Introduction

Kidney Cancer Support Network (KCSN) is committed to the values of integrity, accountability and openness. KCSN is also committed to ensuring the safety of personal data and to enforcing the message that misuse of personal data within the organisation is not acceptable and will not be tolerated.

KCSN will act in compliance with current guidelines and best practice to provide high quality, timely, accurate and secure information.

This policy will outline KCSN’s methods of managing and ensuring the security of personal data and health information.

Purpose

Information governance is a framework for handling and managing information to ensure appropriate and reliable collection, storage, processing, access, security and confidentiality.

This policy aims to ensure that all KCSN consultants, volunteers and trustees are aware of their individual responsibilities in relation to the management and governance of information.

The guidelines within this policy cover all types of information retained by KCSN. This includes but is not limited to information held in:

  • Electronic equipment such as computers, tablets, smart phones, dictation equipment, MP3 players and cameras
  • Paper-based records.

The information/data covered by this policy includes, but is not limited to the following:

Personal data constitutes all information that:

  • Can be used to identify an individual
  • Can be combined with other information to identify an individual

Sensitive personal data relates to any identifiable information regarding the subject’s:

  • Racial or ethnic origin
  • Political opinions
  • Religious belief or similar
  • Trade union affiliation
  • Information relating to an individual’s sexual orientation
  • Commission or allegation of any offence

KCSN data relates to any sensitive organisational information, including:

  • Meeting schedules, agendas and minutes of trustees’ meetings
  • Financial accounts
  • Contracts
  • Policies and procedures

 

Failure to follow this policy could result in contractual/agreement action.

Policy

This policy will establish a consistent approach by which KCSN addresses all aspects of the management of information; including generation, collection, processing, access, use, storage and ultimately disposal. It will do this by:

  • Requiring that information is kept confidential in line with the requirements of the Data Protection Act (1998)
  • Establishing mechanisms for members of the KCSN community to have access to their own information, with clear procedures and arrangements for handling queries from members
  • Ensuring KCSN has clear procedures and arrangements for handling information requests from the press and broadcasting media
  • Establishing mechanisms to allow the purpose and quality of KCSN information to be monitored and maintained, and to ensure that it is appropriate for the purposes intended.

This policy applies to all consultants and volunteers working with KCSN, including trustees.

It is the policy of KCSN to ensure that:

  • Information is protected against unauthorised or unlawful access
  • Confidentiality of information is assured
  • Technical integrity of information is maintained
  • Regulatory requirements and guidelines are met
  • Information technology systems are used in a manner that prevents the release of information (by accident or deliberate/criminal act), ensures their safe use, and avoids damage to the specific system or any other system to which it is connected
  • Information that can be used to identify a person, including confidential information about that person, business information, and confidential corporate information, is restricted to authorised users only

All consultants, volunteers and trustees working with KCSN are to be made aware of Information Governance so that an assurance can be provided that they understand the policy.

All breaches of information security, actual or suspected, will be reported to and reviewed by the KCSN Board of Trustees.

Roles and responsibilities

A member of the Board of Trustees will be appointed to have overall responsibility for information governance within KCSN, and to advise the board on the effectiveness of information risk management across the organisation. This person will also act as the Data Protection Officer and be responsible for ensuring consultants and volunteers working for KCSN comply with the requirements of the Data Protection Act (1998) and other mandatory national standards and processes.

All consultants, volunteers and trustees operating on behalf of KCSN are required to comply with the guidelines of the Data Protection Act (1998) when dealing with sensitive personal data, and the requirements of the KCSN Information Governance policy. They are responsible for protecting the integrity, security and confidentiality of personal data/information (both manual and electronic), and for ensuring that any personal information gathered in the course of their work is only used for the stated purpose of gathering the information and kept secure.

An external IT consultancy will provide robust security measures to adequately support the KCSN server holding all personal data/information. The IT consultancy will also be responsible for anonymisation and pseudonymisation of personal data for transfer to external organisations for data management, analysis and reporting. The IT consultancy will provide assurances to the Board of Trustees, including the processes used for anonymisation and pseudonymisation of personal data.

Policy effect

KCSN will:

  • Establish and maintain policies and procedures to ensure compliance with the Data Protection Act, the Common Law Duty of Confidentiality, and any other legislation that is relevant to the processing of personal information
  • Establish mechanisms to ensure that consultants, volunteers and trustees are aware of and understand their responsibilities
  • Recognise the need for an appropriate balance between openness and confidentiality in the management and use of information
  • Be publicly accountable and ensure that the principles of corporate governance are fully supported
  • Regard person identifiable information relating to the members of KCSN and their relatives as confidential, except where there is an overriding legal requirement to share information
  • Regard person identifiable information about consultants, volunteers and trustees as being confidential, except board members that may require otherwise, and where legislation permits
  • Recognise that equal importance must be placed on the need to ensure high standards of data protection and confidentiality to safeguard both personal data/information and KCSN data
  • Comply with the appropriate legal and regulatory frameworks and guidelines relating to the Data Protection Act and the Common Law Duty of Confidentiality.

Protection of Information

This includes the maintenance of standards associated with the Data Protection Act (1998) and the Common Law Duty of Confidentiality. High standards within this area will be ensured by KCSN through:

  • Maintenance of policies to effectively incorporate the requirements of key legislation within KCSN’s processes for the effective and secure management of information
  • Promotion of effective confidentiality, data protection and security practice to consultants, volunteers and trustees through policies and procedures.

Data Security Arrangements

  • Manual paper records containing person identifiable information should be stored in locked cabinets
  • Access to any computer or tablet must be password protected, and the password must not be shared. Computers and tablets should not be on view or accessible to unauthorised persons, and password-protected screen savers should be in use.
  • Personal data/information must be held on the KCSN server, not stored on local hard drives. KCSN consultants, volunteers and trustees must be aware of the high risk of storing information locally and take appropriate security measures
  • Personal data/information sent by email must be safely stored and archived. Great care should be taken in sharing personal data/information via email – it should be password protected and procedures undertaken to ensure that the correct person has received it.

Systems and Applications

The following rules must apply:

  • Consultants, volunteers and trustees who require access to KCSN’s systems must be appropriately authorised
  • Levels of access to KCSN’s systems must be given based upon the role of the consultant or volunteer
  • Access to KCSN’s systems will be given on a need to know basis and such access will be recorded
  • Password access is given to individuals; authorised consultants and volunteers should not under any circumstances allow their access to be used by others.

Anonymisation

Anonymisation is a process by which identifiable information is removed from data so that the individuals from whom the information was collected remain anonymous. If personal data is shared, either internally or externally, all identifying factors should be removed.

Pseudonymisation

Pseudonymisation is a process by which a pseudonym is applied to identifiable data for the purposes of sharing the data. If personal data is shared, either internally or externally, all identifying factors should be removed.

Sharing Information with External Organisations

When sharing personal data with external organisations, KCSN must seek assurance that these organisations have appropriate processes for receiving personal data. KCSN must be assured that these organisations will comply with the requirements of this policy, and meet legislative and related guidance requirements relating to the Data Protection Act and the Common Law Duty of Confidentiality.

Consultants, volunteers and trustees sharing personal data with other organisations should be aware of the agreements between KCSN and the organisation concerned.

KCSN will:

  • Be responsible for the pseudonymisation of personal data before the data are shared with external organisations
  • Support the transition processes of pseudonymised personal data back to identifiable data, if subsequently required
  • Only supply identifiable personal data to consultants, volunteers or trustees authorised to use these data
  • Be responsible for most of the inter-organisational communication and transfers of pseudonymised personal data to external organisations.

Consultation and review process

This and previous versions of this Policy have been the subject of consultation and discussion with the board.

*Consultants, contractors and volunteers (including trustees) of the charity will be required to comply with the content of this policy.

Policy Updated: August 2016

Next Review: August 2017
