At DHU Healthcare we recognise the importance of sharing information while protecting privacy. Our commitment to data protection and good practices is outlined in this charter.

It sets guidelines for working with partners and suppliers, ensuring personal data is handled securely. We prioritise proportionate data protection based on the expectations of data subjects, the sensitivity of the data, and the potential consequences of its loss or misuse. The charter includes an information sharing agreement template, documenting the purpose, lawful basis, and operational arrangements for using personal data across organisational boundaries.

Please note, this charter provides guidance and doesn't constitute a contractual agreement.

Across DHU we recognise that the sharing and processing of information is essential for delivering services and improving outcomes for the communities and individuals we serve. We take our data protection responsibilities seriously and recognise that there is a balance between the need to use and share information and maintaining the rights and privacy of individuals.

This charter sets out our commitment to protecting personal data and ensuring good practice in our processing when working with partners, suppliers, and processors.

The level of protection for data will be proportionate to the expectations of the data subjects, the sensitivity of the data and the likely consequences of its loss or misuse.

The charter includes an information sharing agreement template which can be used to document the purpose, lawful basis, and operational arrangements for the use of personal data by partners, across traditional organisational boundaries, to achieve outcomes and deliver services.

This charter is for guidance only and does not constitute a contract between those adopting it.

This charter applies where personal data is exchanged with partners exercising joint control over the data, as well as to data processing arrangements in which one party processes data on behalf of, or under the instructions of, the other.

Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal data does not have to be confidential or private and could relate to anyone, including service users, employees, etc.

Through this charter we commit to work to the data protection principles in the Data Protection Act 2018 and related data protection and information governance legislation, codes of practice and good practice, unless more stringent local law applies. These principles represent the minimum standard we will work to, and we expect our delivery partners, suppliers and service providers to work to the same minimum standards. This means that in any data sharing or data processing arrangement, personal data will:

Be collected and used in ways that are lawful, fair and transparent – individuals will be told about what we do with their data and who we will disclose it to; it will only be used in ways they might reasonably expect; and nothing will be done with the data that would have an unjustifiably adverse effect on them.

Be collected and used only for specified and legitimate purposes – nothing will be done with the data that is incompatible with the purposes it is held for, unless required by law.

Be adequate, relevant, and limited to what is necessary for the purpose – an approach of data minimisation will be followed with data only collected and used that is necessary to meet the specified purpose. Wherever possible statistical, aggregated, or anonymised information will be used to reduce the risk of individuals being identified.

Be maintained to appropriate quality standards – arrangements will be in place to ensure the accuracy of data, including for correcting inaccurate data and keeping it up to date where necessary.

Be kept for no longer than is necessary – data will be managed in accordance with agreed retention standards, with arrangements in place for the de-identification of data / secure and confidential disposal.

Be protected from unauthorised use and disclosure and against accidental loss, destruction and damage – appropriate technical and organisational measures will be in place to keep data protected and secure, and these will be regularly tested, assessed and evaluated for continued effectiveness. Examples include access controls; audit trails; business continuity plans; network controls; robust policies and procedures; designated information governance roles and responsibilities (Senior Information Risk Owner, Data Protection Officer, Caldicott Guardian); training and awareness-raising activities for employees and those acting on behalf of the organisation; and the pseudonymisation and encryption of personal data.

Be handled in line with the individual's rights – arrangements will be in place to ensure the rights of individuals are respected and can be exercised. The capacity of individuals, including children and vulnerable adults, to exercise their rights will be considered on a case-by-case basis. Considerations of confidentiality and privacy will not automatically cease on death.

Not be transferred to other countries unless there is adequate protection for the rights of individuals in relation to their personal data – assurance of that adequate protection exists must be received before making such transfers. Shared personal data will not be transferred to other countries without first notifying the original data controller unless the transfer has already been agreed or is clearly implied by the circumstances.
 
Data controllers and processors are required to be able to demonstrate compliance with the principles. Partners will therefore ensure documented evidence is maintained of the steps taken to comply with the requirements of the Data Protection Act 2018 and other data protection legislation, and will co-operate with each other where required.

When engaging data processors, only processors providing sufficient guarantees to implement appropriate technical and organisational measures to meet data protection legislation requirements and ensure the rights of the data subject will be used; and a written contract must be in place.

Data breaches, complaints, and the exercise of data subject rights (including subject access and information requests) will be handled in accordance with the established procedures of the partner identifying the incident or receiving the request, and promptly notified to other relevant partners where necessary and relevant.

If a breach is severe enough to require reporting to the ICO (Information Commissioner's Office), this must be done without undue delay and within 72 hours of the breach being identified.

Many partners will be subject to the provisions of the Freedom of Information Act 2000 and the Environmental Information Regulations 2004, which give a general right of access to the information they hold. Any requests for information in relation to the charter or information sharing agreements will be processed in accordance with legal and statutory obligations, following the receiving partner's established procedures and, where appropriate, jointly with partners.

It is recognised that in certain circumstances the processing of personal data may be affected by the exemptions in the Data Protection Act 2018, which might affect the commitments and expectations set out above; for example, the prevention of crime or the collection of taxes and duties. Where this is the case, consideration will be given as to whether additional safeguards need to be put in place.

Information Commissioner's Office website: https://ico.org.uk/

For more information about the charter please email: information.governance@dhuhealthcare.nhs.uk

This statement was reviewed and approved in June 2023.