Privacy Policy


  1. Introduction
  2. Statement/Objective
  3. Roles & Responsibilities
  4. New Legislation: Summary of key changes
  5. Training
  6. Monitoring, Auditing, Reviewing & Evaluation
  7. Distribution
  8. Data Protection
  9. Appendices


  1. Introduction
    1. Torbay and South Devon NHS Foundation Trust (TSDFT) is required to ensure that all reasonable and appropriate measures are taken to ensure the security, privacy and confidentiality of the Personal Identifiable Data (PID) that is held about patients, staff and service users. This requirement is mandated in law and by the Department of Health within a number of Acts and Guidance documents (See Appendix One).
    2. All legislation relevant to an individual’s right of confidence and the ways in which that can be achieved and maintained are paramount to the Trust. This relates to roles that are reliant on computer systems or manual records such as: patient/client administration/payment, purchasing, invoicing, care/treatment planning and the use of manual records relating to individuals whose information may be held within the Trust.
    3. Under UK data protection legislation, the Information Commissioner (ICO) may, in certain circumstances, serve a monetary penalty notice on an organisation up to the maximum of €20,000,000 (£17 million) or up to 4% of annual turnover for breach of the legislation. This can be combined with an undertaking which may involve the changing of processes and procedures at the Trust as appropriate.
    4. This policy outlines how the Trust will meet its legal obligations under current law to hold, obtain, record, use, and store all personal identifiable data in a secure and confidential manner. It is the policy of the Trust that all processing of personal data by, or on behalf of, the Trust will be in accordance with the six principles of good practice put in place by the legislation.
    5. Finally, the Trust will take reasonable measures to obtain informed consent wherever possible for the sharing of information. The organisation recognises that for consent to be valid, the data subject must be informed of the purpose for which the information is being collected, how it will be used and with whom it will be shared.
  2. Statement/Objective
    1. This Policy sets out the expectation of how the Trust and its staff will ensure compliance with the relevant Acts, including the specific roles and responsibilities, training, monitoring and audit. Specifically, this Policy will support the Six Principles of current UK data protection legislation as well as the Caldicott Principles, which are:
    2. Data Protection Act (2018) Principles
      1. Processed fairly, lawfully and in a transparent manner.
      2. Collected for specified, explicit, and legitimate purposes and not further processed for other purposes, incompatibly with the original purpose
      3. Adequate, relevant and limited to what is necessary in relation to the purposes.
      4. Accurate and kept up to date.
      5. Kept in a form that permits identification no longer than is necessary.
      6. Processed in a way that ensures appropriate security of that personal data.
    3. Caldicott Principles
      1. Justify the purpose(s) for using confidential information
      2. Don’t use personal confidential data unless it is absolutely necessary
      3. Use the minimum necessary personal confidential data
      4. Access to personal confidential data should be on a strict need-to-know basis
      5. Everyone with access to personal confidential data should be aware of their responsibilities
      6. Comply with the law
      7. The duty to share information can be as important as the duty to protect patient confidentiality
  3. New Legislation: Summary of key changes
    • New Data Subject Rights
      • The Trust will only be able to charge for requests in exceptional circumstances
      • New right to object to the processing of data for risk stratification or case finding if this amounts to profiling
      • New right of data portability and enhanced rights of erasure
    • Accountability
      • The Trust will need to demonstrate compliance and can be fined even if no harm has occurred.
      • New systems must be designed in accordance with privacy by design and privacy by default
    • Conditions for processing
      • Schedule 3 medical purposes is expanded to include Social Care
      • New Schedule 3 condition for public health, quality and safety of health care and quality and safety of drugs and medical devices.
    • Breach Notifications
      • New duty to inform subjects of high risk breaches
      • Duty to notify the ICO within 72 hours of breaches unless they are unlikely to result in a risk to the rights and freedoms of people
      • Duty to report to the ICO even if only small numbers of service users affected.
    • Fair Processing Notices
      • Additional information will need to be included in privacy notices including data retention periods, source of data and data processing conditions relied on
      • Privacy notices should be able to be understood by children whose data is processed.
  4. Roles & Responsibilities
    1. The Chief Executive has the ultimate responsibility for compliance with all relevant Acts and Guidance within the Trust. They have delegated the responsibility for bringing Data Protection issues to the Board to the Caldicott Guardian.
    2. The Caldicott Guardian plays a key role in ensuring that the Trust and its partner organisations satisfy the highest practical standards to handling personal information. Acting as the “conscience” of the Trust, the Caldicott Guardian will actively support work to facilitate and enable information sharing, advising on options for lawful and ethical processing of information as required.
    3. The Data Protection Officer (DPO) is responsible for the following:
      • Ensuring that TSDFT complies with all relevant Acts and Guidance in relation to Data Protection and Access.
      • Promoting Data Protection awareness throughout the Trust by providing written procedures/guidance that are widely disseminated and available to staff.
      • Co-ordinating the work of other staff with data protection responsibilities
      • Ensuring patients and service users are provided with information on their rights under data protection legislation and how the information we collect is held, used, shared and stored.
      • Monitoring compliance with the Act and the effectiveness of procedures through the use of compliance checks/audits and ensuring appropriate action is taken where non-compliance is identified.
      • Assisting with investigations into breaches of confidentiality or data loss of personal and sensitive information
      • Co-ordinating, investigating and reporting incidents involving the breaching of person confidential data
      • Maintaining the Registration with the Information Commissioner for data handling activities
      • Implementing and maintaining a process for handling Subject Access Requests, including from patients, service users, and third parties, Solicitors, Courts and Police.
    4. Managers will ensure that all staff, including contractors, bank, voluntary and other agency staff:
      • are aware of and comply with the Data Protection & Access Policy, its associated procedures/guidelines and any updates,
      • attend all mandatory and appropriate training,
      • have appropriate access to systems which contain personal and sensitive data,
      • know how to respond to subject access requests,
      • know how to access and store personal identifiable information, both manual and electronic records
    5. All Staff need to be aware that confidentiality and security of information includes all information relating to the Health and Social Care Community, its patients, service users, carers and employees. Such information may relate to staff or patient/client records, telephone enquiries about individuals, electronic databases or methods of communication containing personal identifiable information, including mobile devices.
      Staff will be expected to:

      • read and comply with the Confidentiality: Staff Code of Practice which forms part of their contract of employment;
      • adhere to this Policy and any associated procedures/guidelines;
      • attend all mandatory training and awareness programs;
      • ensure that all personal identifiable information is accurate, relevant, up-to-date and used appropriately on both electronic and manual records and devices;
      • share information on a ‘need to know’ basis only (see checklist in Appendix 2);
      • ensure that all personal identifiable information is kept safe and secure at all times and in line with the Trust’s Retention & Disposal Schedule;
      • be aware that personal and sensitive information should not be published on the Trust’s website.
      • It must be stressed that you must not take personal identifiable and/or sensitive data home with you or keep it at home, particularly on your home computer, unless authorised to do so or when using home-accessible environments specifically designed to offer the necessary protections (e.g. NHSmail, Accellion, BoardPacks, Bring Your Own Device (BYOD)). Home computers can be easily compromised, putting all the information at risk.
      • If as an employee you are found to have made an unauthorised disclosure you may face disciplinary action, which could lead to your dismissal and legal action being taken against you.
  5. Training
    1. To support the implementation of this Policy and the adherence to the relevant Acts and Guidance, ALL STAFF will complete the mandatory Information Governance Training module on an annual basis. Additionally, for specific staff groups, more in-depth training is required via the Information Governance Training Tool and local modules. This information can be found within the IG Training Implementation Plan.
  6. Monitoring, Auditing, Reviewing & Evaluation
    1. The sharing of personal confidential data will be monitored through the Information Sharing processes at the Trust, including adherence to the Information Sharing Agreements in place.
    2. This Policy and its associated procedures/guidelines will be monitored by the Data Access & Disclosure Office.
    3. Data Protection issues and updates will be reported as a matter of routine to the Information Governance Steering Group and, where appropriate, to the Board.
    4. Internal Audit will review this policy and its implementation as part of their annual Audit Plan. The DPO may also ask them to assist with specific areas of assurance.
    5. The Trust will implement the use of the complaints procedure to deal with complaints in connection with current data protection legislation. If the complainant is dissatisfied with the conduct of the Trust, then they can be referred to the Information Commissioner.
    6. This Policy and associated procedures will be reviewed annually or earlier if appropriate, to take into account any changes to legislation that may occur, and/or guidance from the Department of Health, the NHS Executive and/or the Information Commissioner or following recommendations from internal and/or external audit reports.
  7. Distribution
    1. Staff will be advised of this Policy and associated procedures/guidance through the relevant communications, including bulletins and meetings. The Policy will be widely available to all staff and volunteers via their line manager, ICON and the Trust website.
  8. Data Protection
    1. Torbay and South Devon NHS Foundation Trust (TSDFT) has a commitment to ensure that all policies and procedures developed act in accordance with all relevant data protection regulations and guidance. This policy has been designed with data protection legislation in mind and therefore provides the reader with assurance of effective information governance practice.

      The UK data protection regime has 6 principles that must be followed, which require that personal data shall be:

      1. Processed fairly, lawfully and in a transparent manner.
      2. Collected for specified, explicit, and legitimate purposes and not further processed for other purposes, incompatibly with the original purpose.
      3. Adequate, relevant and limited to what is necessary in relation to the purposes.
      4. Accurate and kept up to date.
      5. Kept in a form that permits identification no longer than is necessary.
      6. Processed in a way that ensures appropriate security of that personal data.

      Have all of the data protection principles been considered in the development or update of this policy? Yes [X]   No [ ]

      For more information:

  9. Appendices

Appendix One: Legislation and Guidance

Data Protection Act (1998)
Data Protection Act (2018)
Access to Health Records (1990)
Human Rights Act (1998)
Freedom of Information Act (2000)
Environmental Information Regulations (2004)
Regulation of Investigatory Powers Act (2000)
Crime and Disorder Act (1998)
Mental Capacity Act (2005)
Police and Criminal Evidence Act (1984)
Health and Social Care Act (2012) (2015)
General Data Protection Regulation (GDPR)

Confidentiality NHS Code of Practice
Caldicott Guardian Manual
Information Security Management NHS Code of Practice
IGA Records Management Code of Practice for Health and Social Care
Records Information Governance: To share or not to share
General Data Protection Regulations

Appendix Two – Definitions

Category A
Person Confidential Data (column (a)) which can be combined with other, already available, information to identify an individual’s sensitive personal data (column (b)) OR
Sensitive Personal Data (column (b))

Column A: Person Confidential Data (Individual Identifiable)
A non-sensitive identifier, the disclosure of which is unlikely to cause damage or distress to an individual or third party (exemptions apply).
Defined in the Data Protection Act as:
Data relating to a living individual who can be identified:
  • from those data (e.g. an employee’s name), or
  • from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller (e.g. an employee’s payroll number)

For NHS common law duty of confidence purposes, Individual Identifiers / Person Confidential Data also applies to deceased patients.
This information includes single items such as:
  • Address (home or business)
  • Email address
  • Date of birth
  • Payroll number
  • Driving Licence [shows date of birth and first part of surname]

Column B: Sensitive Personal Data (Individual Identifiable)
Information, the disclosure of which is likely to cause damage or distress to an individual or third party e.g.:
Defined by the Data Protection Act as:
Personal Data consisting of information as to:
  • Racial / ethnic origin
  • Political opinions
  • Religious beliefs
  • Trade union membership
  • Physical or mental health
  • Sexual life
  • Criminal offences

…for Information mapping purposes will include information which may lead to damage or distress (e.g. breach of privacy, financial loss) such as:
  • Biometrics; DNA Profile, Fingerprints
  • Bank, Financial Or Credit Card Details
  • Mother’s Maiden Name
  • National Insurance Number
  • Tax, Benefit Or Pension Records
  • Health, Adoption, Employment, School, Social Services, Housing Records
  • Child Protection

Category B
Personal Data (not in the public domain) of 51* or more individuals, the disclosure of which is unlikely to cause an individual damage or distress but would harm public confidence

Column A: A database, electronic folder, disk, or paper records of patients’ names and addresses.
Column B: Not Applicable

Processing includes everything done with that information, i.e. holding, obtaining, recording, using, disclosure and sharing. ‘Using’ includes disposal, i.e. closure of the record, transfer to an archive or destruction of a record.

Data Controller is the person who determines the purposes for which and the manner in which any personal data are, or are to be, processed. It is the duty of the Data Controller to comply with the Data Protection principles in relation to all personal data with respect to which he/she is the Data Controller. This is usually the Chief Executive of an NHS organisation but can be delegated. The delegated responsibilities of the Data Controller are outlined in Sections 4 and 5.

Data Processor in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

Data Subject is an individual person who is the subject of any relevant personal data.

Third Party in relation to personal data means any person other than the data subject, the data controller or any data processors or other person authorised to process data for the data controller or processor.

Information Asset is any collection of personal information that can be processed by automated means. This could be an electronic system like ESR or PARIS, an Access database or an Excel spreadsheet. An information asset should be registered on the Trust’s Information Asset Register, which is held by the Information Asset Support Team Manager.