- Data Protection
- Consent
- Confidentiality
- Records Management
An online Information Governance training programme, delivered via our BlueStream training platform, is mandatory for all staff. This may be supplemented by face-to-face training where required.
Current training requirements will be updated when there are changes to the Information Governance assurance framework as outlined by the Department of Health, NHS England and NHS Digital.
Senior staff whose roles require more than the core training (e.g. those who hold roles in our IG People Structure) will be given additional training from time to time as needed.
A full IG Training Needs Assessment will be reviewed and approved by the organisation. This will set out the expected training for staff at all levels of the organisation and for those working within particular specialities.
To check staff training levels, we will periodically audit BlueStream completion data and run staff surveys to gauge how confident staff feel with IG.
If you don't feel you've received appropriate training or have any questions, please contact your Line Manager or the IG Lead.
General principles around IG to be aware of
While you're working with us you might be given, told or find out information (formally or informally) about our patients, your colleagues or practice business. This information must be considered strictly confidential, and should not be shared or discussed except in the proper performance of your duties.
Below we have listed out some key things to bear in mind with regard to IG. This is not a substitute for reading (and signing) our Confidentiality Policy and ensuring you have completed all relevant trainings.
Patient information & sharing information
We have a strict Confidentiality Policy in relation to our patients as we are dealing with personal health information. Patient information must remain confidential unless the patient provides informed consent for its release.
In limited cases it may be necessary to breach confidentiality and disclose information about a patient without their consent, for example where disclosure is in the patient's interest but it is impossible to seek their consent.
An unnecessary breach of confidentiality will be considered gross misconduct, and we might decide that we need to take disciplinary action against you. GPs may also expect disciplinary action to be taken against them by the General Medical Council for an unnecessary breach of confidentiality.
Access to data & patient medical records
All staff at our surgeries have access to our patientsā medical records. All the information in our patientsā records is strictly confidential and should not be accessed without good reason.
- Copies of medical records should not be made other than in the course of your duties, and only with the permission of the Doctor concerned. On no account should copies of medical records be provided to anyone outside of the Practice without the permission of the Doctor concerned.
- Patient records must not be removed from the Practice premises, except where this is necessary for patient consultations in the patient's home or when agreed by the Practice Manager. When transporting or using patient records you must keep them in your personal custody and return them to the Practice premises as soon as possible.
Staff must not attempt to access their own medical records (if they were ever registered with us) or those of friends, family members, or colleagues. Access to your own records may only be granted under the terms of the General Data Protection Regulation, the Access to Health Records Act 1990 and the Access to Medical Reports Act 1988.
Your personal information
While you're employed with us, and for as long as is necessary after you finish working with us, we will need to process data about you. For example, references you gave us during your recruitment, details about your pay, and details of health and sickness absence records.
We keep this information in accordance with the data protection principles mentioned above. We use it for management and administrative purposes only, unless we need to disclose data about you to a relevant third party, e.g. if we're legally required to by HMRC, or you ask us for a reference.
In some cases the Practice may hold sensitive data, which is defined by the legislation as special categories of personal data, about you. For example, this could be information about health, racial or ethnic origin, criminal convictions, trade union membership, or religious beliefs. This information may be processed not only to meet the Practice's legal responsibilities but, for example, for purposes of personnel management and administration, suitability for employment, and to comply with equal opportunity legislation. Since this information is considered sensitive, the processing of which may cause concern or distress, you will be asked to give express consent for this information to be processed, unless the Practice has a specific legal requirement to process such data.
Data security and unauthorised disclosures
You're responsible for making sure that any personal data you hold and process as part of your job role is stored securely. You must make sure that no information is disclosed by any means, accidental or otherwise. Any unauthorised disclosure will be considered gross misconduct, and we might decide that we need to take disciplinary action against you.
Data breaches
A data breach is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, someone's personal data. For example, accidentally sending a patient's test results to the wrong patient, or losing a laptop that has patient information saved on it.
In the event that we become aware of a breach, or a potential breach (a 'close call'), an investigation will be carried out by the Practice Manager.
We record all data breaches, whether or not they are notifiable, as part of the general accountability requirement under the Data Protection Act 2018. We'll record the facts relating to the breach, its effects, and any remedial action taken.
For more details on this, and information on how to report an incident or breach, please visit our Incident Reporting page.
If you have any concerns, or you feel there are generally systematic issues, you can raise a concern through our Whistleblowing process. Take a look at our Whistleblowing page to learn more.