Keeping your information confidential and secure

2018-07-11T10:52:50+00:00

Our commitment to your privacy

NHS Dorset Clinical Commissioning Group recognises the importance of protecting personal and confidential information in all that we do, and takes care to meet our legal duties under Data Protection Law. The CCG puts in place all reasonable technical, security and procedural controls required to protect your personal information for the whole of its life, in whatever format we hold that information.

How do we keep your information confidential and secure?

Within the health sector, we have to follow the Common Law Duty of Confidence, which means that where identifiable information about you has been given in confidence, it should be treated as confidential and only shared for the purpose of providing direct healthcare. The NHS Care Record Guarantee and the NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.

Everyone working in, or for, the NHS Dorset CCG must use personal information in a secure and confidential way. We are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All CCG staff, contractors and Governing Body members are mandated to attend annual training to ensure they are aware of their personal responsibilities and contractual obligations to uphold confidentiality. This is monitored by the CCG and can be enforced through disciplinary procedures. We ensure that any external companies who support us are legally and contractually bound to operate security arrangements, and to prove that they are in place, wherever data that could or does identify a person is processed.

We also ensure that the information we hold is kept in secure locations, and restrict access to information to authorised personnel only. We use administrative and technical controls to do this. We protect personal and confidential information held on equipment such as laptops with encryption (which masks data so that unauthorised users cannot see or make sense of it). We use strict controls to ensure that only authorised staff are able to see information that identifies you. Only a limited number of authorised staff have access to information that identifies you, where it is appropriate to their role and strictly on a need-to-know basis.

The CCG has an Executive Director responsible for protecting the confidentiality of patient information, called the Caldicott Guardian. This role is carried out by the Director of Nursing and Quality who can be contacted by emailing dataprotection.requests@dorsetccg.nhs.uk or by telephoning 01305 368070.

How the law protects you

Your privacy is protected by law, which says that we can use your personal information only if we have a proper reason to do so. This includes sharing it outside of the CCG. The reasons why the CCG may process your personal information are:

  • to fulfil a contract we have with you;

  • when it is our legal duty;

  • when it is in the public interest or to carry out our official duties as a CCG; or

  • when you consent to it.

Sending personal information outside of the EEA

Data protection law holds all countries in the European Economic Area (EEA) to the same high standards. If we transfer information outside of the EEA, we will make sure that it is protected to these standards. We will only send your personal information to countries outside of the EEA to:

  • follow your instructions;

  • comply with a legal duty; or

  • work with other third-party organisations (as detailed above) who we use to help provide our services to you.

We will always use one or more of these safeguards:

  • transfer it to a non-EEA country with privacy laws that give the same protection as the EEA;

  • put in place a contract with the recipient that means they must protect it to the same standards as the EEA; or

  • transfer it to organisations that subscribe to Privacy Shield. This is a framework that sets privacy standards for personal information sent between the US and EU countries.

How long we keep your personal information

We will only keep your personal information in accordance with the national guidance from the Department of Health set out in the Records Management Code of Practice for Health and Social Care 2016 and the CCG’s Records Retention Policy.