NHS Kernow Clinical Commissioning Group, herein known as theorganisation, has devolved the responsibility for Registration Authoritymanagement to Cornwall IT Services (CITS), Royal Cornwall Hospitals Trust. From April 2008, NHS Employment Check Standards became arequirement in the NHS as part of the annual health check. Similarly, robustidentity checks were also enforced using the same identity management standards carried out by an NHS organisation's Registration Authority (RA) to verify an individual's identity before allowing access to NHS Care Records Service (NCRS) applications.

All employees working in/with the NHS are bound by a legal duty of confidence to protect personal information they may come into contact with during the course of their work. This is not just a requirement of their contractual responsibilities but also a requirement within the Data Protection Act 2018 and the common law duty of confidentiality. In addition, for health and other care professionals their own profession's Code(s) of Conduct, including the Code of Conduct for NHS Managers, applies. The rights and pledges of the NHS Constitution have been taken into account in the development of this document to ensure that the values and principles of the NHS are upheld.

This Data Protection Policy aims to detail how NHS Kernow meets its legal obligations and NHS requirements concerning confidentiality and information security standards. The requirements are primarily based upon two key pieces of legislation: the Data Protection Act 2018 and the General Data Protection Regulations. However, other relevant legislation and appropriate guidance is also referenced.

Data Quality Policy

Information is a vital asset, both in terms of the clinical management of individual patients and the efficient management of services and resources. It plays a key part in clinical governance, service planning, delivery and performance management.It is of paramount importance to ensure that information is efficiently and securely managed and that appropriate policies, procedures and management accountability and structures provide a robust governance framework for information management.The purpose of this policy is to describe a system that ensures NHS Kernow meets its responsibilities for the management of its information assets and resources.

NHS Kernow is required to have effective arrangements in place to govern the uses of information and information systems within the organisation. It aims to achieve a standard of excellence in Information Governance (IG) by ensuring information is dealt with legally, securely, efficiently, and effectively in the course of NHS Kernow business, in order to commission and support high quality patient care.Within NHS Kernow a framework exists which establishes a set of policies and procedures to ensure that appropriate standards are defined, implemented and maintained. It brings together the legal rules, guidance and best practice. In addition it assists with the assurance processes, including validating the IG processes of the organisations we commission.Information governance is about setting a high standard for the handling of information and giving the organisation and its staff the tools to achieve that. The ultimate aim is to demonstrate that NHS Kernow can be trusted to maintain th

This Policy describes the technical and operational controls in place to protect the organisation's information.

It is NHS policy and a legal requirement that when patient data is used for purposes other than involving direct care, the patient should not be identified unless there is a legal basis to do so, i.e. explicit patient consent.The NHS Confidentiality Code of Practice states the need to effectively anonymise patient data prior to the non-direct care usage being made of the data. Data itself cannot be labelled as primary or secondary use data; it is the purpose of the disclosure and the usage of the data that is either primary or secondary. This means that it is legitimate to hold data in identifiable form, but it becomes essential to ensure that only authorised users are able to have identifiable data disclosed to them. This policy provides the framework for how the organisation will use patient identifiable data for purposes other than the direct care of the patient.

NOTE: NHS Kernow has opted to rely on the Information Governance Alliance's Records Management Code of Practice for Health and Social Care (2016) for managing its health records.

All NHS organisations require safe haven procedures to maintain the privacy and confidentiality of the personal information held and transferred in and out. The implementation of this policy and supporting procedures facilitates compliance with the legal requirements placed upon the organisation, especially concerning sensitive information (e.g. health information).