Information governance policy

Consultants, contractors and volunteers (including trustees) of the charity will be required to comply with the content of this policy.

Our commitment

We are committed to the values of integrity, accountability and openness. We are also committed to ensuring the safety of personal data and to enforcing the message that misuse of personal data within the organisation is not acceptable and will not be tolerated.

We will act in compliance with current guidelines and best practice to provide high quality, timely, accurate and secure information.

This policy will outline our methods of managing and ensuring the security of personal data and health information.

Purpose of the policy

Information governance is a framework for handling and managing information to ensure appropriate and reliable collection, storage, processing, access, security and confidentiality.

This policy aims to ensure that all Action Kidney Cancer consultants, contractors, volunteers and trustees are aware of their individual responsibilities in relation to the management and governance of information.

The guidelines within this policy cover all types of information retained by Action Kidney Cancer. This includes but is not limited to information held in:

  • Electronic equipment such as computers, tablets, smart phones, dictation equipment, MP3 players and cameras
  • Paper-based records.

The information/data covered by this policy includes, but is not limited to the following:

Personal data constitutes all information that:

  • Can be used to identify an individual
  • Can be combined with other information to identify an individual

Sensitive personal data relates to any identifiable information regarding the subject’s:

  • Racial or ethnic origin
  • Political opinions
  • Religious belief or similar
  • Trade union affiliation
  • Information relating to an individual’s sexual orientation
  • Commission or allegation of any offence

Action Kidney Cancer data relates to any sensitive organisational information, including:

  • Meeting schedules, agendas and minutes of trustees’ meetings
  • Financial accounts
  • Contracts
  • Policies and procedures

Failure to follow this policy could result in contractual/agreement action.

Our policy

This policy will establish a consistent approach by which we address all aspects of the management of information, including generation, collection, processing, access, use, storage and ultimately disposal. It will do this by:

  • Requiring that information is kept confidential in line with the requirements of the Data Protection Act 2018
  • Establishing mechanisms for members of the Action Kidney Cancer community to access their own information and easily update it, with clear procedures and arrangements for handling queries from members
  • Ensuring that members have given appropriate consent for the collection and processing of their personal data/information
  • Establishing a procedure for the deletion of personal data/information that is no longer of use to Action Kidney Cancer, or at the request of members of the Action Kidney Cancer community when consent is withdrawn
  • Ensuring that processing of personal data/information is stopped at the request of members of the Action Kidney Cancer community
  • Ensuring Action Kidney Cancer has clear procedures and arrangements for handling information requests from the press and broadcasting media
  • Establishing mechanisms to allow the purpose and quality of Action Kidney Cancer information to be monitored and maintained, and to ensure that it is appropriate for the purposes intended
  • Making every effort to follow the recommendations and principles set out by the National Data Guardian.

This policy applies to all consultants, contractors and volunteers working with Action Kidney Cancer, including trustees.

It is the policy of Action Kidney Cancer to ensure that:

  • Information is protected against unauthorised or unlawful access
  • Confidentiality of information is assured
  • Technical integrity of information is maintained
  • Regulatory requirements and guidelines are met
  • Information technology systems are used in a manner that prevents the release of information (by accident or deliberate/criminal act), ensures their safe use, and avoids damage to the specific system or any other system to which it is connected
  • Information that can be used to identify a person, including confidential information about that person, business information, and confidential corporate information, is restricted to authorised users only
  • All consultants, contractors, volunteers and trustees working with Action Kidney Cancer are to be made aware of this Information Governance Policy so that an assurance can be provided that they understand the policy.

All breaches of information security, actual or suspected, will be reported to and reviewed by the Board of Trustees.

Roles and responsibilities

A member of the Board of Trustees will be appointed to have overall responsibility for information governance within Action Kidney Cancer, and to advise the board on the effectiveness of information risk management across the organisation. This person will also act as the Data Protection Officer and be responsible for ensuring consultants, contractors and volunteers working for Action Kidney Cancer comply with the requirements of the Data Protection Act 2018 and other mandatory national standards and processes.

All consultants, contractors, volunteers and trustees operating on behalf of Action Kidney Cancer are required to comply with the guidelines of the Data Protection Act 2018 when dealing with sensitive personal data, and the requirements of this Information Governance Policy. They are responsible for protecting the integrity, security and confidentiality of personal data/information (both manual and electronic), and for ensuring that any personal information gathered in the course of their work is only used for the stated purpose of gathering the information and is kept secure.

An external IT consultancy will provide robust security measures to adequately support the Action Kidney Cancer server holding all personal data/information. The IT consultancy will also be responsible for anonymisation and pseudonymisation of personal data for transfer to external organisations for data management, analysis and reporting. The IT consultancy will provide assurances to the Board of Trustees, including the processes used for anonymisation and pseudonymisation of personal data.

Policy effect

Action Kidney Cancer will:

  • Establish and maintain policies and procedures to ensure compliance with the Data Protection Act 2018, the Common Law Duty of Confidentiality, and any other legislation that is relevant to the processing of personal information
  • Establish mechanisms to ensure that consultants, contractors, volunteers and trustees are aware of and understand their responsibilities
  • Recognise the need for an appropriate balance between openness and confidentiality in the management and use of information
  • Be publicly accountable and ensure that the principles of corporate governance are fully supported
  • Regard person identifiable information relating to the members of Action Kidney Cancer and their relatives as confidential, except where there is an overriding legal requirement to share information
  • Regard person identifiable information about consultants, contractors, volunteers and trustees as being confidential, except board members that may require otherwise, and where legislation permits
  • Recognise that equal importance must be placed on the need to ensure high standards of data protection and confidentiality to safeguard both personal data/information and Action Kidney Cancer data
  • Comply with the appropriate legal and regulatory frameworks and guidelines relating to the Data Protection Act 2018 and the Common Law Duty of Confidentiality.

Protection of information

This includes the maintenance of standards associated with the Data Protection Act 2018 and the Common Law Duty of Confidentiality.

High standards within this area will be ensured by Action Kidney Cancer through:

  • Maintenance of policies to effectively incorporate the requirements of key legislation within Action Kidney Cancer’s processes for the effective and secure management of information
  • Promotion of effective confidentiality, data protection and security practice to consultants, contractors, volunteers and trustees through policies and procedures.

Data security arrangements

  • Manual paper records containing person identifiable information should be stored in locked cabinets
  • Access to any computer or tablet must be password protected, and the password must not be shared. Computers and tablets should not be on view or accessible to unauthorised persons, and password-protected screen savers should be in use
  • Personal data/information must be held on the Action Kidney Cancer server, not stored on local hard drives. Action Kidney Cancer consultants, contractors, volunteers and trustees must be aware of the high risk of storing information locally and take appropriate security measures
  • Personal data/information sent by email must be safely stored and archived. Great care should be taken in sharing personal data/information via email – it should be password protected and procedures undertaken to ensure that the correct person has received it.

Systems and applications

The following rules must apply:

  • Consultants, contractors, volunteers and trustees who require access to Action Kidney Cancer’s systems must be appropriately authorised
  • Levels of access to Action Kidney Cancer’s systems must be given based upon the role of the consultant, contractor or volunteer
  • Access to Action Kidney Cancer’s systems will be given on a need-to-know basis and such access will be recorded
  • Password access is given to individuals; authorised consultants, contractors and volunteers should not under any circumstances allow their access to be used by others.

Anonymisation

Anonymisation is a process by which identifiable information is removed from data so that the individuals from whom the information was collected remain anonymous. If personal data is shared, either internally or externally, all identifying factors should be removed.

Pseudonymisation

Pseudonymisation is a process by which a pseudonym is applied to identifiable data for the purposes of sharing the data. If personal data is shared, either internally or externally, all identifying factors should be removed.

Sharing information with external organisations

When sharing personal data with external organisations, Action Kidney Cancer must seek assurance that these organisations have appropriate processes for receiving personal data. Action Kidney Cancer must be assured that these organisations will comply with the requirements of this policy, and meet legislative and related guidance requirements relating to the Data Protection Act 2018 and the Common Law Duty of Confidentiality.

Consultants, contractors, volunteers and trustees sharing personal data with other organisations should be aware of the agreements between Action Kidney Cancer and the organisation concerned.

Action Kidney Cancer will:

  • Be responsible for the pseudonymisation of personal data before the data are shared with external organisations
  • Support the transition processes of pseudonymised personal data back to identifiable data, if subsequently required
  • Only supply identifiable personal data to consultants, contractors, volunteers or trustees authorised to use these data
  • Be responsible for most of the inter-organisational communication and transfers of pseudonymised personal data to external organisations.

Monitoring and review

This policy will be monitored by the Action Kidney Cancer management team biennially to judge its effectiveness and will be updated in accordance with changes in the law as appropriate. We will report to the Board of Trustees on any actions or activities undertaken that are covered by this policy. Any information provided by consultants, contractors, volunteers, trustees, or members of the Action Kidney Cancer community for monitoring purposes will be used only for these purposes, and will be dealt with in accordance with the Data Protection Act 2018.

Policy Updated: January 2022

Next Review: January 2024