Understanding Confidentiality and Security

1
Understanding Confidentiality and Security
2
Objectives

• To foster an awareness of the importance of
  Confidentiality and Security
• To understand the main threats and counter
  measures
• To raise awareness of the relevant legislation in
  particular the Data Protection Act 1998
• To be able to secure automated and manual data

3
Content

• Introduction
• Some recent surveys
• What can go wrong?
• Legal frameworks
• Practical guidance
• Case Study
• Summary and Conclusion

4
Recent surveys on attitudes to Confidentiality
and Security
5
Patient/Client Attitudes to Confidentiality

• Survey by NHS and Consumer Association in 2002
  findings
• General happiness to share info with doctors
  being trusted most
• 25 wished to exclude sensitive information from
  routine sharing
• Over 33 wanted to be consulted every time their
  details were shared
• Under 50 felt reassured that confidentiality
  would be protected by NHS policies
• Nearly 25 didnt know what NHS did with patient
  information.
• Non-English speakers were happiest to share total
  record.

6
Who cares about data protection?

• Information Commissioner survey 2003 identified 5
  groups
• The concerned (40) very worried ?
• The proactive (13) not worried ?
• The self-reliant (10) unconcerned ?
• The social observers (17) Extremely worried ?
• The naïve (19) unconcerned ?

7
BMA Survey June 2005

• 75 of patients would not mind their health
  information being held on a central database
• 75 had concerns about the security of
  information
• 81 were worried about accessibility by people
  other than the healthcare professionals providing
  their care
• 93 said the public should be fully consulted
  about the proposals before they are finalised

8
Information Commissioner survey November 2005

• 4 out of 5 concerned about their Health and
  Safety if data falls into wrong hands
• 52 concerned personal details may be passed to
  others.
• 80 expressed concerns about the use, transfer
  and security of personal information.
• 50 thought that bodies collecting personal
  information handled the data fairly or properly.
• IC stated that No doubt they are increasingly
  aware of the dangers of identity theft and the
  serious consequences if their health, financial
  and other personal records fall into the wrong
  hands or are otherwise misused.

9
News items on Confidentiality and Security
10
(No Transcript)
11
(No Transcript)
12
What do we mean by Data Protection?

• Covers
• Confidentiality
• Integrity
• Availability
• Covers the use and management of data through
  organised systems of all forms, whether based on
  human endeavours, paper methods or information
  technology.

13
What do we hold?

• Information about you
• Information about patients/clients
• Information about the Trust

14
Reflective Exercise 1

• What do we use personal information for?

15
What do use personal information for?

• Personal care and treatment
• Assuring and improving the quality of care and
  treatment (e.g., through clinical audit)
• Monitoring and protecting public health
• Coordinating HPSS care with that of other
  agencies (e.g., voluntary and independent
  services)
• Effective health and social care administration
• Teaching/research
• Statistical analysis

16
What can go wrong?
17
What can go wrong?

• Incorrect input
• Theft
• Wilful damage
• Unauthorised access
• External
• Internal
• Software Virus
• Cyber crime

18
(No Transcript)
19
Security Breaches examples

• A set of patients' medical records left in a skip
  by retiring doctor (real example!)
• A security guard reading personal data left on an
  employees desk overnight.
• A copy of a child at risk register found on a
  second hand computer (real example)
• A employee using the PC of another employee (who
  logged in and left PC unattended) to process data
  without authorisation
• A patient at a GP surgery viewing the personal
  data of a previous patient on a PC screen.

20
Security Breaches examples (2)

• A patient in a waiting room at a doctors surgery
  overhearing information about another patients
  ailments.
• An employee using data for which they have
  authorised access for unauthorised purposes e.g
  a police officer using the police national
  computer to check out daughters boyfriend. (real
  example)
• A passenger on a train was sitting next to
  someone who was reading a solicitors brief about
  a person who had been charged with murder he
  happened to be a relative of the passenger.

21
The Impact of the Threats

• Personal privacy
• Personal health and safety
• Financial
• Commercial confidentiality

• Legal damages and penalties
• Disruption
• Political embarrassment

22
Ethical Considerations

• Promote patient/client well-being
• Avoid detrimental acts/omissions
• Open and co-operative manner
• Recognise patient/client dignity
• No abuse of position
• Protect confidential information

23
Legal Frameworks
24
The Computer Misuse Act 1990

• Introduced three offences
• Unauthorised access to computers
• Unauthorised access with intent
• Unauthorised modification

25
Case Study Computer Misuse Act.
A man was convicted in London (6/10/05) of
hacking into a charity website, set up after the
Indian Ocean tsunami disaster, in breach of the
Computer Misuse Act. A computer consultant, was
given a 400 fine and ordered to pay 600 in
costs. He fell foul of section one of the
Computer Misuse Act, the UKs main cybercrime
legislation, on New Years Eve last year. He
clicked on a banner ad to donate 30 to the
Disaster Emergency Committee (DEC) appeal.
However, when he did not get a confirmation or
thank you in response to his donation, he feared
that he had fallen for a phishing site, and
decided to test the site to make sure.
Unfortunately, in doing so he set off the DEC
protection systems, and the police were called
in. The Judge found the accused guilty with
some considerable regret, but the wording of
the Act made it clear that the security
consultant was guilty. "Unauthorised access,
however praiseworthy the motives, is an offence,"
said the judge.
26
Data Protection Act 1998 Main Provisions

• Covers all HPSS records including electronic
  records
• Defines processing as obtaining, holding and
  disclosing data
• Permits subject access to all records
• Imposes considerable penalties

27
Data Protection 98 The Principles

• Personal data shall be processed fairly and
  lawfully
• Personal data shall be obtained only for one or
  more specified and lawful purpose
• Personal data shall be adequate, necessary and
  not excessive in relation to the purpose for
  which it was provided

28
(No Transcript)
29
Data Protection 98 The Principles
continued...

• Personal data shall be accurate and up to date
• Personal data processed for any purpose or
  purposes shall not be kept for longer than is
  necessary for those purposes
• Personal data shall be processed in accordance
  with the rights of the subject under the Act

30
Data Protection 98 The Principles
continued...

• Technical organizational measures shall be
  taken against unauthorized or unlawful processing
  of personal data and against accidental loss or
  damage to personal data
• Personal data shall not be transferred to a
  country outside the European Economic Area.

31
Case Study 1 Data Protection

• An employee of the Child Support Agency, having
  read what he believed to be an inaccurate press
  article derogatory of the CSA and concerning a
  CSA client known to him, decided to set the
  record straight by faxing the true story to the
  newspaper concerned. Whilst the fax was sent
  anonymously, an investigation identified him as
  the author. He was dismissed from his employment
  and convicted of unlawful disclosure of personal
  data.

32
Case Study 2 Data Protection

• The complainant who was employed by a hospital
  was summoned to the office of his Personnel
  Manager to discuss his sickness record. The
  Personnel Manager had accessed the hospitals
  clinical computer information system in order to
  challenge certain aspects of the employees
  account of events. As a result of this complaint
  the hospital revised its security arrangements
  and the Personnel Manager incurred disciplinary
  action as a result of the inappropriate use of
  confidential clinical information for non-medical
  purposes.

33
Case Study 3 Data Protection

• The complainant visited his local hospital for a
  course of physiotherapy. Some months after the
  therapy was complete the complainant received a
  letter from the physiotherapist who had since set
  up her own business. The physiotherapist had used
  the complainants information that had originally
  been given in confidence to the hospitals for the
  earlier treatment.

34
Personal Data

• data which relates to a living individual who can
  be identified from those data and is
• system processed or intended to be processed
  automatically,or
• recorded as part of a relevant filing,or part of
  an accessible record.

35
Scope of Data Protection Legislation

• Automated Data
• Relevant filing systems (Manual data)
• Accessible Records

36
Automated Data

• On computer
• Document image processing
• Audio/Video
• Digitized images
• CCTV images

37
Relevant Filing System

• Non-automated systems structured by reference to
  individuals
• Standard manual files
• Impact of Durant case
• Organised to allow ready access to specific
  information about individuals

38
Accessible Records

• Covers all Health and Social Care records
• Structured to allow access to individuals

39
Storage

• Diaries
• Computers
• message books
• appointments register
• disks
• address books
• Complaints register

40
Legitimacy of Processing (1998)

• Principle 1 Personal data shall be processed
  fairly and lawfully and,in particular,shall not
  be processed unless
• (a) at least one of the conditions in Schedule 2
  is met, and
  
• ( b)in the case of sensitive personal data,at
  least one of the conditions in Schedule 3 is met

41
Schedule 2 conditions (1998)

• Data Subject has given consent
• Performance of a contract.
  
• Compliance with legal obligation.
• Protection of subjects vital interest.
• Crown/public functions
• Legitimate interests of controller or third
  party.

42
Sensitive Data

• Racial or ethnic origin
• political opinion
• religious beliefs (or similar beliefs)
• membership of trade union
• physical or mental health or condition
• sexual life
• any offence or alleged offence
• any proceedings or sentence

43
Sensitive Data - Schedule 3

• Data subject has given explicit consent
• Performance of legal duty in relation to
  employment
• Protection of subjects or third partys vital
  interests
• Legitimate activities of some non-profit
  organisations
• The information has been made public deliberately
  by the data subject
• In connection with legal proceedings
  
• Administration of justice, statutory obligations
  or crown/public functions
  
  
• Medical purposes
• For equal opportunities monitoring
• By order Secretary of State

44
Subject Access Requests

• Right of access to personal data in computer or
  manual form
• Entitled to
• Be informed whether personal data is processed
• A description of the data held, the purposes for
  which it is processed and to whom the data may
  be disclosed
• A copy of the data and
• Information as to the source of the data
• There are limited exemptions

45
Subject Access Requests contd

• Responding
• request should be in writing to the Data
  Protection Coordinator,
• Data should never be read over phone, faxed or
  emailed to data subject,
• Must be given in 40 days.

46
Practical Guidance
47
Securing automated data

• Key areas
• Faxing
• Avoid the use of fax for sending personal data -
  if there is no alternative use secure protocols
• Passwords
• Good password management will help protect
  personal data and staff

48
Securing automated data (2)

• Email
• Personal data should not be transmitted by email
• Data can be accessed by data subjects
• Email can be insecure
• Survey of 800 UK companies revealed that 22
  Directors had reprimanded staff for gossiping
  using email and 85 considered email to be
  facilitating scandalous material around office.
• Portables/laptops
• Do not leave unattended when leaving ensure that
  it is locked away be aware of others being able
  to see your computer screen,
• PDAs and Memory sticks must not contain personal
  information

49
Securing manual data

• Do not allow sensitive conversations to be
  overheard
• Guard against people seeking information by
  deception
• Message books
• Accessible to staff only sensitive data should
  not be recorded in message books
• Lock filing cabinets

50
Securing manual data (2)

• Diaries
• Patient/client data, which is held in diaries
  should be given the same security as any other
  record
• Telephone conversations
• Staff should be careful about those within
  earshot when discussing sensitive information
  check the authenticity of any caller before
  divulging any information

51
Securing manual data (3)

• Minutes of meetings
• Minutes which render the subject identifiable
  should be marked confidential stored in a secure
  area available only to the personnel concerned.
• Staff Supervision records/Staff Appraisal
• Sick leave records
• Such information is classified as sensitive data.
  Care should be taken when transferring
  information from medical certificates to
  notification form i.e abbreviations can lead to
  misinterpretation

52
Case Study

• Questions to consider
• Type of data held on clients/patients
• Who holds it?
• Who shares it?
• Who else has access to data?
• What security surrounds it?
• Any data held on others in the case study?
• Is data accurate, up-to-date

53
Summary of key points.

• Duty to PROTECT information
• Duty to OBTAIN information fairly
• Duty to ensure information is SECURE
• Duty to JUSTIFY use and storage of personal data
• DONT PASS ON information unless you are sure
• Remember Subject Access

54
BE CAREFUL WHEN YOURE ASKED FOR PERSONAL DETAILS
YOU NEVER KNOW WHERE THEYLL END UP
EVERY
TIME YOURE ASKED FOR PERSONAL INFORMATION THINK
BEFORE YOU GIVE IT AWAY

55
Thank you for attending