Information Governance & Data Protection Policy

Document Control

A. Confidentiality Notice


This document and the information contained herein are the property of House of Health UK (“the Organisation”).


This document contains information that is privileged, confidential, or otherwise protected from disclosure. It must not be used, nor its contents reproduced, copied, or disclosed, without prior written consent from House of Health UK.


1. Summary


Information holds immense value, both in the clinical care of patients and in the efficient operation of services and resources. It plays a pivotal role in clinical governance, service planning, and performance management. Consequently, it is imperative to ensure the effective management of information. This involves the establishment of robust governance structures, policies, procedures, and accountability mechanisms. This policy should be considered in conjunction with the Confidentiality Policy.


2. Relevant CQC Fundamental Standard/H+SC Act Regulation (2014)


Regulation 15: “Premises and Equipment”


3. Guiding Principles

  • Patient records generated at House of Health UK are the property of the clinic.
  • User records must be securely stored, preventing unauthorised access.
  • User records should never be left unattended.
  • House of Health UK holds the responsibility for record security.
  • Records must be retained for the duration specified in Part 1 of Schedule 3 of The Care Standards Act 2000.
  • Any statutory regulations related to the destruction of user records will be followed.
  • The security of records provided to patients is the patient’s responsibility.
  • Computer-held data is password-protected, and access is limited, following the confidentiality policy.


The Organisation recognises the need to balance openness and confidentiality in information management. It supports corporate governance and public accountability while safeguarding personal, staff, and commercially sensitive information. Patient information may be shared with other healthcare organisations and agencies in a controlled manner, respecting patient and public interests.


The Organisation acknowledges that accurate, timely, and relevant information is essential for high-quality healthcare. It is the responsibility of all staff to ensure information quality and its active use in decision-making processes.


There are four interconnected aspects of the Information Governance Policy:


a) Openness

  • Non-confidential information about the Organisation and its services is available to the public, following the Organisation’s code of openness.
  • Policies ensure compliance with the Freedom of Information Act.
  • The Organisation conducts reviews of its openness policies.
  • Patients have access to information about their healthcare, treatment options, and patient rights.
  • The Organisation has procedures for interacting with the media and handling queries from patients and the public.


b) Legal Compliance

  • All personally identifiable information, including that of patients, is considered confidential.
  • The Organisation reviews its compliance with legal requirements annually.
  • Staff personal information is considered confidential, except when national policy requires otherwise.
  • Policies ensure compliance with the Data Protection Act, Human Rights Act, and common law confidentiality.
  • Policies establish controlled sharing of patient information with other agencies, considering relevant legislation.


c) Information Security

  • Policies ensure effective and secure management of information assets and resources.
  • Information and IT security arrangements are reviewed annually.
  • The Organisation promotes confidentiality and security through policies, procedures, and training.
  • Incident reporting procedures are established, and all reported breaches are monitored and investigated.
  • Data is stored confidentially and securely; passwords are changed whenever compromise is known or suspected, and shared or default passwords are not used.
  • Information and data are disposed of safely, following current guidelines.


d) Information Quality Assurance

  • Policies and procedures ensure information quality assurance and effective records management.
  • The Organisation conducts annual assessments of information quality and records management.
  • Managers are responsible for improving information quality within their services.
  • Information quality is assured at the point of collection.
  • The Organisation promotes information quality and records management through policies, procedures, and training.


4. Responsibilities


The CQC Registered Manager defines the Organisation’s Information Governance policy, considering legal and healthcare requirements, and ensures adequate resources for policy support. The CQC Registered Manager serves as the Information Governance Lead, overseeing daily Information Governance matters, developing and maintaining policies and standards, raising awareness, and ensuring ongoing policy compliance.

All staff, including permanent, temporary, or contracted employees, and contractors, are responsible for daily compliance with Information Governance requirements.


5. Policy Approval


The Organisation recognises information as a valuable asset and commits to ensuring compliance with this policy. Staff, contractors, and relevant parties are expected to adhere to this policy to ensure Information Governance compliance and effective healthcare delivery to the local population.


6. Caldicott Guardian


6.1

The Caldicott Guardian, a senior official, is responsible for safeguarding the confidentiality of patient and service-user information and facilitating appropriate information sharing. Every CQC regulated organisation must appoint a Caldicott Guardian. In our Organisation, the Practice Manager is responsible for designating a Caldicott Guardian.


6.2

Personally identifiable information exists in various forms, including digital storage, network transmission, physical paper records, spoken communication, and recordings. The Organisation must ensure the integrity, confidentiality, and availability of sensitive information.


6.3

No one associated with the Organisation, including staff from commercial partners and volunteer groups, is permitted to share personally identifiable information unless authorised by the Organisation’s Caldicott Guardian. Authorisation is typically granted when access is essential on a need-to-know basis and aligns with Caldicott principles.


6.4


The Caldicott standard was originally built upon the six principles below. A seventh principle (the duty to share information for individual care can be as important as the duty to protect confidentiality) was added in 2013, and an eighth (inform patients and service users about how their confidential information is used) in 2020; the Caldicott Guardian applies the current set of principles.

  • 6.4.1 Justify the Purpose: Every use or transfer of personally identifiable information must have a clear and defined purpose, subject to ongoing scrutiny by the Caldicott Guardian.
  • 6.4.2 Minimise Use of Personally Identifiable Information: Personally identifiable information should only be used when absolutely necessary, with no suitable alternatives.
  • 6.4.3 Use the Minimum Necessary Personally Identifiable Information: When using personally identifiable information, justify each individual data item’s necessity, aiming to minimise identification potential.
  • 6.4.4 Strict Need-to-Know Access: Only individuals requiring access to personally identifiable information for specific purposes should have access, and they should only access the necessary data items.
  • 6.4.5 Staff Awareness and Responsibility: Measures should be taken to ensure that all staff handling personally identifiable information are aware of their confidentiality responsibilities and obligations.
  • 6.4.6 Legal Compliance: Every use of personally identifiable information must comply with the law, respecting individuals’ right to expect their confidential information will be used only for the intended purposes and not disclosed without informed consent.


7. Confidential Waste Management


7.1


Confidential waste is defined as waste containing personally identifiable information or business-sensitive data. The following are specific materials classified as ‘confidential’ and require secure disposal:

  • Data related to future organisational activities.
  • Payroll and pension data.
  • Special category data (termed “sensitive personal data” under the 1998 Act) as defined by the Data Protection Act 2018 and the UK General Data Protection Regulation (GDPR).
  • High-level personal data, including information about staff disciplinary proceedings or harassment.
  • Clinical records.
  • Records of a commercially sensitive nature, such as contracts, tenders, purchasing and maintenance records, or legal documents.
  • Records containing sensitive information in multimedia formats like video, DVD, photographs, etc.


7.2


The Organisation has a legal obligation under the Data Protection Act 2018 and the UK GDPR to protect all personally identifiable information. The security principle (Article 5(1)(f) UK GDPR, formerly the seventh principle of the Data Protection Act 1998) requires appropriate technical and organisational measures to prevent unauthorised or unlawful processing and accidental loss, destruction or damage of personal data.


7.3


The Organisation acknowledges its duty to safeguard all personally identifiable and confidential information related to its business activities from public exposure. Proper control of record destruction minimises vulnerability to legal challenges and financial losses.


7.4


All staff members, whether clinical or administrative, have the responsibility to ensure the effective, secure, and policy-compliant destruction of confidential information. Any breach of confidentiality is treated as a security incident and must be reported following the Organisation’s Incident Reporting Policy.


7.5


To meet legal requirements, the Organisation must retain records appropriately. Records that have reached the end of their lifecycle should be destroyed using one of the following methods:

  • Internal Shredding: Cross Cut Shredder
  • Use of External Confidential Waste Disposal Company (if necessary)


8. Subject Access to Clinical Records Policy


Please refer to the separate “Subject Access to Clinical Records Policy.” Note that since the introduction of GDPR in May 2018 a fee cannot normally be charged for Subject Access; a reasonable fee may be charged only for requests that are manifestly unfounded or excessive, or for further copies of the same information.


9. Information Risk Management


As the Organisation increasingly relies on computerised systems for communication and information management, the associated risks rise. These include risks to confidentiality, data integrity, system availability and business continuity, as well as legal and regulatory exposure under data protection law. These risks will be reviewed and managed in line with the Organisation’s broader Risk Strategy.


10. Virus Protection


Anti-virus software will be installed, enabled, and regularly updated on all personal computers and notebooks/laptops used by the Organisation’s staff. The anti-virus software will be configured to check all infectible file types from local drives, the Internet, and email. Any actual or potential computer virus threats will be promptly addressed.


11. Hardware and Media Disposal


The Organisation will implement procedures to prevent accidental disclosure of personal or sensitive data when disposing of hardware or media. Reformatting or simply deleting files does not remove the underlying data, so procedures will require secure overwriting of storage media (or cryptographic erasure where the media is fully encrypted) or, preferably, physical destruction of media that has held confidential information, with a record kept of what was destroyed and when.


12. Access Controls


  • Key equipment and paper records will be stored in a locked safe, with access to the key or combination restricted to named staff.
  • Computers will be password-protected, and confidential information will be encrypted.
  • Access is restricted to the Organisation’s staff exclusively.


13. Environmental Controls


Key equipment and paper records will be in environments with appropriate temperature, humidity, and dust controls. Fire risks will be minimised with smoke detectors and alarms.


14. Control of Software Systems


Unlicensed software installations are prohibited. Records of software licenses and evidence of purchases and renewals will be maintained.


15. Information for the Public and Users


Information for the public will be made available through the website. Users and their relatives can access information about personal care and treatment under Subject Access provisions, complying with the Data Protection Act 2018.


16. IT Business Continuity Plan


The Organisation will establish arrangements for business continuity in the event of IT system or communication failures. Plans will cover data restoration, hardware and communications fallback, interim measures for clinical messaging, and paper-based records. (Please refer to the Business Continuity Plan Policy).


17. Sharing of Data with Other Agencies


The Organisation acknowledges that other agencies may require service user information in the course of their duties. Information sharing will only occur when there is a clear business need, ensuring confidentiality. Personal data sharing will require prior consent unless there are compelling public interest reasons or court authorisation. Records of shared information will be maintained, and confidentiality breaches will be treated as security incidents.


18. Records Retention


Records pertaining to service users and non-clinical functions, such as accounting and financial matters, will be retained according to statutory timeframes. For details, please refer to the Data Retention Policy.


19. IT Security Incidents


The term “significant incident” may vary in interpretation but should encompass any event resulting in system downtime, data loss or corruption, suspected unauthorised access, virus detection, or suspected malicious attempts to disrupt services or data. Incidents that compromise our information governance responsibilities may include:

  • Loss or theft of data or data-containing equipment.
  • Unaudited access due to inappropriate access controls.
  • Equipment malfunctions.
  • Human errors.
  • Unforeseen events like fires or floods.
  • Hacking attempts.
  • Deceptive actions (e.g., “blagging”) to obtain information from the Organisation.


Any such incident should be promptly reported to the Organisation’s Practice Manager or its designated person, who will assess:


  • Legal or contractual requirements for notification.
  • Alignment with the security principle (Article 5(1)(f) UK GDPR, formerly the seventh Data Protection principle): “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
  • How notification can benefit affected individuals.
  • Whether notifying the Information Commissioner’s Office (ICO) is required. Under the UK GDPR a personal data breach that is likely to result in a risk to individuals’ rights and freedoms must be reported to the ICO without undue delay and within 72 hours of becoming aware of it, and affected individuals must be informed where the risk is high.
  • Tailoring notifications for specific groups of individuals, such as children or vulnerable adults.
  • Avoiding unnecessary notifications, as not every incident warrants them.
  • Consideration of who to notify, the content of notifications, and the communication method.
  • Including essential details in notifications, such as the incident’s description, timing, and the data involved.
  • Providing clear guidance to individuals on protecting themselves and offering assistance.
  • Offering a contact method for further information or inquiries.


The Organisation will maintain a record of significant IT-related security incidents, including date, time, location, discovery, incident description, corrective actions, and preventive measures.


Any severe information breach should be reported to the Information Commissioner’s Office, including breaches of the Data Protection Act (DPA) and UK GDPR, breaches of the Privacy and Electronic Communications Regulations (PECR), or unlawful obtaining of personal data (formerly a section 55 DPA 1998 offence, now section 170 of the Data Protection Act 2018). Notifications can be made via the ICO website.


20. General Data Protection Regulation (GDPR)


Since May 2018, GDPR has applied in the UK; following the UK’s exit from the EU it is retained in domestic law as the UK GDPR, read alongside the Data Protection Act 2018, and places increased responsibility on organisations handling data. House of Health UK commits to full compliance and ensures the following:

  • Privacy Notices: Privacy Notices will be published, outlining how data of service users and staff is used, stored, and disposed of. These notices will be regularly reviewed and updated.
  • Consents: Where consent is the lawful basis relied upon, service users and staff will be asked to provide it for data holding, usage, disposal, and sharing as part of their initial consent to receive services or employment. Where processing relies on another lawful basis (for example, the provision of health care under Article 9(2)(h) UK GDPR, or the performance of an employment contract), the Privacy Notice will state that basis.
  • Information Commissioner’s Office (ICO): The Organisation will maintain registration with the ICO, ensuring ongoing compliance with ICO obligations.
  • Subject Access: Service users and staff will be allowed access to their information, subject to statutory exemptions, without charges.
  • Data Protection Officer: A designated Information Lead/Data Protection Officer will oversee GDPR compliance, promote awareness, provide training, and conduct audits.
  • Data Retention: Data will be retained within legal timeframes, guided by Department of Health data retention guidelines.
  • Data Analysis: Comprehensive records will be maintained, detailing information storage, responsible parties, and security access controls.
  • Email Accounts: Email footers will emphasise data confidentiality and secure handling.
  • Staff Training: Staff will receive GDPR training, focusing on Subject Record Access requests and data breach responses.
  • Staff Records: Staff records will be securely held, whether in hard copy or electronically, with appropriate safeguards.
  • Policies: Relevant GDPR policies, including Subject Access to Records, Data Breaches, and Information Governance, will be developed and regularly updated.
  • Data Disposal: Data disposal will be confidential and secure, including cross-shredding for hard copies and industry-standard destruction for data.
  • Data Breaches: Any data breach or suspected breach will be reported internally to the CQC Registered Manager and Data Protection Officer, with external notifications made as necessary (e.g., to the ICO, commissioners, and affected subjects).
  • Virus Checks/Firewalls: Adequate virus checks and firewalls will be maintained to address data protection requirements under GDPR.
  • Third-Party Suppliers: Responsibility for data processed by third parties will be set out in a written contract, as Article 28 UK GDPR requires for processors, including the security measures expected, indemnities, and the actions to be taken (including prompt notification to the Organisation) in case of a data breach, loss or destruction.


21. Professional Responsibilities


Professional staff are required to maintain contemporaneous notes of service user consultations. Electronic records must be clearly attributable.