Understanding Confidentiality and Security
Objectives • To foster an awareness of the importance of Confidentiality and Security • To understand the main threats and countermeasures • To raise awareness of the relevant legislation, in particular the Data Protection Act 1998 • To be able to secure automated and manual data
Content • Introduction • Some recent surveys • What can go wrong? • Legal frameworks • Practical guidance • Case Study • Summary and Conclusion
Patient/Client Attitudes to Confidentiality • Survey by NHS and Consumer Association in 2002 findings: • General happiness to share info with doctors being trusted most; • 25% wished to exclude sensitive information from routine sharing; • Over 33% wanted to be consulted every time their details were shared; • Under 50% felt reassured that confidentiality would be protected by NHS policies; • Nearly 25% didn’t know what NHS did with patient information. • Non-English speakers were happiest to share total record.
Who cares about data protection? • Information Commissioner survey 2003 identified 5 groups: • The concerned (40%): very worried • The proactive (13%): not worried • The self-reliant (10%): unconcerned • The social observers (17%): extremely worried • The naïve (19%): unconcerned
BMA Survey: June 2005 • 75% of patients would not mind their health information being held on a central database • 75% had concerns about the security of information • 81% were worried about accessibility by people other than the healthcare professionals providing their care • 93% said the public should be fully consulted about the proposals before they are finalised
Information Commissioner survey November 2005 • 4 out of 5 concerned about their Health and Safety if data falls into wrong hands • 52% concerned personal details may be passed to others. • 80% expressed concerns about the use, transfer and security of personal information. • 50% thought that bodies collecting personal information handled the data fairly or properly. • IC stated that “No doubt they are increasingly aware of the dangers of identity theft and the serious consequences if their health, financial and other personal records fall into the wrong hands or are otherwise misused.”
What do we mean by Data Protection? Covers: • Confidentiality • Integrity • Availability • Covers the use and management of data through organised systems of all forms, whether based on human endeavours, paper methods or information technology.
What do we hold? • Information about you • Information about patients/clients • Information about the Trust
Reflective Exercise 1 • What do we use personal information for?
What do we use personal information for? • Personal care and treatment • Assuring and improving the quality of care and treatment (e.g., through clinical audit); • Monitoring and protecting public health; • Coordinating HPSS care with that of other agencies (e.g., voluntary and independent services); • Effective health and social care administration • Teaching/research • Statistical analysis
What can go wrong? • Incorrect input • Theft • Wilful damage • Unauthorised access • External • Internal • Software • Virus • Cyber crime
Security Breaches: examples • A set of patients' medical records left in a skip by a retiring doctor (real example!) • A security guard reading personal data left on an employee’s desk overnight. • A copy of a child at risk register found on a second-hand computer (real example) • An employee using the PC of another employee (who logged in and left the PC unattended) to process data without authorisation • A patient at a GP surgery viewing the personal data of a previous patient on a PC screen.
Security Breaches: examples (2) • A patient in a waiting room at a doctor’s surgery overhearing information about another patient’s ailments. • An employee using data to which they have authorised access for unauthorised purposes, e.g. a police officer using the police national computer to check out a daughter’s boyfriend (real example). • A passenger on a train was sitting next to someone who was reading a solicitor’s brief about a person who had been charged with murder; that person happened to be a relative of the passenger.
The Impact of the Threats • Personal privacy • Personal health and safety • Financial • Commercial confidentiality • Legal damages and penalties • Disruption • Political embarrassment
Ethical Considerations • Promote patient/client well-being • Avoid detrimental acts/omissions • Open and co-operative manner • Recognise patient/client dignity • No abuse of position • Protect confidential information
The Computer Misuse Act 1990 Introduced three offences • Unauthorised access to computers • Unauthorised access with intent • Unauthorised modification
Case Study: Computer Misuse Act. A man was convicted in London (6/10/05) of hacking into a charity website, set up after the Indian Ocean tsunami disaster, in breach of the Computer Misuse Act. The man, a computer consultant, was given a £400 fine and ordered to pay £600 in costs. He fell foul of section one of the Computer Misuse Act, the UK’s main cybercrime legislation, on New Year’s Eve last year. He clicked on a banner ad to donate £30 to the Disaster Emergency Committee (DEC) appeal. However, when he did not get a confirmation or thank you in response to his donation, he feared that he had fallen for a phishing site, and decided to test the site to make sure. Unfortunately, in doing so he set off the DEC protection systems, and the police were called in. The Judge found the accused guilty with “some considerable regret”, but the wording of the Act made it clear that the security consultant was guilty. "Unauthorised access, however praiseworthy the motives, is an offence," said the judge.
Data Protection Act 1998: Main Provisions • Covers all HPSS records including electronic records • Defines ‘processing’ as obtaining, holding and disclosing data • Permits subject access to all records • Imposes considerable penalties
Data Protection ’98 The Principles • Personal data shall be processed fairly and lawfully • Personal data shall be obtained only for one or more specified and lawful purposes • Personal data shall be adequate, necessary and not excessive in relation to the purpose for which it was provided
Data Protection ’98 The Principles continued... • Personal data shall be accurate and up to date • Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for those purposes • Personal data shall be processed in accordance with the rights of the subject under the Act
Data Protection ’98 The Principles continued... • Technical & organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or damage to personal data • Personal data shall not be transferred to a country outside the European Economic Area.
Case Study 1: Data Protection An employee of the Child Support Agency, having read what he believed to be an inaccurate press article derogatory of the CSA and concerning a CSA client known to him, decided to set the record straight by faxing the true story to the newspaper concerned. Whilst the fax was sent anonymously, an investigation identified him as the author. He was dismissed from his employment and convicted of unlawful disclosure of personal data.
Case Study 2: Data Protection The complainant who was employed by a hospital was summoned to the office of his Personnel Manager to discuss his sickness record. The Personnel Manager had accessed the hospital’s clinical computer information system in order to challenge certain aspects of the employee’s account of events. As a result of this complaint the hospital revised its security arrangements and the Personnel Manager incurred disciplinary action as a result of the inappropriate use of confidential clinical information for non-medical purposes.
Case Study 3: Data Protection The complainant visited his local hospital for a course of physiotherapy. Some months after the therapy was complete the complainant received a letter from the physiotherapist who had since set up her own business. The physiotherapist had used the complainant’s information that had originally been given in confidence to the hospitals for the earlier treatment.
Personal Data • Data which relates to a living individual who can be identified from those data and is: • processed or intended to be processed automatically, or • recorded as part of a relevant filing system, or part of an accessible record.
Scope of Data Protection Legislation • Automated Data • Relevant filing systems (Manual data) • Accessible Records
Automated Data • On computer • Document image processing • Audio/Video • Digitized images • CCTV images
Relevant Filing System • Non-automated systems structured by reference to individuals • Standard manual files • Impact of Durant case • Organised to allow ready access to specific information about individuals
Accessible Records • Covers all Health and Social Care records • Structured to allow access to individuals
Storage • Diaries • Computers • message books • appointments register • disks • address books • Complaints register
Legitimacy of Processing (1998) • Principle 1: “Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless: • (a) at least one of the conditions in Schedule 2 is met, and • (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is met”
Schedule 2 conditions (1998) • Data Subject has given consent • Performance of a contract. • Compliance with legal obligation. • Protection of subject’s vital interest. • Crown/public functions • Legitimate interests of controller or third party.
Sensitive Data • Racial or ethnic origin • political opinion • religious beliefs (or similar beliefs) • membership of trade union • physical or mental health or condition • sexual life • any offence or alleged offence • any proceedings or sentence
Sensitive Data - Schedule 3 • Data subject has given explicit consent • Performance of legal duty in relation to employment • Protection of subject’s or third party’s vital interests • Legitimate activities of some non-profit organisations • The information has been made public deliberately by the data subject • In connection with legal proceedings • Administration of justice, statutory obligations or crown/public functions • Medical purposes • For equal opportunities monitoring • By order of the Secretary of State
Subject Access Requests • Right of access to personal data in computer or manual form • Entitled to: • Be informed whether personal data is processed • A description of the data held, the purposes for which it is processed and to whom the data may be disclosed; • A copy of the data; and • Information as to the source of the data • There are limited exemptions
Subject Access Requests cont’d • Responding: • Request should be in writing to the Data Protection Coordinator, • Data should never be read over the phone, faxed or emailed to the data subject, • Must be given within 40 days.
Securing automated data Key areas: • Faxing • Avoid the use of fax for sending personal data - if there is no alternative use secure protocols; • Passwords • Good password management will help protect personal data and staff
Securing automated data (2) • Email • Personal data should not be transmitted by email • Data can be accessed by data subjects • Email can be insecure • Survey of 800 UK companies revealed that 22% of directors had reprimanded staff for gossiping using email and 85% considered email to be facilitating scandalous material around the office. • Portables/laptops • Do not leave unattended; when leaving, ensure that it is locked away; be aware of others being able to see your computer screen • PDAs and memory sticks must not contain personal information
Securing manual data • Do not allow sensitive conversations to be overheard • Guard against people seeking information by deception • Message books • Accessible to staff only; sensitive data should not be recorded in message books • Lock filing cabinets
Securing manual data (2) • Diaries • Patient/client data held in diaries should be given the same security as any other record • Telephone conversations • Staff should be careful about those within earshot when discussing sensitive information; check the authenticity of any caller before divulging any information