Term: Healthcare Medical Purpose (aka “primary uses”)
Description: Includes the uses which directly contribute to the diagnosis, care and treatment of an individual and the Audit/Assurance of the quality of healthcare provided. In these cases person identifiable data can be used, but only the minimum amount of data should be used, and appropriate safeguards should be in place.

Term: Non-Healthcare Medical Purpose (aka “secondary uses”)
Description: Includes the Management of Health Care Services, Preventative medicine, medical research, financial audit and the management of health [and social] care services. In these cases generally “effectively anonymised” data should be used, unless consent has been gained from the patient or there are special circumstances, such as an overriding public interest, or a route such as via Section 251 of the ▇▇▇ ▇▇▇ ▇▇▇▇ or the Health Service (Control of Patient Information) Regulations 2002. However, current constraints on data quality reduce the ability to carry out such activities using effectively anonymised data, with the consequence that central NHS policy objectives cannot be realised. In the interim period, therefore, where data and business processes are being refined in order to enable the use of effectively anonymised data, it may be necessary to use person identifiable data temporarily. However, the amount of person identifiable data used should be minimised, and appropriate safeguards should be in place.

Relevant legislation and other standards for information sharing:

Data Protection ▇▇▇ ▇▇▇▇
Human Rights ▇▇▇ ▇▇▇▇
Common law duty of confidentiality
Freedom of Information ▇▇▇ ▇▇▇▇
Access to Health Records ▇▇▇ ▇▇▇▇
Caldicott Guardian Manual 2010
Confidentiality NHS Code of Practice 2003
Confidentiality NHS Code of Practice – Supplementary Guidance: Public Interest Disclosures 2010
NHS Act 2006 (Section 251)
NHS Information Governance Toolkit
The Health Service (Control of Patient Information) Regulations 2002
AIDS (Control) ▇▇▇ ▇▇▇▇; NHS (Venereal Diseases) Regulations 1974; ▇▇▇ ▇▇▇ ▇▇▇▇, NHS Trusts and Primary Care Trusts (Sexually Transmitted Diseases) Directions 2000. [Legislative amendments are necessary to reflect organisational change.]
Human Fertilisation and Embryology ▇▇▇ ▇▇▇▇: ss 31 & 33; Human Fertilisation and Embryology (Disclosure of Information) ▇▇▇ ▇▇▇▇.
Information Commissioner’s Data Sharing Code of Practice (See Appendix 3 for checklist)

Appendix 3 – Information Commissioner’s Data Sharing Guide

Objective of data sharing YES/NO
Data Protection Notifications exchanged between the parties YES/NO
Privacy Impact Assessment or risk assessment conducted YES/NO
Potential benefits and risks for society of sharing and not sharing YES/NO
Minimum necessary dataset used YES/NO
Is the use of personal data necessary YES/NO

Appendix 4 – Definitions

AES 256 bit encryption
Advanced Encryption Standard 256 bit encryption has been made mandatory for healthcare related data by the NHS.

Anonymisation does not enable the linking of data to the same subject across several data records, or information systems. Consequently it is impossible to re-identify anonymised data. (source ISO/TS 25237:2008)

Data Controllers in Common
In relation to data controllers, the term jointly is used where two or more persons (usually organisations) act together to decide the purpose and manner of any data processing. The term in common applies where two or more persons share a pool of personal data that they process independently of each other.

Data Controller
A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. (source Data Protection Act 1998)

Data Processor
In relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller. (source Data Protection Act 1998)