The obtaining, processing and sharing of patient/hospice data must be justified and logged. All colleagues of the Hospice must ensure that they comply with the requirements of the GDPR.
We must also follow the Data Protection guidelines in the Hospice Data Policy, which states that information must be:
• Processed fairly and lawfully and shall not be processed unless certain conditions are met
• Processed in accordance with the data subject's rights under the 1998 Act
We must be able to demonstrate compliance with GDPR by:
• Fully observing conditions regarding the fair collection and use of information
• Meeting our legal obligations to specify the purposes for which information is used
• Collecting and processing only appropriate information, and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements; and evidencing the processing of each activity
• Taking appropriate measures to safeguard personal information
• Ensuring our processes enable people to exercise their rights under the Act (these include: the right to be informed that processing is being undertaken; the right of access to one's personal information; the right to prevent processing in certain circumstances; the right to correct, rectify, block or erase information which is regarded as wrong)
• Ensuring information is correct and accurate
• Applying audit checks to determine the length of time information is held
• Ensuring personal information is not transferred abroad without suitable safeguards.
Information must not be shared with other staff, or with the patient's/client's family, carers or other persons, without the express permission of the patient/client. The only exception to this shall be where it is necessary to share information between clinicians to protect the health and wellbeing of the patient/client or of others. Such disclosure must be limited and appropriate. A note of such disclosure, the date, purpose and recipients, together with any record of consequence or response, must be added to the patient/client notes within 24 hours of the disclosure. Personal information and data will not be sent to the CCGs.
Should information be passed to an authorised person, internally or externally, those sharing it must confirm the identity of the recipient and ensure that they have a valid need for the information, are aware that it is confidential, and will deal with it appropriately and safely.