NHS England Cybersecurity Quiz

FlawlessMountainPeak

26 Questions

Match the following breaches of patient confidentiality with the events:

Richard Hammond = 300 medical staff accessed his records over a 24-hour period
Ed Sheeran = Two staff were disciplined for inappropriately accessing his records

Match the following syllabus numbers to their descriptions:

9.1 = Legal basis
9.5 = Data protection legislation
9.6 = Patients' rights of access to health records and medical reports
9.8 = Confidentiality after death

Match the following concepts with their definitions:

Confidentiality and Disclosure = Understanding the rights and responsibilities of sharing sensitive information
Data Protection & General Data Protection Regulation (GDPR) = Legislation that regulates the use and storage of personal data
Child Protection = Policies and procedures to protect children from harm
Confidentiality and the Deceased Patient = Understanding the rights and responsibilities of sharing sensitive information of a deceased patient

Match the cases with their respective outcomes:

W v Egdell = REAL risk of SERIOUS harm must be present
Palmer v Tees Health Authority = Health Authority was not negligent for failing to restrict the freedom of the patient
Tarasoff v Regents of the University of California = Therapist was at fault for not informing the potential victim

Match the public interest disclosures with their respective definitions:

To prevent harm to others = A REAL risk of SERIOUS harm must be present
To prevent or detect crime = Acts that may involve criminal activities should be reported
Teaching, research and audit = Educational and research purposes

Match the cases with their respective key elements:

W v Egdell = Consideration of a REAL risk of SERIOUS harm
Palmer v Tees Health Authority = Negligence in managing a psychiatric patient
Tarasoff v Regents of the University of California = Failure to inform a potential victim

Match the following regulations to their respective governing bodies:

Data Protection Act = ICO
Freedom of Information Act = ICO
Environmental Information Regulations = ICO
NHS Code of Practice = Department of Health

Match the following cases to their outcomes:

Dr DB v General Medical Council EWCA Civ 1497 = Disclosure of information even if one party objects
High risk breaches under GDPR = Need to be reported within 72 hours
Data breaches or near misses = Report to senior management within 12 hours
Unsupported operating systems = Not to be used within the IT estate

Match the following ICO powers to their descriptions:

Carry out audits = Review an organization's data handling
Impose improvement notices = Demand better data practices
Issue orders to cease operations = Stop a company's data handling
Issue fines = Penalize breaches or lack of systems

Match the following National Data Guardian standards to their descriptions:

All staff ensure that personal confidential data is handled, stored and transmitted securely = Data protection requirement
Personal confidential data is only accessible to staff who need it for their current role = Access control principle
Processes are reviewed at least annually = Continuous improvement principle
A continuity plan is in place to respond to threats to data security = Disaster recovery principle

Match the following legal cases with their corresponding outcomes:

Z v Finland (1997) 25 EHRR 371 = Not a violation of Z's Article 8 rights because there were good reasons for requiring this information.
Stone v South East Coast SHA EWHC 1668 = Michael Stone's right to privacy was outweighed by the public interest in knowing more about his treatment.
Campbell v MGN Ltd UKHL 22 = An obligation of confidence existed because of the nature of the information about Ms Campbell's treatment for drug addiction.

Match the following parts of the Data Protection Act 2018 with their details:

Part dealing with processing that does not fall within EU law = Related to immigration and applies GDPR standards.
Part 3 = Sets out the requirements for the processing of personal data for criminal 'law enforcement purposes'.
Parts covering the Information Commissioner's Office (ICO) = Detail its duties, functions and powers.

Match the GDPR principles with their definitions:

Lawful, fair and transparent = Data must be processed legally, fairly and in a transparent manner.
Limited for its purpose = Data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Adequate and necessary = Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Accurate = Data must be accurate and, where necessary, kept up to date.

Match the following terms with their definitions:

Data controller = A person who determines the purposes for which and the manner in which any personal data are to be processed.
Consent = Not regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

Match the following roles with their descriptions:

Caldicott Guardian = A senior person responsible for protecting the confidentiality of people's health and care information and making sure it is used properly.
Senior Information Risk Owner (SIRO) = Provides a focal point for managing information risks and incidents.
NHS England Data Security and Protection Toolkit = An online self-assessment tool that allows organisations to measure their performance against the National Data Guardian's 10 data security standards.
Cyber Essentials = A proven cyber security framework for protecting IT systems from cyber threats.

Match the following organisations with their related documents or tools:

General Medical Council (GMC) = Good Medical Practice
Nursing and Midwifery Council (NMC) = The Code
The Health and Care Professions Council (HCPC) = The Standards
The British Medical Association = A confidentiality aid

Match these legal terms with their definitions:

Common Law = The part of English law that is derived from custom and judicial precedent rather than statutes.
Statute = A written law passed by a legislative body.
Negligence = Breach of duty of care.
Breach of contract = A legal cause of action in which a binding agreement or bargained-for exchange is not honored by one or more of the parties to the contract.

Match the type of consent with its description:

Explicit consent = When the patient actively agrees either orally or in writing to the information disclosure.
Implied consent = This type of consent is assumed for direct patient care.
Obtaining explicit consent = Satisfy yourself that the patient has not objected, that the patient has access to information explaining how their information will be used, and that they have a right to object.
Anonymise information = If practicable, keep disclosure to the necessary minimum.

Match the following GDPR-related terms with their definitions:

Data Processor = Any person (other than an employee of the data controller) who processes data on behalf of the data controller
Processing = Obtaining, recording or holding information or data
Data Protection Officer = Responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements
Personal data = Data from which a living individual can be identified or identifiable (by anyone), whether directly or indirectly, by all means reasonably likely to be used

Match the following individuals with their rights to make a subject access request (SAR):

Patients with capacity = Can make a SAR without needing to provide a reason
Third party authorised by the patient = Can make a SAR on behalf of the patient
Parents with parental responsibility = Can make a SAR on behalf of their child, but not all parents automatically have this right
Children aged over 16 = Can make a SAR independently

Match the following categories of data with their requirements for legitimate processing under GDPR:

Personal data = Processors must have a Schedule 2 (Article 6) condition
Special category data = Processors must have a Schedule 3 (Article 9) condition
Health records = Can be accessed through a subject access request
Third party information = Must be removed from health records before access is granted

Match the following scenarios with their consequences under GDPR:

Data breach = The patient has a right to compensation if they suffer damage as a result of the breach
Failure to comply with GDPR = The data processor can be fined
Processing data contrary to the lawful instructions of the data controller = The data processor can be fined
Unlawful access to medical records = A person describing themselves as a next of kin has no right of access

Match the following ethical and legal duties of confidentiality with their definitions:

Deontological reasoning = Emphasises the patient's right to privacy and their right to control access to sensitive and personal information
Consequentialist reasoning = Centers around the need to ensure patients trust healthcare professionals with their medical information and seek treatment, for the overall health of the population
Common Law = A general law duty imposed on a doctor to respect the confidences of his/her/their patient
Human Rights Act 1998 = Provides everyone the right to respect for his private and family life, his home and his correspondence

Match the following cases with their outcomes:

A-G v Guardian Newspapers Ltd (No 2) AC 109 = A duty of confidence arises when confidential information comes to the knowledge of a person in circumstances where he has notice that the information is confidential
Hunter v Mann = A doctor is under a duty not to disclose, without the consent of his patient, information which he, the doctor, has gained in his professional capacity, save in very exceptional circumstances
W v Egdell Ch 359 = The fear of a real risk to public safety entitled a doctor to take reasonable steps to communicate the grounds of his concern to the appropriate authorities

Match the following principles from the Human Rights Act 1998, Article 8 with their descriptions:

8(1) = Everyone has the right to respect for his private and family life, his home and his correspondence
8(2) = There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society for various interests

Match the following individuals with their statements or actions:

Raanan Gillon = Maintenance of confidentiality may in some circumstances benefit others, especially in the context of transmissible diseases
Lord Goff = Suggested three limiting principles on duty of confidence
Boreham J = Stated in Hunter v Mann the duty of a doctor not to disclose a patient's information without consent

Test your knowledge of IT system protection and cybersecurity in NHS England with this quiz. Learn about the strategies and frameworks used to safeguard against cyber threats and ensure the protection of personal confidential data. Discover how IT suppliers are held accountable through contracts and adherence to the National Data Guardian's Data Security Standards.
