The UK government places a strong emphasis on the need to share information across organisational and professional boundaries, in order to ensure effective co-ordination and integration of services. The Caldicott Review ‘To share or not to share ’specified that “The duty to share information can be as important as the duty to protect patient confidentiality”. Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles. They should be supported by the policies of their employers, regulators and professional bodies.

The Government has also emphasised the importance of data. The Review of Data Security, Consent and Opt-Outs published by the National Data Guardian in 2016 introduced ten Data Security Standards. These form the basis for the Data Security and Protection Toolkit.

The EU General Data Protection Regulation (GDPR), and Data Protection Act 2018 (DPA 2018) which implements it in the UK, has strengthened the legislation, in particular requiring that organisations are accountable and able to demonstrate compliance. Please refer to the Information Commissioner’s web site and IGA GDPR guidance. References to data protection legislation in this policy include provisions of the GDPR and DPA2018.

It is important that EDMS Medical protects and safeguards person-identifiable information that it gathers, creates processes and discloses, to comply with the law, relevant mandatory requirements and provide assurance to patients and the public.

All employees working within EDMS Medical are bound by the common law duty of confidence and must comply with data protection legislation. Staff must handle personal information they may come into contact with during the course of their work in a lawful and compliant manner. This is not just a requirement of their contractual responsibilities but also a requirement within the common law duty of confidence and data protection legislation. It is important for staff to be aware that it is an offence under DPA2018 for a person knowingly or recklessly to obtain or disclose personal data.

This policy sets out the requirements placed on EDMS Medical staff when sharing personal information within EDMS Medical and between the NHS and other bodies.

The Information Commissioner’s Office (ICO) has issued a data sharing code of practice that must be adhered to when sharing personal data.

Information can relate to patients, staff (including temporary staff), members of the public, or any other identifiable individual, however stored. Information may be held on paper, CD/DVD, USB sticks, computer file or printout, laptops, palmtops, mobile phones, digital cameras or even heard by word of mouth.

Person-identifiable information is anything that contains the means to identify a person, e.g. name, address, postcode, date of birth, NHS number etc. This type of information must not be stored on removable or mobile media unless it is encrypted as per current government encryption guidance.

Confidential information within the EDMS Medical is commonly thought of as health information; however, it can also include information that is private and not public knowledge or information that an individual would not expect to be shared. It can take many forms including patient level health information, employee records, occupational health records etc.