Keeping your information secure

Confidentiality affects everyone.

The Trust collects, stores and uses large amounts of personal and special category personal data every day, such as medical records, personal records and computerised information. This data is used by many people in the course of their work.

We take our duty to protect personal information and confidentiality very seriously. We are committed to complying with all relevant legislation and to taking all reasonable measures to ensure the confidentiality and security of the personal data for which we are responsible, whether computerised or on paper.

Data Protection Officer (DPO)

The Trust must have procedures in place to make sure that the DPO is consulted on all data protection matters at an early stage (as part of privacy by design and default).

The Trust must ensure that the DPO role is independent, free from conflict of interest and reports directly to the highest management level of the organisation – there are specific roles that the DPO cannot perform in conjunction with this new role.

The DPO must have expert knowledge of data protection law and practices and the ability to acquire a detailed understanding of the organisation’s business and the purposes for which it processes, or intends to process, personal data. The DPO’s responsibilities include:

  • Informing and advising organisations about complying with GDPR and other data protection laws
  • Monitoring compliance with GDPR and data protection laws, including staff training and internal audits
  • Advising on and monitoring data protection impact assessments
  • Cooperating with the ICO
  • Being the first contact point for the ICO and citizens in terms of data processing

The Trust’s Data Protection Officer is Anita Davenport, interim Company Secretary and Performance Manager, email soh-tr.dpo@nhs.net.

Senior Information Risk Owner (SIRO)

The Senior Information Risk Owner should be an executive director or other senior member of the board (or equivalent senior management group/committee).

The SIRO may also be the Chief Information Officer (CIO) if the latter is on the board but should not be the Caldicott Guardian, as the SIRO should be part of the organisation’s management hierarchy rather than being in an advisory role. The key responsibilities of the SIRO are to:

  • Oversee the development of an Information Risk Policy, and a strategy for implementing the policy within the existing Information Governance framework
  • Take ownership of the risk assessment process for information and cyber security risk, including review of an annual information risk
  • Review and agree action in respect of identified information risks
  • Ensure that the organisation’s approach to information risk is effective in terms of resource, commitment and execution and that this is communicated to all staff
  • Provide a focal point for the resolution and/or discussion of information risk issues
  • Ensure the board is adequately briefed on information risk issues
  • Ensure that all care systems information assets have an assigned Information Asset Owner

The Trust’s Senior Information Risk Owner is Steve Shanahan, Director of Finance.

Caldicott Guardian

The Caldicott Guardian is a senior person within a health or social care organisation who makes sure that the personal information about those who use its services is used legally, ethically and appropriately, and that confidentiality is maintained.

Caldicott Guardians provide leadership and informed guidance on complex matters involving confidentiality and information sharing.

The Trust’s Caldicott Guardian is Terry Hankin.