
1.5 Policy for the Secure Handling of Protected Information

Contents

  1. Purpose
  2. Scope
  3. Definition of Protected Information
  4. Data Handling Principles
  5. Incident Reporting
  6. Partner Organisations - GMSCB Expectations

    Appendix 1: GMSCB Secure Data Handling Policy

    Appendix 2A: Security Classification

    Appendix 2B: Handling Protected Documents

    Appendix 2C: Record Retention Criteria

    Appendix 3: Key Legislation

    Appendix 4: Golden Rules of Data Protection


1. Purpose

1.1

The Greater Manchester Safeguarding Children Boards (GMSCB) are committed to ensuring the availability, confidentiality and integrity of Protected Information, irrespective of whether this is held electronically, on paper or in other formats.

The purpose of this policy is to set out:

  • The principles guiding GMSCB's approach in ensuring secure data handling of Protected Information;
  • The incident reporting procedures GMSCB has adopted;
  • The expectations on partners with whom GMSCB necessarily works closely in discharging its statutory functions.
1.2

This policy relates to:

  • Information generated directly by GMSCB; the purpose of which is to inform the members of the Boards and partner organisations e.g. policies and procedures, business plans;
  • Information shared with GMSCB by others to facilitate the discharge of GMSCB functions;
  • Information shared by GMSCB with others to facilitate the discharge of GMSCB functions.


2. Scope

2.1 This policy applies to employees of GMSCB; the GMSCB and Executive; and all Subgroups and other multi-agency fora of the Board. The policy also applies to any third parties appointed under the terms of a contract to provide professional and/or other services (i.e. data processors) for GMSCB involving Protected Information under the control of GMSCB.
2.2 The expectations on Partner Organisations who support the functions of the GMSCB are set out in Section 6, Partner Organisations - GMSCB Expectations.


3. Definition of Protected Information

3.1

Protected Information is defined as:

  1. Protected Information about people;

    All people-related information enabling a child or a living person to be identified (for example family members and non-publicly available information about employees, such as full name in combination with home address or other identifiers), especially where this contains "sensitive" personal data as defined under the Data Protection Act 1998 and/or information protected by the common law obligation of confidence;

    The Data Protection Act 1998 defines sensitive personal data as: (a) the racial or ethnic origin; (b) political opinions; (c) religious beliefs or other beliefs of a similar nature; (d) trade union membership; (e) physical or mental health or condition; (f) sexual life; (g) commission or alleged commission of any offence; or (h) the disposal of proceedings relating to the commission or alleged commission of an offence or the sentence of any court in such proceedings. Although not defined as sensitive for DPA purposes, society regards financial information (bank account details etc.) as confidential;
  2. Protected Information which is not about people;

    This includes information whether in draft or final form which in the wrong hands has the potential to cause harm, including but not limited to the following examples:
    • By damaging the reputation of GMSCB and/or any of its partners;
    • By disclosing information of a confidential nature whether or not it is protected by common law (e.g. legally privileged information);
    • Revealing the internal operations/investigating practices of partner bodies not otherwise in the public domain.


4. Data Handling Principles

4.1 GMSCB undertakes to ensure that it implements organisational and technical security measures appropriate to the nature and sensitivity of the Protected Information and the degree of harm which may be caused if the Protected Information were to become compromised.
4.2

Specifically, GMSCB will ensure that:

  • Protected Information is communicated with members of the GMSCB Executive, the Board, Sub-Groups; Independent Consultants; and with external bodies by secure electronic means;
  • All communications and documents containing Protected Information are protectively marked to draw attention to the level of security the recipient must observe (see Appendix 4 for an explanation of the levels used by GMSCB and the appropriate electronic methods for distribution);
  • Any Protected Information distributed in paper form at meetings convened by GMSCB is returned to GMSCB officers on conclusion of the meeting and is not in any circumstances physically removed from secure GMSCB premises.


5. Incident Reporting

5.1 GMSCB is committed to ensuring it reacts appropriately to any actual or suspected security incident.
5.2 A security incident occurs whenever there is reason to believe that security has been compromised resulting in unauthorised access, misuse, modification, corruption, loss or theft of Protected Information assets.
5.3

Anyone acting under the auspices of GMSCB who knows, or suspects, a security breach involving Protected Information assets under the control of GMSCB has occurred must:

  • Take any obvious safe steps to reduce the harm/risk by preventing any further loss of the data, system intrusion or unauthorised access;
  • Assess whether any lost or stolen data is potentially recoverable and what reasonable steps may be necessary to achieve this;
  • Report the incident quickly and no later than 24 hours after discovery to the relevant LSCB Business Manager or the Independent Chair of the LSCB (or, out of hours in an emergency, the police).
5.4

An urgent assessment will be undertaken by the Independent Chair and/or the Business Manager to determine:

  • The severity of the breach;
  • The process for investigating what has happened;
  • How and why it has happened;
  • Who was involved;
  • The actions required to contain the incident;
  • Who needs to be informed of the breach and by whom;
  • Any lessons to be learned to reduce the risk of a similar event in the future.
5.5 If the incident is severe and/or requires a multi-agency response, an incident response team will be urgently convened to risk assess the actions required to recover from and contain the incident. The nature and severity of the incident will determine the team members and timeframe for the meeting.
5.6 Where compromised information originates from a partner organisation, GMSCB undertakes to notify the partner organisation on a timely basis.
5.7 GMSCB has resolved to report any incident involving the loss or theft of Protected Information with the potential to cause an individual harm to GMP for investigation; this will be facilitated through the Force Duty Officer.


6. Partner Organisations - GMSCB Expectations

6.1 The GMSCB recognises that Partner Organisations are separate data controllers and will have their own policies relating to secure data handling and incident reporting.
6.2

However, as a minimum GMSCB expects that Partner Organisations will adhere to the following:

  • Accept responsibility for safeguarding Protected Information once it has been securely communicated by GMSCB and ensure that it remains at all times on a secure network or in a secure environment;
  • Ensure employees handling Protected Information received from GMSCB have received appropriate data handling and information security training;
  • Ensure that Protected Information is securely communicated to GMSCB and is protectively marked;
  • Ensure that Protected Information is securely destroyed once it is no longer required, observing the principle that the primary record holder is the body responsible for meeting the relevant retention periods;
  • Notify GMSCB on a timely basis if Protected Information received from GMSCB is compromised; and likewise inform any other partners from whom the Protected Information may have originated;
  • Cooperate with GMSCB and any other affected partners, in determining the actions necessary to recover from and contain a security incident, including notification of the Information Commissioner or any other regulatory bodies.


Appendix 1: GMSCB Secure Data Handling Policy

Click here to view Appendix 1: GMSCB Secure Data Handling Policy


Appendix 2A: Security Classification

UNCLASSIFIED

Unclassified information is data which does not meet any of the criteria which would require the information to be categorised as protected or restricted.

PROTECT

The loss or compromise of information or material is likely to result in any of the following:

  • Cause substantial distress to individuals;
  • Breach proper undertakings to maintain the confidence of information provided by third parties;
  • Breach statutory restrictions on the disclosure of information;
  • Cause financial loss or loss of earnings;
  • Unfair advantage for individuals or companies;
  • Prejudice the investigation or facilitate the commission of crime; and/or
  • Disadvantage government in commercial or policy negotiations with others.

All information should be shared on a strict 'need to know' principle.

Material classified as PROTECT includes sensitive information (e.g. commercial or personal) that needs to be protected but does not have the higher level security dimension, and where the use of RESTRICTED would be excessive.

The PROTECT classification must be used for the transmission of personal sensitive data, particularly when several records are aggregated.

RESTRICTED

The highest level of security necessary for local government issues is RESTRICTED information.

RESTRICTED applies if unauthorised access would be likely to meet one or more of the following criteria:

  • Cause substantial distress to individuals;
  • Breach proper undertakings to maintain the confidence of information provided by third parties;
  • Undermine the proper management of the public sector and its operations;
  • Disadvantage government in commercial or policy negotiations with others;
  • Impede the effective development or operation of government policies;
  • Cause financial loss or loss of earnings potential to, or facilitate improper gain or advantage for, individuals or companies;
  • Prejudice the investigation or facilitate the commission of crime;
  • Adversely affect diplomatic relations (this is least likely to affect most Council staff in their day-to-day activities); and/or
  • Make it more difficult to maintain the operational effectiveness of security of UK or allied forces (this again is least likely to affect most Council staff in their day-to-day activities).


Appendix 2B: Handling Protected Documents

Clear desk policy

PROTECT and RESTRICTED:

Protectively marked information must not be left unattended during working hours.

Protectively marked documents must not be taken out of the office unless appropriate security measures are in place and the data owner has given permission, either through explicit permission or approved procedures.

Hard Copy Storage

PROTECT and RESTRICTED:

Can be stored in any lockable furniture.

Protectively marked documents should not be stored out of the office unless appropriate security measures are taken.

Electronic storage

Stored in directories which are only accessible to personnel authorised to read documents.

Portable devices

PROTECT and RESTRICTED:

Information on computer disk, CD, memory-stick or other electronic media must be marked with the security classification of the most highly classified data stored on the device and it must be encrypted.

Protectively marked information must be stored on the corporate network; not saved on personal electronic devices.

Email

PROTECT:

When sending sensitive personal data (especially in aggregate) or material marked "PROTECTED" by email over the public internet, this data must be encrypted to the standard of AES 256 bit encryption.

RESTRICTED:

Material classified as RESTRICTED must not be made available via a website, or sent over non-secure email.

RESTRICTED may only be sent using the GCSx secure email system and to an email address which is capable of receiving the email, without it passing over the public internet.

Telephone

PROTECT:

Information designated UNCLASSIFIED and PROTECT may be discussed / sent over non-secure telephone / fax lines.

RESTRICTED:

Information protectively marked RESTRICTED must not be:

  • Discussed over a non-secure telephone line or non-secure mobile phone;
  • Sent over a non-secure fax line; and/or
  • Sent to a pager.

Post / courier

PROTECT and RESTRICTED:

To send documents classified as PROTECT and RESTRICTED by post, envelopes must be addressed to an individual by name or job title and marked 'Addressee only'.

Do not include the classification on the envelope.

Consideration should also be given to using couriers and registered post.

Disposal

PROTECT and RESTRICTED:

All documents/records must be linked to an approved retention and disposal schedule.

Once the document/record has reached the end of its lifecycle it should be reviewed and if no longer needed destroyed using approved secure processes, see below.

If data needs to be retained for a further period, its established review cycle should be periodically reviewed.

Documents/records should be confidentially destroyed in a way that ensures the information cannot be put back together and read/used. An entry should be made of its existence, the date it was destroyed and by whom in a "destruction manual".

A confidential destruction certificate should be obtained and retained in a secure location.


Appendix 2C: Record Retention Criteria

Serious Case Review Documents

  • Retention period: 100 years
  • Commences: Date agreement given to commence review

Management Review Documents

  • Retention period: 100 years
  • Commences: Date agreement given to commence review

Multi Agency File Audit Documents

  • Retention period: 100 years
  • Commences: Date agreement given to commence review

GMSCB Board and Subgroup records and procedures; Child Protection Register; list of children subject of a Child Protection Plan; Adult or Child electronic or written records. Electronic records to be subject to review every 10 years.

  • Retention period: Permanent - review 70 years and offer to archive service
  • Commences: Date of meetings / start date of procedure


Appendix 3: Key Legislation

There are legal requirements surrounding information sharing that must be considered and complied with to ensure an individual's rights are respected. Organisations should put in place standards and procedures to ensure they do not breach these legal requirements.

The main pieces of legislation governing an individual's rights in respect of information sharing are:

  • The Data Protection Act 1998;
  • The Freedom of Information Act 2000;
  • The Human Rights Act 1998;
  • The Adoption Act 1976;
  • The Mental Health Act 1983;
  • The Service users Access to Records Act 1987 and Regulations 1989;
  • The Copyright Designs and Patents Act 1988;
  • The Children Act 1989;
  • The Children Act 2004;
  • The Computer Misuse Act 1990;
  • The NHS and Community Care Act 1990;
  • The Access to Health Records Act 1990;
  • The Carers (Recognition and Service) Act 1995;
  • The Crime and Disorder Act 1998;
  • The Health Act 1999 (section 31);
  • The Regulation of Investigatory Powers Act 2000;
  • The Health and Social Care Act 2001 (Section 60);
  • The Learning and Skills Act (2001);
  • The NHS confidentiality code of practice.

This appendix is provided as a general guide. More detailed guidance should be sought from designated officers such as the Data Protection Officer, Information governance leads, Caldicott guardian or legal advisers.

In alphabetical order:

Caldicott principles

The Caldicott Committee (which reported in 1997) carried out a review of the use of patient identifiable information. It recommended a series of principles that should be applied when considering whether confidential information should be shared. All NHS organisations and social services departments are now required to apply the Caldicott principles. These principles relate to the use of patient-identifiable information and are detailed below.

  1. Define Purposes

    Every proposed use or transfer of patient-identifiable information within or from an organisation should be clearly defined and scrutinised, with continuing uses regularly reviewed, by an appropriate guardian;
  2. Use anonymised information if possible

    Patient-identifiable information items should not be included unless it is essential for the specified purpose. The need for patients to be identified should be considered at each stage of satisfying the purpose;
  3. Use the minimum information necessary

    The minimum amount of identifiable information should be transferred or made accessible that is necessary for a given function to be carried out;
  4. Access to personal information on a need to know basis

    Only those individuals who need access to patient-identifiable information should have access to it, and they should only have access to the information items that they need to see. This may mean introducing access controls or splitting information flows where one information flow is used for several purposes;
  5. Staff must be aware of their responsibilities

    Action should be taken to ensure that those handling patient-identifiable information - both clinical and non-clinical staff - are made fully aware of their responsibilities and obligations to respect patient confidentiality;
  6. Use only when lawful

    Every use of patient-identifiable information must be lawful. All Health and Social Services organisations are required to nominate a senior person to act as a Caldicott Guardian responsible for safeguarding the confidentiality of patient information.

Common Law Duty of Confidentiality

The Common Law Duty of Confidentiality requires that unless there is a statutory requirement to use information that has been provided in confidence, it should only be used for purposes that the subject has been informed about and consented to. In certain circumstances, this also applies to the deceased. The duty is not absolute but should only be overridden if the holder of the information can justify disclosure as being in the public interest i.e. to protect others from harm.

Crime and Disorder Act 1998

The Act is concerned with measures to reduce crime and disorder and includes the introduction of local crime partnerships to formulate and implement strategies for reducing crime and disorder in each local authority area.

Section 115 of the Act provides that any person has the power to lawfully disclose information to the police, local authorities, Probation Provider or health authorities (where they would not otherwise have the power). Guidance from the Information Commissioner suggests that this power can be used to support anti-crime initiatives by these agencies generally and not just for the purposes of obtaining one or more of the various orders specified in the Act.

Under Section 17 each police authority and local authority is required to exercise its functions with due regard to the need to do all it reasonably can to prevent crime and disorder in its area.

Criminal Procedures and Investigations Act 1996

This Act requires the police to record in durable form any information that is relevant to an investigation. The information must be disclosed to the Crown Prosecution Service (CPS), who must in turn disclose it to the defence at the relevant time if it might undermine the prosecution case.

In cases where the information is deemed to be of a sensitive nature then the CPS can apply to a judge or magistrate for a ruling as to whether it should be disclosed.

Data Protection Act 1998

A few definitions may help in understanding the language of the Act:

  • Data processing: applies to anything at all done to personal data, including collection, use, disclosure (sharing), destruction and merely holding data;
  • Data controller: organisations processing personal data;
  • Data subject: the individual service user about whom personal data is held and used.

The key law that governs sharing of personal information is the Data Protection Act 1998 (the D.P Act).

The Data Protection Act provides eight guiding principles. They apply to information about a living person, where that person could be identified from that information. As such, they do not apply to anonymised information, but care needs to be taken with information covering small areas / groups, where individuals could still be identified.

The eight guiding principles of the Data Protection Act:

  1. Fair and lawful: Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless certain conditions are met. Also the processing must adhere to the fair processing code;
  2. Use for specified purposes: Personal data shall be obtained only for one or more specified purposes, and shall not be further processed in any manner incompatible with that purpose or purposes;
  3. Adequate, relevant and not excessive: Personal data shall be adequate, relevant and not excessive in relation to the purpose;
  4. Accurate and up to date: Personal data shall be accurate and, where necessary, kept up to date;
  5. Don't keep longer than necessary: Personal data processed for any purpose or purposes shall not be kept longer than is necessary for that purpose or those purposes;
  6. Rights given under the Act: Personal data shall be processed in accordance with the rights of the data subject under this Act;
  7. Security: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data;
  8. Disclosure outside Europe: Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection.

Schedule 2 and Schedule 3 conditions

  • Condition for processing personal data is that one condition in Schedule 2 should be met;
  • Condition for processing sensitive personal data is one condition in Schedule 2 and a condition in Schedule 3 should also be met.

Schedule 2: Personal data

The data subject has given consent, or the processing is necessary for:

  • A contract;
  • Legal obligation;
  • Protection of the vital interests of the data subject;
  • Public function;
  • In the public interest;
  • A statutory obligation;
  • Legitimate interests of the Data Controller.

Schedule 3: Sensitive personal data

The data subject has given explicit consent, or the processing is necessary for:

  • Employment related purposes;
  • The purpose of, or in connection with legal proceedings;
  • Protection of vital interests of the individual (where consent cannot be obtained);
  • Made public by the data subject;
  • Substantial public interest;
  • Prevention or detection of an unlawful act;
  • Legitimate interests of a non-profit making organisation;
  • Medical purposes.

Freedom of Information Act 2000

The Freedom of Information Act provides clear statutory rights for those requesting information together with a strong enforcement regime. Under the terms of the Act, any member of the public will be able to apply for access to information held by bodies across the public sector.

The legislation will apply to a wide range of public authorities, including Parliament, Government Departments and local authorities, health trusts, doctors' surgeries, publicly funded museums and thousands of other organisations.

The main features of the Act are:

  • A general right of access to information held by public authorities in the course of carrying out their public functions, subject to certain conditions and exemptions;
  • In most cases where information is exempted from disclosure there is a duty on public authorities to state where they believe the public interest in disclosure outweighs the public interest in maintaining the exemption in question;
  • An office of Information Commissioner and an Information Tribunal, with wide powers to enforce the rights created;
  • A duty imposed on public authorities to adopt a scheme for the publication of information. The schemes, which must be approved by the Commissioner, will specify the classes of information the authority intends to publish, the manner of publication and whether the information is available to the public free of charge or on payment of a fee.

Health and Social Care Act 2001 (Section 60)

Section 60 of the Act provides a power to ensure that patient-identifiable information needed to support essential NHS activity can be used without the consent of patients. The power can only be used to support medical purposes that are in the interests of patients or the wider public where consent is not a practical alternative and where anonymised information will not suffice. It is intended largely as a transitional measure whilst consent or anonymisation procedures are developed, which is reinforced by the need to review each use of the power annually.

The reason for this provision is mainly in relation to the carrying out of large-scale research projects which may involve tens of thousands of patients where contact would be impracticable.

The essential nature of such research is put forward as the justification for the "public good" outweighing issues relating to privacy and confidentiality. (Note that as of February 2002 the regulations which are needed to give effect to Section 60 have not yet been passed.)

Human Rights Act 1998

Article 8.1 of the Act provides that "everyone has the right to respect for his private and family life, his home and his correspondence." European case law shows that storing or using "private" information, or disclosing this information for a purpose other than the purpose for which it was originally obtained, will all constitute an interference with these rights. This is, however, a qualified right, i.e. there are specified grounds upon which it may be legitimate for authorities to infringe or limit those rights. Article 8.2 defines the grounds as follows:

  • In the interests of national security, public safety, or the economic well-being of the country;
  • For the prevention of disorder or crime;
  • For the protection of health or morals;
  • For the protection of the rights and freedoms of others.

In addition to identifying one of these grounds, a public body would also have to show "proportionality", i.e. that it had tried to strike a fair balance between the individual's rights and the permitted ground for interference it was seeking to rely on.

In the event of a claim that an organisation has acted in a way which is incompatible with the Act, the key factors that will be considered will include:

  • Whether the organisation can show that it has taken the rights under the Act into account in reaching its decision;
  • That it considered whether any breach may result, directly or indirectly, from its action;
  • If there was the possibility of a breach, whether the particular rights which might be breached were absolute rights or qualified rights;
  • Whether one of the permitted grounds for interference could be relied upon;
  • Whether there was proportionality.

The Act also requires public bodies to read and give effect to other legislation in a way which is compatible with these rights and makes it unlawful to act incompatibly with them.

As a result these rights still need to be considered, even where there are special statutory powers to share information.

Regulation of Investigatory Powers Act 2000

This legislation ensures that investigatory powers are used in accordance with human rights.

Statutory restrictions on passing on information

There are statutory restrictions on passing on certain types of information.

  • The NHS (Venereal Diseases) Regulations 1974 and NHS Trusts (Venereal Diseases) Regulations 1991 prevent the disclosure of any identifying information about a patient with a venereal disease other than to a medical practitioner under specified circumstances;
  • The Human Fertilisation and Embryology Act 1990 (as amended) limits the circumstances in which information may be disclosed by centres licensed under the Act;
  • The Abortion Regulations 1991 limit and define the circumstances in which information submitted under the Act may be disclosed.
If it seems likely that information to be shared falls into one of these categories further advice should be sought.


Appendix 4: Golden Rules of Data Protection

Seven golden rules for information sharing:

  1. Remember that the Data Protection Act is not a barrier to sharing information but provides a framework to ensure that personal information about living persons is shared appropriately;
  2. Be open and honest with the person (and/or their family where appropriate) from the outset about why, what, how and with whom information will, or could be shared, and seek their agreement, unless it is unsafe or inappropriate to do so;
  3. Seek advice if you are in any doubt, without disclosing the identity of the person where possible;
  4. Share with consent where appropriate and, where possible, respect the wishes of those who do not consent to share confidential information. You may still share information without consent if, in your judgment, that lack of consent can be overridden in the public interest. You will need to base your judgment on the facts of the case;
  5. Consider safety and well-being: Base your information sharing decisions on considerations of the safety and well-being of the person and others who may be affected by their actions;
  6. Necessary, proportionate, relevant, accurate, timely and secure: Ensure that the information you share is necessary for the purpose for which you are sharing it, is shared only with those people who need to have it, is accurate and up-to-date, is shared in a timely fashion, and is shared securely;
  7. Keep a record of your decision and the reasons for it - whether it is to share information or not. If you decide to share, then record what you have shared, with whom and for what purpose.
The 'Seven Golden Rules' will help support your decision making so you can be more confident that information is being shared legally and professionally.
