TCS IG Guidance - NHS Connecting for Health by changcheng2


Transforming Community Services
Some Key Issues in Information Governance

1    Introduction
The Transforming Community Services (TCS) programme includes changes in organisational
arrangements and developing the usage of information and the associated infrastructure to
focus and improve services.
The interaction of the organisational arrangements and the use of, and access to, patient data
and records through different models of information management facilities leads to the need to
be clear about the associated Information Governance (IG) arrangements. These allow for
protecting and enabling effective use of the data of patients or service users or clients (mainly
referred to as patients for simplicity throughout the rest of this paper, though the term is
intended to include service users and clients).
A range of organisational models¹ are emerging including Community Foundation Trust; Social
Enterprise; Vertical Integration – i.e. to support different parts of the patient pathway, e.g. with
NHS Provider Trust via Joint Venture, Community Interest Company or S75 Agreement;
Horizontal integration – i.e. to cover same part of pathway, e.g. with similar providers and/or
Local Authorities (LA) via S75 partnership agreement and mixtures of the above to provide the
full range of services.
Patient records and data (in paper or electronic form) have to be included in the formal
arrangements and agreements involved in transferring services from Primary Care Trusts
(PCTs) to Receiving Organisations in order that the Receiving organisation can perform its
functions. It is crucial that the IG aspects of transferring records and data are also considered
in such agreements. This paper sets out some of the key IG issues to be considered to enable
the informatics aspect of TCS to be undertaken successfully.
The legal status of some Receiving Organisations will change during the period that the
community services transformation is taking place. The legal status is material to the transfer
of responsibility for records and data, which should not occur until the Receiving Organisation
is a legal entity; legal entity status also brings the need to implement the associated IG
obligations.

2    Provision of information management capability
The staff working in the various organisation models will be expected to access patient records
and use IT equipment to collect, store, organise and manage data about patients. Such
capability can be provided in a variety of ways including
    • In-house
    • NHS based shared services
    • External contracted services e.g. Local Service Provider (LSP) supplied
    • PCT owned and licensed software, including NHS enterprise wide agreements
      (effectively free software whilst existing contracts operate).
The first three are common arrangements in the NHS for providing such services. The
organisational models appearing through TCS indicate that the existing pattern of supply of
capability and services will be challenged to meet the needs of the new organisations.
The fourth way offers the opportunity for a PCT to 'own and license' and thereby provide
software (that has already been paid for by the NHS or is free) to providers without such
facilities or from outside the NHS, who may not have access to Enterprise Wide Agreements
etc. This potentially enables a variety of the emerging organisational models to be supported
and has several advantages, such as supporting multiple small service providers simultaneously
or a single external supplier, allowing service suppliers to be changed, and keeping costs down.
This also means that the information and the system capability may be retained for the local
health economy irrespective of the community service provider arrangements.

¹ Transforming Community Services: enabling new patterns of provision; see

a5a029d7-2512-45ce-b7bc-51a25da56300.doc – Author: Wally Gowing

3      IG Context
IG is concerned with ensuring that person level data and records of Data Subjects can be
properly protected whilst productively used to support delivery of care and effective operation of
services. IG can also be viewed as a mechanism to manage risks to patient data and to
organisations in their management and use of data and records of patients.
The legal basis for IG is provided through the Data Protection Act² and NHS policy, such as the
Caldicott Principles. A key concept concerning access to identifiable data is that such access
should only take place if it is necessary and can be justified and that identifiable data should
only be used in the support of delivery of care, otherwise effectively anonymised data should
be used.
Key concepts of IG implementation at organisational level are Data Controller and Data
Processor (defined in Appendix 1) as legal obligations are vested in organisations, which have
to be legal entities to undertake these roles. The Data Controller has responsibility for the use
to which the data is put by an organisation and may undertake processing, whilst a Data
Processor may be a separate organisation that provides services to the Data Controller
organisation. A Data Controller should explicitly state what is expected from its Data
Processors and this should be achieved through formal contracts (rather than SLAs) even
when between NHS organisations. The contracts should create clarity about the services and
provide mutual protection given the liabilities that each are under in delivering services.
Given the various combinations of models emerging for organisations and community service
provision, together with those for information service provision, it is important to be clear how
the IG obligations can be met.
For NHS organisations, IG responsibilities are vested in three roles, namely Caldicott Guardian,
Senior Information Risk Owner (SIRO) and Information Asset Owner (IAO) (see Appendix 1).
Compliance by NHS related organisations with IG requirements is assessed through the
Information Governance Toolkit (IGT) which is revised annually to reflect IG legal and policy
The Information Commissioner, who is the Independent Regulator and responsible for Data
Protection, recommends that a Privacy Impact Assessment (PIA) be undertaken at the outset
of any project that might impact on people’s privacy. The aim of the PIA is to assess privacy
risks to individuals in the collection, use and disclosure of information. PIAs, which can be run
on ‘full-scale’ or ‘small-scale’ basis, are intended to help identify privacy risks, foresee problems
and bring forward solutions. To assist, the Information Commissioner’s Office (ICO) has
produced a PIA handbook³ outlining processes and providing screening questions etc. The
use of PIA may be pertinent to all Receiving organisations, particularly newly created
The scope of records and data held by a range of organisations will change as TCS is
implemented. The resulting changes will need to be reflected in the many IG policies and
procedures of affected organisations to ensure an effective IG regime. In turn, these IG
changes may well impact on staff and associated IG training.

² Data Protection Act 1998; see

4     IG implications of implementing TCS
4.1    Introduction
In changing organisational structures and the associated changing of information systems and
transfer of data, there are important IG issues that must be considered and resolved. These
include those in the list below, which are subsequently considered further in the following sub-
    • The legal status of the organisations involved
    • Transfer of records and data between organisations
    • Which organisation owns the system
    • Which organisation controls the data
    • Which organisation processes the data
    • Modifying DPA registration – notification to Information Commissioner’s Office (ICO)
    • Avoiding orphaned data
    • Managing information sharing and access through protocols between organisations
    • Whether a system is principally for operational/clinical purposes or a data warehouse/
      repository type system principally for secondary uses
    • Who/which individual members of staff has/have access to the data and which data
    • Implementing fine grained access control to person level identifiable data
    • Identifying risks to records and data of individuals
    • Subject Access and Section 10’s
    • Modifying policies
    • Informing patients about what is happening to their data
4.2    Legal status and transfer of records and data
Under the DPA, Data Controllers have to be legal entities as there is liability for their actions.
This means for instance, that GP Commissioning Consortia cannot be Data Controllers until
they are legally formed, that is at the time their legal status is attained when the relevant health
bill has been passed.
It is assumed that there will be legal terms of transfer between a PCT and relevant Receiving
Organisations. The transfer of records and data should be included as part of the formal
transfer of assets alongside premises, staff and hardware. The fate of records and data should
be clearly stated within the schedules supporting the transfer of services, including, for
example, Data Protection aspects and the handling of Freedom of Information requests.
Reference should be made to the subsequent need for establishing the mechanisms for
working between the organisations as issues arise in managing the existing data assets. An
example of this is given in Appendix 2, a document setting out sample processes for managing
orphaned data.
It is important to resolve issues at the outset, especially in relation to any future resource issues
that may arise, so that problems due to lack of scope or clarity do not build up against the
backdrop of PCTs ceasing to exist in the near future; it would be prudent to include
mechanisms to resolve problems in the interim.
When services are transferred to significant NHS organisations, responsibility for full records
and data should be transferred as the Receiving Organisation is taking on the PCT Community
and other Services roles and liabilities. Professional staff will need access to such records and
data and it is expected that the ICO would deem that full transfer to the Receiving Organisation
is reasonable from the Data Subject’s viewpoint.
When services are being transferred to emerging Receiving Organisations that are not yet legal
entities, then the Data Controller may continue to be the PCT until legal entity status is
reached. In some cases such organisations may initially be limited in capacity and capability,
and the commissioner’s contracts for services should retain the right to transfer records and
data to successor organisations. In such cases, it may be sensible to transfer recent records
and data relating to recent activity (e.g. last 2 years) and not to transfer archive data, which
would add to the burdens of the new organisation. Such archive data would continue to be the
responsibility of the PCT as Data Controller.
However, in general, records and data about individuals whose services are being transferred
should not be orphaned, i.e. some part left behind at the PCT or the PCT’s Data Processor, as
they are clearly the responsibility of the Receiving organisations - see Section 4.7.
4.3      System ownership
The issue of ‘Who owns the system supporting delivery of community services?’ should not be
relevant or have impact for TCS as long as ownership does not assume the right of access to
data or data controller rights, for example LSPs are systems owners for much data processed
for the NHS.
There is an issue with existing community systems where these have been operated by PCTs
utilising software made available under volume licence agreements with organisations such as
Microsoft through Connecting for Health (CFH). It is possible to move forward with the model
of the PCT/Commissioner 'owning' or 'licensing' software and systems for use by a new
community service provider; this is legitimate from an IG viewpoint as long as relevant IG
'rules'/constraints are met in which the PCT/Commissioner does not have access to the data at
individual patient level.
CFH can provide copies of the licensing arrangements and forms for any required transfers.
4.4      Data Controller
There must be clarity about who/which organisation is the Data Controller for the transferred
records and data in order to exercise the responsibility on which personal data can be
processed and how – see Appendix 1 for definitions. In effect the Data Controller must be the
organisation which ‘determines the purposes for which and the manner in which any personal
data are, or are to be, processed’⁴; in this case in support of provision of care or undertaking
analysis etc. This means for instance that a PCT can own a system, but the Receiving Trust
having the responsibility for patients and their information must be the Data Controller.
Any organisation registering with the Information Commissioner as a data controller must
assume full responsibility for managing patient information held on relevant systems (e.g. RiO
in London), some of which will be in active use and some a historic record of care.
Organisations can be data controllers jointly if organisations act together to decide the purpose
and manner of any data processing. This can occur within the NHS and may be pertinent in
some instances arising from changes associated with TCS.
4.5      Data Processing
There must be clarity about who/which organisation acts as Data Processor for/on behalf of
the Data Controller for data transferred as part of TCS; this may be the same organisation, a
shared service or an external contractor (e.g. LSP); there may be more than one Data
Processor. A Data Processor must be part of a legal entity as liability for failing to meet the
legal obligations of the DPA must be accepted and indemnified against.
If the Data Processor is in an organisation separate from the Data Controller, then formal
contracts (with schedules for specific services, performance etc) must be used.
If a Data Processor is providing services to a consortium of NHS organisations hosted by one
of the NHS organisations, contracts must be held with each of the NHS organisations for the
relevant Data Processing, for which each NHS organisation is the Data Controller.
4.6      Notification to the Information Commissioner
PCTs and the Receiving organisations consequent on TCS must notify the ICO annually of their
processing of personal data. The notifications for 2011 will need to include any additional or
reduced data processing to be carried out by relevant organisations for the changes occurring
because of TCS.

⁴ as defined in Data Protection Act 1998, see footnote 2

4.7     Orphaned records and data
Transfer of records and data arising from TCS should be included as, and be regarded as, a
transfer of assets in much the same way as staff or hardware, and such records and data
cannot be ‘orphaned’ – this applies to both electronic and paper records. When PCTs transfer
responsibility for their services and the legal liability for the care provided, the data and records
controlled by the PCTs and the related responsibility also have to be transferred to the new
body responsible for delivering the services.
If the Receiving Organisation does not want to take all of the historical data then, if the relevant
retention period for the type of record has been reached, such data can be securely destroyed
prior to transfer or archived if the data remains relevant. If the data are archived, then
responsibility for the data’s continued existence must be clarified at the point of archiving and
must reside with a suitable legal entity.
For data which have not reached the retention period expiry date, responsibility for the data
should be transferred to the Receiving Organisation along with the other responsibilities passed
over by the PCT. If such data were to be destroyed inappropriately it would leave the receiving
organisation defenceless in terms of having evidence mitigating its liability. A court could view
such destruction as evidence of the body seeking to shirk its responsibilities.
If a new body does not want historical data in its records then the data does not need to move
but there would need to be a new data processing contract with the current data processor to
retain the data as an archive for the prescribed retention period and then either public records
archiving or destruction.
If orphaned records are to be archived, then there needs to be agreement and clarity between
organisations on the specific responsibilities in meeting the various legal obligations that may
arise. These responsibilities include the situation where a patient moves from ‘inactive’ to
‘active’ through supply of community services; subject access requests under the DPA; where
litigation arises or where records are requested by Courts or the police. A sample agreement is
attached as Appendix 2 based on an agreement developed in the Liverpool/Sefton area. This
followed from the splitting of a PCT’s community services between 2 Receiving Organisations
and the decision to not transfer inactive records.
4.8 Information Sharing
4.8.1 Information Sharing Protocols
Information sharing is necessary to support patient care across organisations and where single
instances of software are used by multiple providers. Many NHS organisations have staff
employed by other organisations using their patient information systems. The usual ways to
manage this relationship are through any one of the following:
    • Acceptable Use Policy signed when a user starts to access the system
    • Honorary contracts and/or third party agreement when the staff member does not work
      for the organisation that is the Data Controller
    • Information Sharing Protocols or Data Sharing Agreements including Subject Specific
      Information Sharing Agreements.
Information Sharing Protocols (ISP) enable organisations to share data and information about
patients and are typically used to support care pathways (e.g. Greater Manchester ISP⁵,
Surrey Multi Agency ISP⁶, and Pan Birmingham Cancer Network ISP⁷). Sharing information
about individuals between public authorities is often essential in order to keep people safe, or


ensure they get the best services. This sharing must only happen when it is legal and
necessary to do so to provide services to the patients and when adequate safeguards are in
place to protect the security of the information. This means that the same rules and restrictions
apply to access to identifiable data by an ISP organisation as in the originating organisation.
As ISPs can enable access to identifiable data, such ISPs must be signed off by relevant
Caldicott Guardians on behalf of the Data Controller organisations.
A generic sample ISP for sharing information with other organisations is shown in Appendix 3.
4.8.2 Information Sharing for TCS
The implementation of the records and information aspects of TCS should be supported
through the use of relevant ISPs and confidentiality agreements. These can be split into 3
    • Pre Transfer ISP
    • Post Transfer ISP
    • Staff Confidentiality Agreement (to be used during the TCS change project)
Sample documents are shown in Appendix 4. These documents have been developed by
Manchester PCT and reflect the fact that Manchester PCT will continue to operate the
Community system for use by a variety of provider Trusts. Whilst this may not be a typical
situation, the purpose and principles of the ISPs and confidentiality agreement, especially the
Pre-Transfer ISP are relevant wherever data and record transfers are due to take place and
whatever organisational change arrangements are planned. The documents provide templates
for development of local ISPs and agreements as required.
In addition to the ISPs above, there may be Subject Specific Information Sharing Agreements
(SSISA) to supplement any overarching ISPs by giving the details of sharing of specific sets of
data for specific purposes.
A particular example of this is that future versions of RiO (used for community and mental
health services in London) will include a function for a user of one organisation’s RiO system to
see data for a patient held on another organisation’s RiO application (RiO2RiO) as long as
the patient has given consent. This will be supported by a SSISA for trusts that use this
function, and the SSISA document will spell out the obligations for use of this form of
4.9      Primary use versus secondary use
Systems that support the delivery of care and record, for example, clinical data as part of the
patient record, will largely operate for these primary purposes. The use of data to support
analysis of activity or commissioning processes is regarded as for secondary purposes, as are
the associated systems. For primary use purposes, data can be accessed in identifiable form.
However, secondary use should utilise de-identified data and currently most NHS organisations
and systems are unable to meet this basic DPA and Common Law of Confidentiality
requirement in respect of secondary use. The NHS currently utilises a Section 251 approval to
allow use of identifiable data. This approval is reviewed on an annual basis, but will be
withdrawn as the NHS implements de-identification facilities and capabilities, which is IGT
Requirement 8-324.
Guidance and further information on implementation of de-identification for secondary use is
available from CFH and IC websites⁸.
4.10 Health data and Social Services systems
Some Receiving organisations may determine to use systems utilised by Social Services for
data processing. Organisations need to be aware of the differences between the basis on
which health related data and social services related data are obtained, stored and processed.
The major difference is that Social Services departments obtain consent of the service


user/client prior to collection of personal data beyond demographic data, whereas explicit
consent is not obtained for personal data collected through health service provision.
This means that a range of Social Services staff is therefore able to access data within their
systems on the basis that explicit consent has been obtained. If NHS health sourced data are
added to the social services system, then access to the data should be restricted to those
operating within the NHS, i.e. based on legitimate relationships of clinicians and related staff. If
wider use of the data is to be made through the system, then explicit consent must be obtained
for such use.
4.11 Who accesses the transferred records and data
Identifiable data - Access to identifiable patient health records and identifiable data on
systems should be restricted to members of
    • clinical teams in the delivery of the patient’s care – these should operate against
      professional standards with retrospective monitoring and audit
    • services that support provision of care services, such as patient administration
    • services that support systems holding identifiable data
    • safe haven users, responsible for data quality and the provision/receipt of data with
      other bodies.
Secondary usage of data should be undertaken with de-identified data to meet IGT 8-324.
Wherever possible, data should be provided in aggregate or tabulated form to avoid use at
individual patient level. Access at patient level for secondary use should be restricted to staff
who have legitimate reasons for such use.
4.12 Access Controls and User Registration
Systems containing community services data should have access controls in line with meeting
the NHS Code of Confidentiality; this can be assessed by the level of conformance with the IG
Toolkit. Typically, access control will involve fine-grained access control to compartmentalise
users, the data and views of data that they should have access to. Such access controls
should operate
    • at an organisational level as modified by any inter-organisational information sharing
      protocols (i.e. only see data relevant to patients within the user’s organisation)
    • at a user role level – e.g. clinician sees their patients only to support care provision;
      support staff can see all relevant data for all patients; safe haven user can see all
      patients for data quality purposes; secondary use users can only see secondary use
User registration will depend on the types of system being used, for example whether local or
LSP supplied, and should be pursued with those responsible for user registration within the
receiving organisation. CFH have issued guidance on smart card migration for Spine systems⁹.
4.13 Avoiding inadvertent unauthorised data access
It is possible to conceive of situations resulting from TCS where issues will arise from not
archiving data or where information-sharing arrangements are not accompanied by adequate
access control regimes. Such a scenario might be where PCT Trust A's community services
data is processed by a Data Processor, say a LSP. Trust A’s services may be transferred to
Trusts B and C and some services may cease to be provided. The resulting data management
should lead to archiving of the data relating to the discontinued services and separate
instances of software and data for Trusts B and C. However, the result may actually be that
staff in Trusts B and C can both access the non-archived Trust A data and possibly access one
instance of a system and data being used by both Trusts B and C as there are patients in
common for the services supplied by the Trusts, but, in addition, can inadvertently access all
records for patients, not only those for which they have clinical or operational responsibility.

9 Process for User
Migration FINAL ISSUED V 1.0.docx/view?searchterm=OMS Process for User Migration

The above outline may be a worst case scenario (though with the added complexity of some of
the data concerned being about mental health or local authority social services, it could be
worse) and should be avoided, but if this (or something similar) does arise, it is vital that
    • Information sharing protocols are put in place that explicitly cover the particular
      circumstances of accessing each other’s data
    • Non-maintained data (i.e. the data that should have been archived) is clearly identified
      as such together with the fact that it cannot be relied upon as a current clinical record
    • Staff in the new service providers are aware of breadth and limitations of accessing
      data through Information Sharing Protocols and their professional obligations.
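
The access rules of Sections 4.12 and 4.13 can be written as a single decision function and run against the Trust A/B/C scenario. This is an added example, not part of the original paper or of any NHS system; the organisations, roles, ISP register and records are constructed, and the `decide` and `overexposed` helpers are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    CLINICIAN = "clinician"          # sees own patients only
    SUPPORT = "support"              # e.g. patient administration
    SAFE_HAVEN = "safe_haven"        # data quality across the organisation
    SECONDARY_USE = "secondary_use"  # analysis on de-identified data only


@dataclass(frozen=True)
class User:
    name: str
    org: str
    role: Role
    caseload: frozenset = frozenset()  # patients with a legitimate relationship


@dataclass(frozen=True)
class Record:
    patient: str
    controller: str          # organisation acting as Data Controller
    service: str
    maintained: bool = True  # False = data that should have been archived


@dataclass(frozen=True)
class Decision:
    view: str                # "deny", "identifiable" or "de-identified"
    caveat: str = ""


# Constructed ISP register: (requesting org, controller org, service) triples.
ISPS = {("Trust B", "Trust C", "podiatry")}


def decide(user, rec, isps=ISPS):
    # Organisational level: own organisation's data, or data covered by an ISP.
    in_scope = (rec.controller == user.org
                or (user.org, rec.controller, rec.service) in isps)
    if not in_scope:
        return Decision("deny")
    # Non-maintained data is flagged so it is not read as a current record.
    caveat = "" if rec.maintained else "non-maintained: not a current clinical record"
    # Role level: secondary use never receives identifiable data.
    if user.role is Role.SECONDARY_USE:
        return Decision("de-identified", caveat)
    # Clinicians see only patients they have a legitimate relationship with.
    if user.role is Role.CLINICIAN and rec.patient not in user.caseload:
        return Decision("deny")
    return Decision("identifiable", caveat)


def overexposed(users, records, isps=ISPS):
    """(user, patient, service) triples that a shared instance with login-only
    control would expose but that the fine-grained rules deny."""
    return [(u.name, r.patient, r.service)
            for u in users for r in records
            if decide(u, r, isps).view == "deny"]


# Constructed scenario: Trust A's services split between Trusts B and C,
# one shared system instance, Trust A data left unarchived.
NURSE_B = User("nurse_b", "Trust B", Role.CLINICIAN, frozenset({"p1", "p3"}))
ADMIN_C = User("admin_c", "Trust C", Role.SUPPORT)
ANALYST_B = User("analyst_b", "Trust B", Role.SECONDARY_USE)
USERS = [NURSE_B, ADMIN_C, ANALYST_B]

RECORDS = [
    Record("p1", "Trust B", "district nursing"),
    Record("p2", "Trust C", "podiatry"),
    Record("p3", "Trust B", "district nursing"),   # patient in common
    Record("p3", "Trust C", "podiatry"),           # patient in common
    Record("p4", "Trust A", "discontinued service", maintained=False),
    Record("p1", "Trust B", "legacy notes", maintained=False),
]

if __name__ == "__main__":
    for triple in overexposed(USERS, RECORDS):
        print("would be exposed without fine-grained control:", triple)
```

Running `overexposed` over an export of real user and record metadata gives a list of user/record pairs to review before a shared instance goes live.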
4.14 Identifying risks to records and data of individuals
As indicated in Section 3, a Privacy Impact Assessment should be undertaken to identify
potential risks to the privacy of individuals through the transfer of records, data and systems as
well as staff from PCTs to receiving organisations. This may be especially useful where new
organisations are involved or in relation to the transfer of specific services, such as Sexual
Health or Mental Health where data may well be regarded as more sensitive.
4.15 Subject Access Request and Section 10 Requests
In order to conform with the DPA and the Care Record Guarantee, NHS related organisations
that are Data Controllers and cause patient data to be processed must be able to inform at the
Data Subject’s request what data is held about the Data Subject and the purpose for
processing the data; this is a Subject Access Request (SAR). In addition, under DPA Section
10, the Data Subject can request to know who has accessed that data.
Where existing systems and processes are being transferred, then assuming that SARs and
Section 10 requests can be met, then no difficulties should arise. In any other circumstances it
will be prudent to check that SARs and Section 10 requests can be satisfactorily handled.
4.16 Modifying DPA registration and policies
Each organisation having responsibility for personal data must have a Data Protection Act
registration with the Information Commissioner; this includes any organisation taking a new
system. This identifies the purpose of the use of the data; the range and type of data etc and
changes to the detail of the registration must be notified to the ICO.
In parallel with this, any organisation should ensure that all its Data Protection and IG related
policies and procedures are modified to reflect the changes arising from implementation of
TCS. A checklist of IG related policies is shown in Appendix 5.
In addition to the changes to IG policies etc, TCS will cause changes to the range of records
and data held by organisations. Consideration should therefore be given to provision of
training for relevant staff on their IG responsibilities arising from TCS, whether it be using new
systems or operating within a new organisation if they have been transferred.
4.17 Informing patients
As TCS results in changes as to which organisations hold and process data about patients,
then patients must be informed of these changes.
Under the Data Protection Act clients (and staff) must be told:
    • What information is held about them
    • Who it might be passed on to
    • The name of the data controller that holds the information (e.g. the Receiving Trust)
    • Who they can contact if they have any queries.
For new patients/service users/clients of affected community services a Fair Processing notice
can be used. Usually this takes the form of a leaflet entitled “How we use your information”.
The Notices in place at each organisation will need to be reviewed and any gaps identified for a
new leaflet that would need to be in place when the services are taken over by the Receiving
Trust. The leaflet should be sent out with all first appointments and should be distributed at
service points throughout the organisation.

In addition, all current patients/service users/clients of affected community services must be
informed of relevant changes. Consideration should be given to do this effectively and in a
coordinated manner so that the client is not receiving several communications from e.g. the
PCT and the Receiving Trust. It is probable that there will be a wider local communications
process to inform about changes to services associated with TCS and it would be helpful if the
records, data and IG aspects were an integral part of that process.

5      Implementing change
5.1      Introduction & Implementation Examples
There appear to be a myriad of different possible combinations of organisational arrangements
that could arise in TCS. It is not feasible to work through all the combinations. Some common
issues are examined in the two scenarios below.
The examples are intended to illustrate some of the issues that may arise and the IG steps that
need to be taken for organisations to remain legal in their use of patient data; organisations
that do not take them risk breaking the law and potential fines from the Information
Commissioner's Office (ICO). Some relevant anecdotal evidence is provided to illustrate the issues.
5.2      Sharing systems – organisational issues
Scenario - Multiple units in different organisations share an operational/clinical system (such
as SystmOne operated across practices and community service providers)
IG requirements - an individual organisation and their staff should only have access to the
records/data that relate to patients they deal with, based on the equivalent to legitimate
relationships - so such a system needs to be capable of providing sufficient levels of access
control; providing staff from:
Practice – access to their patients only; differential access to records dependent on role within
practice, e.g. differences between GP and reception
PCT Provider/Community Provider - access to their patients only and others via Information
Sharing Protocol; differential access to records dependent on role within provider, e.g.
differences between clinician and reception
PCT Commissioner (assuming that they have access to the system) should only have access
to de-identified (pseudonymised) versions of the data for secondary use purposes (EMIS Web
operates in this way, practices can see data about their patients in identifiable form, but staff in
PCTs see the same data in pseudonymised form). A PCT Commissioner may need access to
the system for Data Quality reasons as part of their safe haven function in support of their wider
secondary use of data in their own data warehouse for contract & performance management
etc - but this only applies if the system (SystmOne in this instance) is in effect the main patient
register at PCT level for the PCT Commissioner (previously undertaken through the Exeter
System requirements to meet DPA & NHS Policy – fine-grained access controls to
distinguish between different organisations and different user types and the categories of data
that can be accessed, plus audit facilities to check on who has accessed what records.
5.3      Sharing systems – inappropriate data access issues
Scenario - Extend the use of existing ‘clinical’/service delivery systems into other organisations
in order to provide services e.g. Community Trust system used by LA or another Community
IG requirements - an individual organisation and their staff should only have access to the
records/data that relate to patients they deal with, based on the equivalent to legitimate
relationships; providing staff from:
PCT Provider/Community Providers - data access should still be restricted, on the basis of the
DPA & Caldicott, to content for that provider's patients only unless Information Sharing
Protocols are in place, and the whole of a record should only be seen by relevant authorised
staff. Anecdotal evidence indicates that inappropriate access to records by administrative staff does occur10.
PCT Commissioner (assuming that they have access to the system) - In this case, staff of the
PCT should not have access to person level data; it may be suitable for instance for PCT staff
to have access to the system for performance indicators and similar high level reporting.
System requirements to meet DPA & NHS Policy – fine-grained access controls to
distinguish between different organisations and different user types and the categories of data
that can be accessed, plus audit facilities to check on who has accessed what records.
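The system requirements stated in sections 5.2 and 5.3 (access limited by organisation, role and category of data, pseudonymised views for commissioner staff, and an audit trail of who accessed which record) can be sketched as follows. This is an added example, not code from SystmOne, EMIS Web or this paper; the organisation names, roles, field names, records and the HMAC-based pseudonym are all assumptions constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Everything below (organisations, roles, fields, records) is constructed sample data.
PSEUDONYM_KEY = b"constructed-demo-key"  # assumption: a secret held by the safe haven

# Categories of data each role may see (differential access by role).
ROLE_FIELDS = {
    "clinician": {"nhs_number", "name", "appointments", "clinical_notes"},
    "reception": {"nhs_number", "name", "appointments"},
}
# Commissioner staff never receive identifiers: a pseudonym plus coded data only.
COMMISSIONER_FIELDS = {"appointments", "diagnosis_codes"}

RECORDS = {
    "rec-1": {"care_orgs": {"practice-a"},
              "data": {"nhs_number": "0000000001", "name": "Mrs Smith",
                       "appointments": ["2011-04-04"],
                       "clinical_notes": "constructed note",
                       "diagnosis_codes": ["X01"]}},
    "rec-2": {"care_orgs": {"provider-b"},
              "data": {"nhs_number": "0000000002", "name": "Mr Jones",
                       "appointments": ["2011-04-05"],
                       "clinical_notes": "constructed note",
                       "diagnosis_codes": ["X02"]}},
}


@dataclass(frozen=True)
class User:
    user_id: str
    org: str
    org_type: str  # "practice", "provider" or "commissioner"
    role: str


@dataclass
class AccessControl:
    # (owning_org, accessing_org) pairs covered by an Information Sharing Protocol
    sharing_protocols: set
    audit_log: list = field(default_factory=list)

    def pseudonym(self, nhs_number):
        """Keyed, stable pseudonym so records link without exposing the identifier."""
        digest = hmac.new(PSEUDONYM_KEY, nhs_number.encode(), hashlib.sha256)
        return digest.hexdigest()[:16]

    def has_legitimate_relationship(self, user, record):
        """True if the user's organisation cares for the patient or an ISP covers it."""
        if user.org in record["care_orgs"]:
            return True
        return any((owner, user.org) in self.sharing_protocols
                   for owner in record["care_orgs"])

    def read(self, user, record_id):
        """Return the view this user may see (or None) and audit the attempt."""
        record = RECORDS[record_id]
        data = record["data"]
        if user.org_type == "commissioner":
            view = {k: v for k, v in data.items() if k in COMMISSIONER_FIELDS}
            view["pseudonym"] = self.pseudonym(data["nhs_number"])
            outcome = "pseudonymised"
        elif user.role in ROLE_FIELDS and self.has_legitimate_relationship(user, record):
            view = {k: v for k, v in data.items() if k in ROLE_FIELDS[user.role]}
            outcome = "identifiable"
        else:
            view, outcome = None, "denied"
        # Every attempt is logged, including refusals, so access can be reviewed later.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user_id": user.user_id, "org": user.org, "role": user.role,
            "record_id": record_id, "outcome": outcome,
        })
        return view

    def accesses_to(self, record_id):
        """Audit query: who has touched this record, and with what outcome."""
        return [(e["user_id"], e["outcome"]) for e in self.audit_log
                if e["record_id"] == record_id]

    def denied_attempts(self):
        """Audit query: attempts made without a legitimate relationship."""
        return [e for e in self.audit_log if e["outcome"] == "denied"]


if __name__ == "__main__":
    ac = AccessControl(sharing_protocols=set())
    gp = User("gp-1", "practice-a", "practice", "clinician")
    nurse = User("nurse-1", "provider-b", "provider", "clinician")
    analyst = User("analyst-1", "pct-x", "commissioner", "analyst")
    for person in (gp, nurse, analyst):
        print(person.user_id, ac.read(person, "rec-1"))
    print(ac.accesses_to("rec-1"))
```

Adding `("practice-a", "provider-b")` to `sharing_protocols` is what turns the community nurse's refused read of `rec-1` into a permitted one; the refusal and the later access both stay in the audit log.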


5.4   Offsetting potential inappropriate data access issues
If the system requirements identified to meet DPA and NHS policy are not available in the short
term, then steps must be taken to ameliorate the potential breaking of policy and laws. The
following steps are likely to be required:
      Ensuring that clinical staff are aware that they may have access to records for patients
        with whom they have no legitimate relationship and that professional ethics require
        them to not look at such records – and that such access can be audited (assuming that
        these basic facilities exist)
      Sign off by the Caldicott Guardian on behalf of the organisation that the organisation is
        aware that such access may occur
      Informing patients that for a limited period their records may be seen by clinicians who
        do not have responsibility for their care.
      Informing the ICO that such a situation exists
NB - The above assumes that non-clinical staff cannot access clinical records.

6   Key questions
The issues set out above can be restated as a set of key questions and actions that apply to
PCTs and Receiving organisations. The impact that these questions and issues have will vary
depending on the particular set of organisational changes being implemented, e.g. a Social
Enterprise being created with new systems compared with a PCT with Community services
moving to an existing Receiving Trust.
The questions need answering in the affirmative for the IG aspects of the organisational
arrangement and associated systems to be potentially considered as being suitable. There
may be other detailed points that prevent the IG arrangements being immediately sufficient and
effective, but these should be soluble in the long term.

Q1.     Are the organisations to which records and data are being transferred (and which
become responsible for them as Data Controller) existing legal entities? (See section 4.2)
Q2.     Are the datasets included in the formal statements on transfer of assets between
organisations? There may be issues on timing about this, but reference to the need to transfer
datasets and records should be made in the formal statements with details clearly stated
subsequently in related formal schedules. (See section 4.2)
Q3.     Which organisation owns the system in terms of hardware and software and relevant
licences? – this organisation is the System Owner. The System Owner for data from
transferred PCT provider arms may, for example, be a PCT, a LSP or Trust. (See section 4.2)
Q4.     Which organisation(s) determines the purposes for which the personal data in the
system are used (e.g. what data is held on and what reports and analyses are required to
check what is happening to Mrs Smith)? - this organisation is the Data Controller (which may
also be the System Owner); there may be more than one Data Controller acting jointly. The
Data Controllers for data from transferred PCT provider arms are expected to be the Receiving
Organisations. (See section 4.4)
Q5.     Which organisation is responsible for safeguarding and processing the data? This
organisation is the Data Processor (which may also be the Data Controller). The Data
Processors for data from transferred PCT provider arms will be the organisations undertaking data
processing for the Receiving Organisations, such as the Receiving Trusts themselves, shared
health informatics services (HIS) or LSPs. (See section 4.5)
Q6.     Have Privacy Impact Assessments (PIAs) been undertaken for records, data and
systems? In particular, have PIAs been undertaken in relation to sensitive services?
(See section 4.14)
Q7.     If different organisations are identified in Q1, Q2 and Q3, then are there suitable
statements and service level agreements between the organisations to define roles etc? (See
section 4.5)
Q8.     Have the PCT and the receiving organisations notified the ICO of changes to their data
controller and data processing responsibilities? (See section 4.6 & 4.16)
Q9.     Are any data ‘orphaned’ as a result of the data transfer? If yes, are there appropriate
data processing agreements in place? (See section 4.7)
Q10. If data and information are shared between organisations or accessed across
organisations, are relevant Information Sharing Protocols or Acceptable Use Policies and staff
confidentiality agreements in place? Where necessary are these supported by Subject Specific
Information Sharing Agreements? (See section 4.8)
Q11. Where there is orphaned data and information-sharing protocols are in place, have
checks been made that inadvertent unauthorised access cannot be made to orphaned data or
to records for patients for which the service provider does not have responsibility? If such
access can be made, relevant remedial steps are required. (See section 4.13)
Q12. If a social services system is to be used to process health sourced personal data, are
there appropriate safeguards on data access in place? If not, has explicit consent for the wider
use of the data been obtained from the Data Subjects? (See section 4.10)
Q13. Does the system fully support DPA requirements, Caldicott Principles and the NHS
Code of Confidentiality? In particular, can user access be restricted to only those patients that
the user should see, either on the basis of organisational responsibility or their care service
provision responsibility? (See section 4.11 & 4.12)
Q14. If the answer to Q13 is no, then are steps being taken to offset potential inappropriate
data access – e.g. only nominated social services staff can access health records and vice
versa? (See section 4.13 & 4.10)
Q15. Are relevant RA and user registration mechanisms in place? (See section 4.12)
Q16. Can the receiving organisation meet the DPA requirements of Subject Access requests
and DPA S10 enquiries? (See section 4.15)
Q17. Have patients been informed that their data has been transferred and (where
appropriate) that additional staff may now access their records? Have Fair Processing notices
been modified to reflect TCS induced changes? (See section 4.17)
Q18. Have the organisation’s IG policies and procedures been created/amended to reflect
the new responsibilities resulting from implementing TCS? (See section 4.16 and for a checklist
of policies and procedures see Appendix 5).
Q19. Is additional IG training required for staff as part of TCS implementation? (See section

                                                                                        Appendix 1
                            Key IG concepts and Examples
Data controller - A data controller is a person (recognised in law, thus can be individuals,
organisations or other corporate and unincorporated bodies of persons) who (either alone or
jointly or in common with other persons) determines the purposes for which and the manner in
which any personal data are, or are to be, processed.
In effect the data controller has full authority to decide how and why personal data is to be
“processed” (this includes using, storing and deleting the data). When a body decides that it
wishes to pass the personal data it holds to another organisation, the body is acting as a data
controller as it has the authority to take this decision.
Whether or not the receiving organisation is also a data controller will depend on whether or not
the receiving organisation will have the authority to decide how and why the data will be stored,
used and deleted. If the receiving organisation has considerable discretion in this area, it is a
data controller.
In relation to data controllers, the term jointly is used where two or more persons (usually
organisations) act together to decide the purpose and manner of any data processing. The
term in common applies where two or more persons share a pool of personal data that they
process independently of each other.
Data processor - A data processor is an organisation that “processes” personal data on behalf
of another organisation. Processing includes reading, amending, storing and deleting.
If a body passes personal data to an organisation, but retains the right to specify what should
be done with that data, then the receiving organisation is a data processor. The original body is
legally responsible for any breaches of the Data Protection Act committed by any data
processor acting on its behalf.
Examples – An Acute Trust running in-house IT and information services is both a Data
Controller and a Data Processor; whilst a similar Trust using services from a LSP is the Data
Controller whilst the LSP is a Data Processor.
Caldicott Principles
1.    Justify the purpose(s)
2.    Do not use patient identifiable information unless it is absolutely necessary
3.    Use the minimum necessary patient-identifiable information
4.    Access to patient identifiable information should be on a strict need-to-know basis
5.    Everyone with access to patient identifiable information should be aware of their
6.    Understand and comply with the law
Caldicott Guardian - is a senior person responsible for protecting the confidentiality of patient
and service-user information and enabling appropriate information sharing. Each NHS
organisation is required to have a Caldicott Guardian; this was mandated for the NHS by
Health Service Circular HSC 1999/012 and covers all organisations that have access to patient
Information Asset Owner (IAO) - will be a senior member of staff who is the nominated owner
for one or more identified information assets of the organisation. It is a core IG objective that all
Information Assets of the organisation are identified and that the business importance of those
assets is established.
The Senior Information Risk Owner (SIRO) - will be an Executive Director or Senior
Management Board Member who will take overall ownership of the Organisation’s Information
Risk Policy, act as champion for information risk on the Board and provide written advice to the
Accounting Officer on the content of the Organisation’s Statement of Internal Control in regard
to information risk.

                                                                                    Appendix 2
   Sample - Records Management Procedure for accessing records
            following the Transfer of Community Services
Active & Inactive records
All records for active patients who at the time of transfer (e.g. 1st April 2011) are receiving
treatment by a service that was formerly provided by NHS AA Community Health services and
are transferring to either BB NHS Trust or CC Community Health services will transfer to these
Receiving Organisations. Responsibility for the transferred records is also transferred to the
Receiving Organisation.
All records that are inactive (for example if the patient has been discharged from the service or
has died prior to the 1st April 2011) have been stored in an off-site document storage facility.
These archived records and responsibility associated with them remain with NHS AA
Records required when a patient is re-admitted to a transferred service
If after the transfer date a patient, who had been previously discharged from a service, is re-
referred to the community service, the receiving organisation may wish to access the patient’s
records from their previous treatment. Under these circumstances, a request for the records
must be made to the responsible department at NHS AA Commissioners who will locate the
records in the archive and transfer them securely to the Receiving Organisation. The time limit
for this process will be no longer than 14 working days.
Records requested under Subject Access
Records that have been transferred to receiving organisations
If a request for records is received by NHS AA Commissioners for records which have been
transferred to the Receiving Organisations (as per the service destination list) then the request
will be forwarded on to the Receiving Organisation and the requester will be advised that their
request has been transferred to either BB NHS Trust or CC Community Health Services.
Records that remain with NHS AA Commissioners
If a request for records is received by NHS AA Commissioners for a record that they retain in
their archive, they will be responsible for responding and processing that request.
Requests for records received by Receiving Organisation that contain NHS AA
If a request for records is received by a Receiving Organisation and the records contain NHS
AA information e.g. podiatry record that contains information from when the service was
provided by NHS AA Community Health Services (i.e. prior to April 2011) and now
also contains records from service provided by the Receiving Organisation, then the Receiving
Organisation must ensure that any information in the record that:
      falls within any of the exemptions set out by the Data Protection Act is removed prior to
      could lead to litigation is identified to NHS AA Commissioners for their approval prior to
      contains any contentious statements is identified to NHS AA Commissioners for their
        approval prior to release.
Information must not be released without the consent of the patient or their representative
unless instructed by the courts.
Records requested for Litigation
Records that have been transferred to Receiving Organisations

If a letter of claim is received by NHS AA commissioners and relates to treatment provided to
the patient whilst the service was provided by NHS AA Community Health services but the
records have been transferred to one of the Receiving Organisations then the Receiving
Organisation must make the original records available to NHS AA Commissioners within 14
working days of request.
Requests should be directed to: BB NHS Trust: …………, (e.g. Senior Risk Manager) or CC
Community Health Services: ……….., (e.g. IG & Records Manager)
Records that are retained by NHS AA Commissioners
If a letter of claim is received by one of the Receiving Organisations and the historic records
had not been transferred to the Receiving Organisation or subsequently requested when the
patient is re-admitted into the service but are required for litigation then NHS AA
Commissioners will make the original records available to the Receiving Organisation within 14
working days of the request.
Requests should be directed to ………… at NHS AA Commissioners.
Records requested by Court or Police
Records that have been transferred to a Receiving Organisation
If records held by a Receiving Organisation contain both NHS AA and Receiving Organisation
information, then the Receiving Organisation is responsible for complying with the
order/request and must release historic NHS AA information that is also retained in the records.
Request received by NHS AA Commissioners for records held by Receiving
When a request is received by NHS AA Commissioners that relates to records that have been
transferred to a Receiving Organisation, then NHS AA Commissioners are responsible for
ensuring the Court Order/ Police request is forwarded to the Receiving Organisation within two
working days and the requester is advised on where the information is held and that their
request has been forwarded to the appropriate organisation.
Requests should be directed to: BB NHS Trust: …………, (e.g. Medical Records Manager) or
CC Community Health Services: ……….., (e.g. IG & Records Manager)
Request for records received by Receiving Organisations for records retained by NHS AA
When a request is received by a Receiving Organisation for records that are retained by NHS
AA Commissioners, then the Receiving Organisation is responsible for ensuring the Court
Order/ Police request is forwarded to NHS AA Commissioners within two working days and the
requester is advised on where the information is held and that their request has been
forwarded to the appropriate organisation.
Requests should be directed to ………… at NHS AA Commissioners
Arrangements after abolition of PCTs in 2013
After 2013 when the PCTs are abolished responsibility for the arrangements as listed above
will continue to be carried out by the successor body that has inherited and continues the
statutory functions previously carried out by PCTs.
Signed in agreement by:

         Organisation                      Print Name             Signature          Date
NHS AA Commissioners
BB NHS Trust
CC Community Health Services

                                                                                           Appendix 3
                         External Information Sharing Protocol
This overarching protocol comprises a set of rules that organisations agree to comply with
when sharing personal data. It covers all manual, electronic and oral information.
This protocol is not a licence to share information but a guide that must be followed by all staff.
This overarching document is a Tier 1 document of the 3 Tier health and social care model as
approved by the Department of Health. An agreed approach to information sharing between
organisations should reduce uncertainty amongst staff, allay suspicion from the public and
lessen the frustration felt by those attempting to provide seamless services.
The overarching information sharing protocol is the highest level in the protocol structure (tier
1) and applies generally to the sharing of personal data. The protocol will set out a framework
for the sharing of information to ensure that the confidentiality and integrity of personal
identifiable information is not compromised.
The importance of information sharing
Information sharing must be in the best interests of service users, their carers and families or
the wider public interest.
The purpose of information sharing will either relate to the provision of care, including the
quality assurance of that care, for the individual concerned or will be related to non-care, or
secondary, services – e.g. service evaluation, research, finance or public health work.
Caldicott and Data Protection
When sharing personal identifiable information, NHS organisations must comply with the
Caldicott principles:

1: Justify the purpose for using personally identifiable information.
2: Only use personally identifiable information if absolutely necessary.
3: Use only the minimum data needed for the specific purpose.
4: Restrict access to information only to those who need to know.
5: Individuals should be aware of their responsibilities to keep data confidential.
6: Data should be used and processed in compliance with the law

By signing this agreement, non-NHS organisations are agreeing to meet the Caldicott
requirements with regards to the agreed dataset.
All organisations have to comply with the eight principles of the Data Protection Act:

1. Personal data shall be processed fairly and lawfully
2. Personal data shall be obtained only for one or more specified and lawful purposes and shall not be
   processed in any manner incompatible with those purposes
3. Personal data shall be adequate, relevant and not excessive
4. Personal data shall be accurate and up to date
5. Personal data shall not be kept for any longer than is necessary for the purpose
6. Personal data shall be processed in accordance with the rights of data subjects
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful
   processing of personal data and against accidental loss or destruction of, or damage to, personal
8. Personal data shall not be transferred outside the EEA without adequate protections

Evidence as to how either party is meeting the requirements of the seventh principle must be
produced on reasonable notice.
If the party providing information becomes aware of inaccuracies contained within information
that has already been shared, they will inform the other party so that all records can be
Is a protocol required?
The table below sets out when a protocol is always required and when it is optional.

Recipient organisation is achieving the required level of information governance
     Sharing for care: Sharing protocol is optional.
     Sharing for non-care purposes: Sharing protocol that focuses on the secondary uses in
       question, i.e. the purpose, constraints on re-use of information, retention periods and
       destruction policies is necessary.

Recipient organisation is unable to demonstrate the required information governance performance
     Sharing for care: Sharing protocol that addresses the required information governance
       standards in the recipient organisation and the legal principles that apply is necessary.
     Sharing for non-care purposes: Sharing protocol that addresses the required information
       governance standards in the recipient organisation, the legal principles that apply and
       the additional standards associated with the secondary uses in question, (i.e. the
       purpose, constraints on re-use of information, retention periods and destruction) is
       necessary.

Responsibilities and standards for participating organisations
The signatory organisations listed below will formally adopt this information sharing protocol.
Each organisation will take responsibility for dissemination and implementation of this
In respect of any confidential information received from the other party, each party agrees to
keep the information secret and strictly confidential and will not disclose any such confidential
information to a third party, unless:
     Disclosure is authorised by the prior written consent of the discloser;
     The disclosure is required to make sure the Trust complies with the Freedom of
       Information Act 2000 (FOIA);
     The information is already in the public domain other than by breach of contract or other
       act or omissions of the recipient.
Public authorities are subject to the Freedom of Information Act 2000. Both parties will act in
line with the FOIA and assist the other with requests where necessary.
Each organisation signing this protocol shall have appointed a responsible officer who will
ensure the protection of personal identifiable information e.g. Caldicott Guardian or senior
manager responsible for data protection.
A list of information flows for this instance of data sharing is attached. NHS organisations are
required to review all transfers of personal identifiable information annually.
Each organisation is committed to ensuring staff are appropriately trained in data protection /
Caldicott procedures.

Security of information
Personal identifiable information saved to removable devices such as laptops or USB drives
must be encrypted.
Email will only be used to send sensitive information when both the sender and recipient use accounts.
Fax must only be used when the recipient has a fax machine in a secure area.
Multiple copies of the information shared should not be made as this compromises security.
Termination of this agreement
Any changes to this agreement must be agreed by both parties in writing.
If the party which is the recipient of information should use that information in any way which is
outside of the terms of this agreement or any addition confirmed by both parties, this
agreement will be terminated and information sharing will cease.
If, on review of this agreement, it is clear that the necessity to share information has ceased,
termination must be agreed in writing by both parties. Each organisation will assist in any
review carried out.

                                                                                                                   Appendix 4

              Sample - TCS Pre-transfer Information Sharing Protocol
                   Declaration of acceptance and participation
Information will be shared between: XXXX PCT and
     o    AA NHS Foundation Trust,
     o    BB Health and Social Care NHS Trust,
     o    CC Acute Hospitals NHS Trust,
     o    DD NHS Foundation Trust
Data to be shared
Before a transfer of XX PCT Community Services takes place, patient identifiable data held on
paper records and on systems detailed in the XXXX PCT Systems Catalogue v5.0 will be
accessed by a strictly limited number of staff from the above named Trusts.
Reason for sharing information
To develop an understanding of how the systems work.
The following staff will have access to the information:
    Community Services
    Choose & Book
    Human Resources
    IM&T
    Any other authorised user

Destruction details
Once the purpose for information sharing has ended, and where appropriate to do so,
information will be disposed of in accordance with NHS and legal requirements (NHS Code of
Practice and NHS Retention & Disposal Policy).

Signed by

Signed . . . . . . . . . . . . . . . . . . . . . . . Print Name . . . . . . . . . . . . . . . . . . . . Date . . . . . . .
Position . . . . . . . . . . . . . . . . . . . . . . .
On behalf of XX PCT

Signed . . . . . . . . . . . . . . . . . . . . . . . Print Name . . . . . . . . . . . . . . . . . . . . Date . . . . . . .
Position . . . . . . . . . . . . . . . . . . . . . . .
On behalf of recipient Trust

            Sample - TCS Post-transfer Information Sharing Protocol
                 Declaration of acceptance and participation
Information will be shared between:
     o    AA NHS Foundation Trust,
     o    BB Health and Social Care NHS Trust,
     o    CC Acute Hospitals NHS Trust,
     o    DD NHS Foundation Trust
Data to be shared
Following the transfer of community services, patient identifiable data held on paper records
and on systems detailed in the XX PCT Systems Catalogue v5.0 will be accessed by a strictly
limited number of staff from the above named Trusts.
Reason for sharing information
To provide community services, each of the above Trusts needs access to the above systems
formerly controlled by XX PCT.
Each Trust must ensure that staff are reminded they must only access information for work
purposes and in relation to patients they are involved in the care of.
Each Trust is responsible for the data relating to their own patients. The accuracy and security
of the information must be maintained by the individual Trust.
Staff having access to these systems must sign a confidentiality agreement.
The following staff will have access to the information:
    Community Services
    Choose & Book
    Human Resources
    IM&T
    Any other authorised user

Destruction details
Once the purpose for information sharing has ended, and where appropriate to do so,
information will be disposed of in accordance with NHS and legal requirements (NHS Code of
Practice and NHS Retention & Disposal Policy).
If a system is to be replaced this will be discussed jointly with each Trust represented.

Signed by

Signed . . . . . . . . . . . . . . . . . . . . . . . Print Name . . . . . . . . . . . . . . . . . . . . Date . . . . . . .
Position . . . . . . . . . . . . . . . . . . . . . . .
On behalf of <recipient Trust>

                Sample - TCS Project Confidentiality Agreement
The Data Protection Act 1998 requires that all organisations processing personal data keep this
information safe and secure. XXXX PCT is required to ensure that it complies fully with all its
legal obligations in this area, including data protection, and the need to respect patients' and
staff’s legitimate expectations of confidentiality. Everyone with access to personal data must
accept their responsibility to uphold the requirements of data protection and confidentiality.
On this basis, I agree that any personal or other sensitive information that I receive whilst
working at XXXX PCT will be used solely for the purposes of carrying out my role as part of the
Transforming Community Services project. I will not use, store, share or disclose any
information obtained as part of this process for any other reason, unless with the express
authority of XXXX PCT. This includes any transfer of recorded information, and any verbal
I will report all potential or actual breaches of confidentiality / Data Protection Act (1998) to my
local Information Governance Lead, including the loss, theft or damage of any documents
containing personal data I obtained during my visit / work.
I will not store personal data or other sensitive information on a portable device unless it is
absolutely necessary and the device is encrypted.
I will only email personal or other sensitive information with appropriate security / in accordance
with the policy of my Trust.
I understand that I owe a duty of confidentiality to any individual whose data is discussed or
referred to in any meetings, correspondence, documentation or data that I receive or handle.
I will not use any personal information that I receive or gain access to for any other purpose, or
divulge it to any third party.
I will dispose of any documents containing personal or confidential information securely as
soon as my use of them is complete, unless XXXX PCT requires me to return them.
This agreement does not apply to any document or information that I can reasonably establish was in my
possession or known to me before the date of this agreement or which becomes public
knowledge otherwise than as a result of a breach of any of the above agreements.


 Print Name
 Job Title / Designation

                                                                  Appendix 5

    IG related policies and procedures that may be affected by TCS
IG component of Informatics Strategy
IG Strategy
IG Policies
IG Work plans
Information security policy
Network security policy
Remote access security policy
De-identification/pseudonymisation policy for secondary uses
Document storage policy
Housekeeping and anti-virus policies
Registration Authority
Acceptable Use policy
Usage policy – acceptable use of email
Usage policy – internet
Usage policy – mobile phone
Usage policy – telephone usage
Printing policy
Home-working policy
Data Controller
Data Processors
IG Toolkit - assessment
Information Asset & IA Owners Lists (IAO)
Senior Information Risk Owners Lists (SIRO)
Serious Untoward Incidents/ SUI reporting
Scope of record access (e.g. limit re MH)
Subject Access Requests (SARs) procedures
Section 10s procedures
Fair processing notices
Secure transfer of records
IG Training
