Data Handling and Privacy Information Policy
How we will handle the information you provide to the Investigation
Wednesday, 28 July 2021
Introduction
- This policy sets out the approach the Independent Investigation into East Kent Maternity Services (“the Investigation”) will take in order to ensure that organisations holding relevant information (contributing organisations), the families and the public, and other individuals such as healthcare professionals, know how the Investigation is going to handle information appropriately and to comply with information legislation so that there is clear understanding about how information made available to the Investigation will be dealt with.
- This policy covers a wide range of documents gathered and created during the Investigation and anything in which information of any description is recorded, whether in paper or electronic form. This may include but not limited to – medical records, death certificates, statements, investigations, reports, recordings and transcripts of evidence sessions, internal or external letters/emails, notes of phone calls and other interactions, corporate documents, policy documents, meeting notes and minutes, information from websites, guides/codes of conduct, and articles.
- This policy may be amended, as necessary, to ensure it reflects any changes in our practices or to mention new types of information handled by the Investigation. If the policy is amended, the revised version will be published on the Investigation’s website www.iiekms.org.uk. A copy of the Investigation’s policy on the processing of special category and criminal convictions personal data is available on request.
Data Protection registration
- The Investigation will comply with the requirements of the General Data Protection Regulations and the Data Protection Act 2018 and is registered with the Information Commissioner’s Office as a data controller, because the Investigation decides how personal and ‘special category’ (i.e., sensitive) personal data are processed. Details of the Investigation’s registration, No. ZA768950 can be viewed at www.ico.org.uk.
Legal requirements for information management and privacy
- The Investigation complies with Data Protection legislation and the Public Records Act 1958. Data Protection legislation includes the Data Protection Act 2018, and the General Data Protection Regulation applicable from 25 May 2018. We also observe common law duties of confidentiality.
Lawful basis and purposes of processing personal data
- The Investigation collects and uses, and will in time destroy, personal information and sensitive personal information, for the purposes of fulfilling the investigation’s terms of reference, which will be published on our website at www.iiekms.org.uk.
- The legal basis for the Investigation’s use or ‘processing’ of personal information is as follows:
- Personal information is processed because it is necessary to enable the Investigation to carry out its work in the public interest and in the exercise of a statutory function, in this case the functions contained in The National Health Service Trust Development Authority Directions and Revocations and the Revocation of the Imperial College Healthcare National Health Service Trust Directions 2016 (article 6(1)(e) of the GDPR).
- Sensitive personal information is processed because it is necessary to enable the Investigation to carry out its work for reasons of substantial public interest and in the exercise of a statutory function (article 9(2)(g) and/or 9(2)(h) of the GDPR).
- Families engaging with the Investigation have given their explicit consent (article 6.1 (a) and 9 2(a) of the GDPR) to the use of their information for the Investigation’s purposes. In the case of personal information these purposes are:
- To read and analyse the information provided, to improve our understanding of the issues raised, and to make findings and reach conclusions, as required by our Terms of Reference:
- To use the information to develop questions or issues for other witnesses or organisations to answer or explore with the Investigation;
- To count the submission(s) as having been received by the Investigation, when describing how we carried out our work, in the final Report.
Types of personal and sensitive personal data processed
- The Investigation collects and uses personal data of various types, including contact details, family details, employment and education details, lifestyle and social circumstances.
- Some types of data fall into the class of “sensitive” or “special category” data, which require additional safeguards to be put in place. Examples include physical health and mental health details and records; outcomes and sentences; and disciplinary or regulatory breaches including alleged breaches and outcomes.
- The electronic document management system that will be used by the Investigation will follow an accreditation process, ensuring it is secure to hold documents with a protective marking up to, and including, Restricted/Official Sensitive.
Security and confidentiality
- Only members of the Investigation team will have access to personal information. All members of the Investigation team are aware of their obligations and responsibility when handling personal and confidential information. They are subject to employment, contractual or other professional obligations regarding confidential and official information, both during their engagement by the Investigation and afterwards. They will also be required to sign a confidentiality agreement.
How we store your information
- All personal and sensitive personal information is appropriately password- protected (if electronic), stored in secure, locked locations (if hardcopy) and appropriately handled to prevent loss or inappropriate access.
- All the Investigation’s IT has been sourced through government contracts, includes security measures appropriate to the sensitivity of the information held on it and has been / will be subject to appropriate accreditation processes.
- Within the Investigations’ offices, there are secure locks to prevent unauthorised access. Working outside the office is limited to the use of an electronic document and records management system (EDRMS) with appropriate access controls in place.
Sharing information
- The Investigation will hold the personal information provided by all contributors to the investigation and use it for analysis for the purpose of fulfilling its terms of reference.
- However, at times, the Investigation may need to share personal information with those outside of its team. Persons that information may be shared with in this way could include:
- Persons of interest to the Investigation, particularly those potentially subject to criticism, in order to explore issues raised by the personal information and in the interests of fairness and justice; and / or
- A relevant employer, professional or quality regulator, the police or prosecuting authorities, if the Investigation receives information that indicates a criminal or disciplinary offence by someone, or if it is ordered by a Court to disclose information.
- In the circumstances set out at (a), the Investigation will consider whether anonymised information only could be shared. If not, it will contact you (that is, the person whose personal details it is considering sharing), to seek your views on the proposed sharing. It will not share information in this way unless it is satisfied that it has either your agreement (consent), or it would still be lawful to share the information without your consent, because it is necessary for its work.
- Equally, if the Investigation wishes to share information about you with the police or regulatory authorities because it is concerned that it has received information suggesting a criminal offence or misconduct (see (b) above), it will seek your permission to do so. However, it will have to pass on your name, contact details and other relevant information without your permission, to the police or other relevant authorities, if it believes that there is a risk of serious harm to someone, where required by law, or if it is ordered by a court to do so.
Anonymity and redaction
- Documents provided to the Investigation may contain large amounts of personal information. A central purpose of redaction is to protect, where it is appropriate to do so, the identities of people and their personal information.
- Redaction may also be used to exclude information which (i) is not relevant to the Investigation’s Terms of Reference, or which (ii) is said by the provider of the information, or by any other person sufficiently affected, to be confidential or otherwise unsuitable for publication for a good and substantial reason.
- The Investigation’s wish is that documents should be supplied to it without redactions, but accompanied by a letter or email, where applicable, which sets out what information is regarded as unsuitable for publication.
- If, contrary to the above, documents are provided to the Investigation in a form that has been redacted by their provider, then the Investigation will examine the documents and any justification for withholding material that has been put forward. The Investigation may request further information from the provider, as appropriate.
Freedom of Information Act 2000 and the General Data Protection Regulations
- Subject to the operation of the Freedom of Information Act 2000 (“FOIA”) and of the General Data Protection Regulations, the personal testimonies, supporting documents and any other written statements received in evidence will remain confidential, except as described above.
- If a request for access to an individual’s statement, or documentary or other information held by the Investigation is made by any other person, whether under the Freedom of Information Act 2000 (FOIA) or otherwise, the Investigation will seek legal advice on whether or not it is subject to disclosure obligations under FOIA or under any other legal enactment.
- Certain documents in the possession of the Investigation would generally be regarded by the Investigation as exempt from disclosure under FOIA, by virtue of the confidential setting in which the information was given and received, and also by virtue of the fact that the content is likely to amount to the ‘personal data’ of the individual or others, under the General Data Protection Regulations and Data Protection Act 2018. In addition, when patients are interviewed, or the care of a living patient is discussed, information about care or treatment will amount to “special category” data (i.e., sensitive data) under these legal provisions. As a result, and subject to any legal advice that may be taken on individual cases, the Investigation believes that it would generally be in the public interest to resist requests for disclosure of the information to third parties. If the circumstances of a particular case or legal advice received suggest that an exception to that approach might be appropriate, affected individuals would be asked for their views.
- The Investigation notes, however, that decisions which it may reach on disclosing or withholding information are subject to rights of appeal and to decisions by the Information Commissioner, courts or tribunals service; these bodies may reach decisions concerning the application of FOIA and the General Data Protection Regulations which will bind the Investigation.
Retention and destruction of documents
- During the course of the Investigation, only information that is required for the purposes of fulfilling the Investigation’s terms of reference will be retained. Information will not be kept longer than necessary.
- The Investigation will publish a report of its findings and recommendations. Once it has done this, the Investigation will hand over to the NHS England and NHS Improvement a set of documents for the record. If necessary, redactions to documents will be made in accordance with Data Protection legislation and any other legal obligation of confidentiality.
- Contributing organisations must ensure that they retain original versions of all documents relevant to the Investigation’s work and that any information supplied to the Investigation is not destroyed before it has completed its work; where appropriate advice should be sought from the Investigation Secretariat.
- The Investigation will destroy digital recordings, and the Investigation ’s copy of transcripts of evidence sessions, within 3 months of publishing its final report, unless required by any ongoing litigation or legal process of investigation to retain such information.
- We will similarly destroy all other documents gathered and created during the course of the Investigation to record evidence received and heard and personal testimonies save where the Investigation has received a request to return an original document submitted in evidence, or where the document is retained for the record.
What are your rights?
- You have the right to a copy of personal information that the Investigation holds about you, or to ask for corrections or deletion of the personal information held. Requests should be made to the Investigation’s Data Protection Officer, as below. The Investigation does not charge for supplying a copy of the information held.
- If you are unhappy about the way the Investigation uses your personal information, you have the right to complain to the Investigation’s Data Protection Officer using the contact details listed below.
- You also have the right to complain to the Information Commissioner’s Office (more information is available at https://ico.org.uk/for-the-public/raising-concerns/
Further information
- To cater for those without internet access/ email we will post, on request, a copy of this policy “Data Protection and Privacy Information – How we will handle the information you provide to the Investigation.”
- Any enquiries regarding this policy or information held by the Investigation should be directed to:
- By post to: Deputy Secretary, Independent Investigation into East Kent Maternity Services, Regus-Panorama, Park Street, Ashford, TN24 8DF.
- By email: contact@iiekms.org.uk
- By telephone: 01233 227709