Information Governance and Legislation Flashcards

(33 cards)

1
Q

How is personal data defined by GDPR?

A

Information relating to natural persons who can be identified or who are identifiable, directly from the information in question; or who can be indirectly identified from that information in combination with other information.

2
Q

How is data controller defined by GDPR?

A

Individual or organisation who determines the purposes and means of processing data.

3
Q

How is data processor defined by GDPR?

A

Responsible for processing data on behalf of a controller

4
Q

What are the (7+1) principles of processing personal data under GDPR?

A
  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality
  7. Protected by appropriate security
  8. Accountability
5
Q

Explain lawfulness, fairness and transparency under GDPR.

A

Tell the subject why you are collecting their data, what you are going to do with it and who you will share it with.
All subjects must be treated equally and their data must not be used to disadvantage them.
The subject must fully understand.

6
Q

Explain purpose limitation under GDPR.

A

Only use the data for the purposes for which it was obtained.
Each purpose must be specific to comply with lawfulness, fairness and transparency.

7
Q

Explain data minimisation under GDPR.

A

Only collect and keep the data you require.
Only keep the data you can now argue the reason for.
Don’t collect and keep data just in case.

8
Q

Explain accuracy under GDPR.

A

Input checks for accuracy.
Automatic verification checks.
Check with the subject it is up to date.
Don’t create duplicates.
Synchronise changes between systems.

9
Q

Explain storage limitation under GDPR.

A

Don’t keep for longer than necessary.
Follow retention guidelines (NHS Code of Practice and local policy).
Review what you are holding.
Dispose of information correctly.

10
Q

What are pieces of legislation governing the use of data in the NHS?

A

General Data Protection Regulation 2016
(European Union Withdrawal Act 2018)
Data Protection Act 2018

Computer Misuse Act 1990
Freedom of Information Act 2000
Health and Social Care Act 2012
Network and Information Systems Regulations 2018 (NIS)

11
Q

What is information governance?

A

Rules to keep data safe, but the rules must be interpreted appropriately

12
Q

Why is information governance important?

A

Patients may lose trust if data is not safeguarded; if trust is lost, patients may withhold part or all of their information. A clinical service needs information to diagnose and treat, and research needs information to push the boundaries of understanding about healthcare.

13
Q

How is GDPR composed?

A

Articles - legally binding and mandatory
Recitals - guidance/good practice and open to interpretation

14
Q

What is the difference between FOIA and GDPR/DPA?

A

Both are administered by the Information Commissioner's Office (ICO)

GDPR/DPA2018 - Personal information about a specific individual

FOIA2000 - General information about an organisation or specific information about what the organisation is doing

15
Q

What are the GDPR lawful bases?

A
  • Explicit consent
  • Performance of a contract
  • Compliance with legal obligation
  • Protect vital interests of the data subject or other natural person
  • Public interest or by official public authority
  • Legitimate interests, except where these conflict with the fundamental rights and freedoms of the data subject, in particular children
16
Q

What are the prohibited categories of processing personal data under GDPR?

A
  1. Racial or ethnic origin
  2. Political opinions
  3. Religious or philosophical beliefs
  4. Trade union membership
  5. Identification by genetic or biometric data
  6. Health
  7. Information about a person’s sex life
  8. Sexual orientation
17
Q

What are the special category permissions under GDPR?

A
  1. Explicit consent given
  2. Obligation or right of the data controller
  3. Vital interests, if consent not possible
  4. Activities of a political, philosophical, religious or trade union body
  5. Data already made public by data subject
  6. Court/legal cases
  7. Health or social care
  8. Public interest
18
Q

Explain integrity and confidentiality under GDPR.

A

Confidentiality
Integrity
Availability

19
Q

How do you demonstrate data protection is embedded within organisational processes?

A

DPIA
Enhanced recording of activities
Appointment of DPOs
Adherence to codes of conduct

20
Q

What is a DPIA?

A

Data Protection Impact Assessment
- Required for any new processing that is likely to result in a high risk to individuals but it is good practice to do anyway
- Consult with DPOs and topic experts

21
Q

What should a DPIA include?

A
  • Nature, scope and context of processing
  • Assessment of necessity and proportionality
  • Identification of risks
  • Identification of additional measures to mitigate
22
Q

What are some key points of GDPR?

A
  • Right of access
  • Data portability
  • Right of erasure
23
Q

What are the 8 Caldicott Principles?

A
  1. Justify purpose
  2. Only use when necessary
  3. Use minimum that is required
  4. Access on strict need to know
  5. Everyone must understand their responsibilities
  6. Understand and comply with the law
  7. Duty to share information
  8. Regularly review and improve practice
24
Q

What are the three specific offences of the Computer Misuse Act 1990?

A
  1. Unauthorised access to computer material
  2. Unauthorised access with the intent to commit or facilitate a crime
  3. Unauthorised modification of computer material
24
Q

What is the Freedom of Information Act 2000?

A

Drives transparency in the affairs of public authorities through giving persons access to information and applies to publicly owned companies
25
Q

What are the FOI Basic Rights of Access?

A
  1. Requestors must be informed if the authority holds the information and, if there is no exemption, access must be provided
  2. Requests must be in writing with your name, address and a clear description of the information (can be by email)
  3. You can refer to the Information Commissioner if your request is rejected
  4. Can charge a fee
26
Q

How can you comply with FOI?

A
  1. Make documents available anyway
  2. Respond within 20 days
  3. Communicate by the requestor's preferred means
  4. Authority doesn't need to reply if a recent same request was addressed and publicised
  5. Only need to answer the specific question
27
Q

What are the FOI exemptions?

A

Absolute
  1. Personal information
  2. Accessible by other means
  3. Authority is dealing with a security matter
  4. Court records

Qualified - balance public interest in disclosure with withholding
  1. Will be revealed at a reasonable future date
  2. In relation to an offence
  3. Royal family communications
  4. Trade secrets and commercial interests
28
Q

What are the offences under the FOI Act?

A

It is an offence to: alter, deface, block, erase, destroy or conceal any record with the intention of preventing disclosure
29
Q

What is a SIRO?

A

Senior Information Risk Owner - board level (COO)
Owns the organisation's information risk policy; ensures information risk is properly identified and managed.
30
Q

What is a Caldicott Guardian? And who might fulfil the role?

A

Ensures patient-identifiable information is shared appropriately and ethically, in line with the Caldicott Principles.
Senior clinician (Medical Director)
31
Q

What is a DPO?

A

Data Protection Officer - Ensures compliance with data protection law, especially GDPR; advises on DPIAs (Data Protection Impact Assessments).
32
Q

What is an IAO? And who might fulfil the role?

A

Information Asset Owner
Responsibilities: accountable for a specific set of information assets; ensures local compliance, risk assessments, and staff training.
Departmental managers, such as the Radiotherapy Service Manager responsible for patient imaging data.