Information Governance and Legislation Flashcards

(45 cards)

1
Q

What is information governance?

A

Rules to keep data safe (as long as they are interpreted appropriately).

2
Q

Why is information governance important?

A

To safeguard and use patient information appropriately, allowing patients to trust the NHS to hold their information. This encourages patients to disclose information truthfully, allowing clinical services to use this information for diagnosis and treatment.

3
Q

What are information asset owners (IAO)?

A

Individuals responsible for ensuring that information risk is managed appropriately.

4
Q

Describe the hierarchy of information risk management

A

An Information Asset Officer (IAO) supported by an Information Asset Administrator (IAA) reports to a Senior Information Risk Owner (SIRO) who reports to an Accounting Officer, normally the Chief Executive.

5
Q

What is the difference between a SIRO and a Caldicott Guardian?

A

A SIRO oversees an organisation’s information risk policy and management, whereas a Caldicott Guardian protects the confidentiality of health and care information by ensuring its proper use.

6
Q

What are the 6 key pieces of legislation surrounding information governance?

A

1) UK General Data Protection Regulation
2) Data Protection Act 2018
3) Computer Misuse Act 1990
4) Freedom of Information Act 2000
5) Health and Social Care Act 2012
6) Network and Information Systems Regulations 2018

7
Q

What is the difference between the articles and the recitals in GDPR?

A

Articles are legally binding (mandatory), whereas recitals are guidance on good practice and are open to interpretation.

8
Q

What do the Data Protection Act 2018 and UK GDPR focus on?

A

Protecting personal information about specific individuals.

9
Q

What does the Freedom of Information Act 2000 focus on?

A

General information about an organisation and specific information about what the organisation is doing.

10
Q

According to GDPR, what is personal data?

A

Information relating to natural persons who can be identified or who are identifiable either directly from the information in question or who can be indirectly identified from that information in combination with other information.

11
Q

According to GDPR, what is the data controller?

A

The entity that determines the purposes and means of processing data.

12
Q

According to GDPR, what is the data processor?

A

The entity that is responsible for processing data on behalf of a controller.

13
Q

According to GDPR article 5(1)(a), how must data be processed?

A

Lawfully, fairly, and in a transparent manner in relation to individuals.

14
Q

According to GDPR article 5(1)(a), what must you do when collecting an individual's data?

A

Tell the subject:
- Why you are collecting their data
- What you are going to do with it
- Who you will share it with

All subjects must be treated equally and their data must not be used to disadvantage them.

15
Q

According to GDPR article 6, what are the lawful bases for collecting and storing data?

A
  • Explicit consent (not as easy to withdraw in healthcare)
  • Performance of a contract
  • Compliance with legal obligation
  • Protecting the vital interest of the data subject or other natural person
  • Public interest or by official public authority
  • Legitimate interest, except where these conflict with the fundamental rights and freedoms of the data subject
16
Q

According to GDPR article 7, which special categories of personal data have additional processing restrictions?

A
  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Identification by genetic or biometric data
  • Health
  • Information about a person’s sex life
  • Sexual orientation
17
Q

Under what circumstances can special category personal data be collected?

A
  • If explicit consent is given
  • Obligation or right of the data controller
  • Vital interests (if consent isn’t possible)
  • Activities of a political, philosophical, religious, or trade union body
  • Data already made public by the data subject
  • Court/legal cases
  • Health or social care (alongside other lawful bases)
  • Public interest
18
Q

According to GDPR article 5(1)(b), data can be collected for _________, ______, and ________ purposes. This data ______ be further processed in a manner that is incompatible with those purposes.

A

Specified
Explicit
Legitimate
Cannot

19
Q

What does GDPR article 5(1)(c) say about what data can be collected for processing?

A

It should be adequate, relevant and limited to what is necessary for the intended processing. Data should only be collected and kept if it is required for the intended purpose.

20
Q

True or false: Data collected must be accurate, and every reasonable step must be taken to ensure that any inaccurate data is erased.

21
Q

How long can collected data remain identifiable?

A

For no longer than is necessary for the purposes for which the personal data is processed (unless the data is collected for archiving, research, or statistical purposes).

22
Q

How can organisations ensure that identifiable data isn’t kept for longer than necessary?

A

By using organisational data retention policies with appropriate disposal policies after this period.

23
Q

Why does personal data need to be protected by appropriate security measures?

A

To prevent unauthorised or unlawful access, accidental loss, destruction, or damage (a personal data breach).

24
Q

What are the 5 data protection responsibilities of an organisation?

A
  • Be able to demonstrate data protection is embedded throughout organisational processes
  • Complete a Data Protection Impact Assessment
  • Enhanced recording of activities
  • Appointment of Data Protection Officers (DPOs)
  • Adherence to codes of conduct, particularly ‘approved codes of conduct’

25
Q

What is a Data Protection Impact Assessment (DPIA)?

A

An assessment of the impact of the envisaged processing operations on the protection of personal data. It is required for any new data processing likely to result in high risk to individuals. A Data Protection Officer (DPO) should be consulted when producing a DPIA.

26
Q

What must a DPIA include?

A

- The nature, scope, and context of the data processing
- An assessment of necessity and proportionality
- Identification of risks, their likelihood, and potential severity
- Identification of additional measures to mitigate those risks

27
Q

What is right of access?

A

A fundamental right under GDPR that gives individuals the right to request and receive a copy of their personal data held by an organisation. It can be requested by any means, is generally provided for free, and a response is required within a month.

28
Q

What is data portability?

A

The right of an individual to receive their personal data in a structured, commonly used, and machine-readable format, and to have it transmitted to another controller. This allows individuals to move and reuse their data across different services.

29
Q

What is the right of erasure?

A

The right of an individual to request that their data is removed from the data controller's records, as long as the right conditions are met.

30
Q

What is a personal data breach?

A

A breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. If there isn't a risk to people's rights and freedoms then a data breach doesn't need to be reported to the ICO.

31
Q

Can personal data be transferred outside of the UK according to GDPR?

A

No, unless:
- There is explicit consent and information about the lack of adequate protections
- The transfer is necessary for the performance of a contract between the subject and controller
- The transfer is necessary for important reasons of public interest
- The transfer is necessary for legal claims
- The transfer is necessary to protect the vital interests of the data subject

32
Q

What are the 7 Caldicott Principles?

A

1) Confidential information should only be used for a justified purpose
2) It should only be used when absolutely necessary
3) Use the minimum data required
4) Access should be on a strict need-to-know basis
5) Everyone must understand their responsibilities
6) Understand and comply with the law
7) Duty to share information can be as important as duty to protect patient confidentiality

33
Q

How can NHS trusts abide by the Caldicott Principles?

A

By employing a Caldicott Guardian.

34
Q

What are the 3 specific offences of the Computer Misuse Act 1990?

A

1) Unauthorised access to computer material (hacking or cracking)
2) Unauthorised access with the intent to commit or facilitate the commission of a serious crime
3) Unauthorised modification of computer material, directly (e.g. manual modifications) or indirectly (e.g. viruses)

35
Q

What is the aim of the Freedom of Information Act 2000?

A

To drive transparency in the affairs of public authorities.

36
Q

What does the Freedom of Information Act cover?

A

- Giving persons access to information held by public authorities
- Publication schemes
- Basic rights of access & fees
- Complying with requests
- Exemptions (absolute & qualified)
- Offences

37
Q

What are the 4 FOI basic rights of access?

A

- A requester must be informed if the authority holds relevant information, and if there is no exemption, then the requester must provide access to it
- Requests for information must be in writing (can be by email) with your name, address, and a clear description of the information required
- If a request is turned down then the requester can refer to the Information Commissioner, who can serve an enforcement notice
- The public authority can charge a fee (that is limited and related to costs)

38
Q

How can public authorities comply with FOI?

A

- Make documents publicly available anyway
- Respond to requests within 20 days (taking into account payment of fees)
- Comply with the requester's preferred means of communication
- The authority doesn't need to reply if the same request has been recently addressed and published
- Authorities only need to answer specific information about the data actually recorded; they don't need to perform analysis of the data, generate new data, or give opinions on the data

39
Q

What is the difference between absolute and qualified exemptions to FOI?

A

Absolute: no value judgement is required; the request can simply be refused.
Qualified: the authority needs to balance the public interest in disclosure against the public interest in withholding.

40
Q

What are the absolute exemptions to FOI?

A

- Personal information
- Information accessible by other means
- If the authority is dealing with a security matter
- Court records

41
Q

What are the qualified exemptions to FOI?

A

- If information will be revealed at a reasonable future date
- If in relation to an offence
- Royal family communications
- Trade secrets and commercial interests

42
Q

If a requester disagrees with qualified exemptions, they can apply to the ________ ________.

A

Information Commissioner

43
Q

Certain FOI restrictions are removed after __ _____.

A

30 years

44
Q

What is considered an offence under FOI?

A

It is an offence to alter, deface, block, erase, destroy, or conceal any record with the intention of preventing disclosure. This applies to both the authority and its employees.

45
Q

What are the 7+1 principles of processing personal data?

A

GDPR 5(1):
1) Lawfulness, fairness, and transparency
2) Purpose limitation
3) Data minimisation
4) Accuracy
5) Storage limitation
6) Integrity and confidentiality
7) Protected by appropriate security

GDPR 5(2):
1) Accountability