Information Management Policy

Policy: Information Management

Diverse Diagnostics

Date Effective: November 2021
Review Date: April 2026
Version No: 9
Policy Owner / Author: Dr Jagdish Basra / Dr Camila Flores M.
Target audience: Staff / All clinical users


Version Control

Date       | Author               | Version/Page | Reason for change
22.06.2022 | Dr Camila Flores M.  | 2            | Expansion of the clinic
15.08.2022 | Dr Camila Flores M.  | 3            | Adult ADHD assessment
04.09.2023 | Kent Chua            | 4            | Change of responsible individual; change of formatting
07.11.2023 | Kent Chua            | 5            | Aim of policy included; reference to EEA, consent, training and improvements
18.02.2024 | Angeline Martin      | 6            | Additional consent information regarding medication release
03.04.2024 | Angeline Martin      | 7            | Additional GDPR information
24.04.2024 | Angeline Martin      | 8            | Additional information regarding patient care records required to prescribe medication
14.03.2025 | Alicia May Brown     | 9            | Additional information on patient information release on website


Table of Contents

  1. Introduction
  2. Purpose of Policy
  3. Policy Statement
  4. Scope
  5. Definitions
  6. Procedure
  7. Responsibilities
  8. Enforcement / Compliance
  9. Related information
  10. Appendix A

1. Introduction

Information management is essential to Diverse Diagnostics, and it involves confidentiality, data protection and the Caldicott principles. Confidentiality is vital to good care, and it applies to all patients in our institution. Patients' information will be kept private; however, all patients will be informed that the information they provide will be shared with their General Practitioner (GP).

Diverse Diagnostics will also require access to the patient's primary healthcare record from their general practitioner (GP) before prescribing medication, because a comprehensive understanding of the patient's medical history is needed before a medication is prescribed. This includes details of past illnesses, medications, surgeries and any underlying health conditions. Diverse Diagnostics will request the patient's consent for access to these care records. Obtaining this information from the patient's GP ensures that diagnostic procedures are tailored to the individual's specific health circumstances.

Diverse Diagnostics is committed to respecting the privacy of patients and their relatives/carers: all staff will sign a confidentiality agreement, and personal information will be shared only with the individual's consent unless there is a compelling reason for not doing so.

This Information Management policy will encompass several aspects aimed at ensuring the accurate, secure, and effective management of information to support both clinical and operational decisions.

2. Purpose of Policy

This policy aims to assure patients and their relatives/carers that any personal information they give will be managed securely, in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). Its purpose is to protect all personal data.

3. Policy Statement

Diverse Diagnostics is committed to following the guidelines for information management. No information about any patient will be shared with anyone outside Diverse Diagnostics without the patient's consent, except in specific situations where, by law, patient information must be shared without consent. The possible scenarios are explained in Section 6, and it is essential to highlight that confidentiality is not an absolute duty, as any of these scenarios can arise.

The General Data Protection Regulation (GDPR) is one of the most significant pieces of legislation affecting how Diverse Diagnostics carries out its information processing activities. Under the GDPR, patients have rights, such as: the right to be informed, the right of access to their data, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, and the right to object. Where appropriate, Diverse Diagnostics will obtain consent from a patient to collect and process their data (in the case of children, consent from a parent/carer). When consent is obtained, transparent information about how we use personal data will be provided and the individual's rights will be explained, in an accessible form and in clear language. A certificate has been acquired from the Information Commissioner's Office, which supervises information rights in the interests of patients and data privacy.

The Medical Director will be the Caldicott Guardian at Diverse Diagnostics (applying the eight Caldicott principles; see Appendix A), with the authority to exercise the necessary influence on policy and strategic planning. "Responsibility for ensuring that patient-identifiable information remains confidential is both an organisational and individual one. It is the responsibility of the Caldicott Guardian to facilitate understanding and awareness of that responsibility and to ensure that all such activities within an organisation are lawful." (Scottish Government)

We do not transfer data out of the EEA (European Economic Area).

4. Scope

This policy applies to all Diverse Diagnostics staff, irrespective of job role within the Independent Clinic, who have access to Diverse Diagnostics systems.

5. Definitions

Term: Data Protection

Definition: The fair and proper use of information about people. It is part of the fundamental right to privacy and also builds trust between people and organisations.

"Good practice in data protection is vital to ensure public trust in, engagement with and support for innovative uses of data in both the public and private sectors."

The UK data protection regime is set out in the Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR).

(Information Commissioner's Office)

Term: Personal Data

Definition: Information about a particular living individual (e.g. a customer, client, employee, partner, member, business contact or member of the public). It need not be "private information".

Term: Confidentiality

Definition: Keeping patients' information private.

"Confidentiality is central to the trust between doctors and patients and an essential part of good care. Without assurances about confidentiality, children and young people, as well as adults, may be reluctant to get medical attention or to give doctors the information they need to provide good care." (GMC)

Term: The Common Law Duty of Confidentiality

Definition: "means that it has been established that, when there is an expectation of confidentiality between two parties (in this case the Health Professional and the Patient), that confidence will not generally be broken without the explicit consent of the patient. In practice all patient information, whether held on paper, computer, video or audio tape, or even when it is simply held in the memory of a Health Professional, must not normally be disclosed to a third party without the consent of the patient.

This duty applies regardless of age, mental health or capacity. There are however four sets of circumstances in which the disclosure of confidential information to a third party is lawful:

    • where the patient has given consent
    • where disclosure is in the overriding public interest
    • where there is a legal duty to disclose for example by court order
    • where there is a statutory basis which permits disclosure"

(Scottish Government)

6. Procedure

Sharing information appropriately is crucial for Diverse Diagnostics to provide safe and effective care for its patients. The Medical Director has the confidence, as a doctor, to act on her concerns about the possible abuse or neglect of a child or adolescent. As the Caldicott Guardian, the Medical Director will ensure that colleagues are aware of the need to comply with the common law duty of confidentiality at all times (the common law duty of confidentiality is defined in Section 5).

All staff use one centralised system for patient records.

The principles on which the GDPR is based, set out in Article 5(1), are followed to keep patients' data protected:

Personal data shall be:

  • Processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency");
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes ("purpose limitation");
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimisation");
  • Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ("accuracy");
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with the Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ("storage limitation");
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ("integrity and confidentiality").
  • Not transferred outside of the patient's sphere without prior consent.

Keeping Data Secure
Data safety is a Diverse Diagnostics priority; therefore, steps are taken to ensure that physical and digital data are secure at all times. Any physical or paper data will be scanned and uploaded to the patient's file, and the paper copy will then be shredded. Until then, any physical or paper data will be stored in a locked, password-protected safe. Digital data will be backed up to an external storage device, to which only the Medical Director has access. All personal information will be stored under measures that safeguard it both physically and digitally. As mentioned above, personal data may be transferred to the patient's General Practitioner, and this transfer will be secure. Once the data retention period has expired (see "Data retention" below), the data will be deleted from our systems.

If any patient or carer suspects any misuse or loss or unauthorised access to their data, they will be able to contact Diverse Diagnostics immediately.

Data retention
Following the GDPR principles, Diverse Diagnostics will not keep personal data for longer than needed, depending on the purpose of holding the data.

  • Data regarding psychological services provided to a patient, such as mental health records, may include personal data from the patient, family members, or professionals linked to the patient (e.g. teachers).
    Retention period children and young people: Until children are 25 years of age; in the case of a deceased patient, the retention period is 8 years from their death.
    Retention period mental health records adults: 20 years after date of last contact between the patient and the mental health provider. Or 3 years after the death of a patient if sooner and the patient died while in the care of the organisation.
  • Minimum length of retention of GP records.
    Retention period: For the patient’s lifetime and 3 years after the patient’s death. Electronic records must be kept in perpetuity.
  • Enquiries about Diverse Diagnostics services. Retention period: 6 months from the date of the enquiry.
  • Data from employees. Retention period: 6 years from their last date of work.

Note: Digital data will be deleted from the records and backup servers, while physical data will be shredded and discarded properly.

According to Article 89(1) of the GDPR, "personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes".

According to the General Medical Council, as mentioned in Section 3, there are some scenarios where confidential information can be shared without consent:

  1. You must do so by law or in response to a court order.
  2. The person the information relates to has given you their consent to share the information (or a person with parental responsibility has given consent if the information is about a child who does not have the capacity to give consent).
  3. It is justified in the public interest – for example, if the benefits to a child or young person that will arise from sharing the information outweigh both the public and the individual's interest in keeping the information confidential.
  4. Relevant personal information about a patient who lacks capacity may be disclosed if doing so is of overall benefit to the patient. Practical guidance is also given in the Adults with Incapacity (Scotland) Act 2000 and Mental Capacity Act 2005 codes of practice.

Moreover, according to the GMC, Diverse Diagnostics may disclose information about an adult or a young person who may be at risk of harm. We will always support and encourage patients to be involved, as far as they want and are able, in decisions about disclosing their personal information.

At Diverse Diagnostics, we will document in the patient’s record our reasons for disclosing information with or without consent; this will include any steps taken to seek the patient’s consent, to inform them about the disclosure, or our reasons for not doing so.

Additionally, there are some situations where social care may be informed:

  • If there are concerns that a young person might have been, or is currently being, neglected.
  • If there are concerns that a young person might have been, or is currently being, abused – this might be sexually, physically and/or emotionally.
  • If there are concerns that a young person might have been, or is currently, abusing or neglecting other young people (or if they know about other people who are).
  • If there are concerns that a young person might have been, or is currently, at risk of serious physical or mental harm, or if they have threatened to harm or injure another young person.

All patient data and information displayed on any Diverse Diagnostics website or related social media platform is obtained with the patient's consent.

7. Responsibilities

It is the responsibility of the Practice Manager to ensure that the implementation of the information management policy is followed at all times.

In Diverse Diagnostics, keeping patients’ information confidential is one of our priorities.

8. Enforcement / Compliance

Diverse Diagnostics is committed to following the procedures described above and reviewing our policy and good practice once a year.

Diverse Diagnostics will assess and evaluate the effectiveness of information management practices, and identify areas for improvement to ensure that information management supports the strategic and operational needs of the organisation.

All employees will receive training within the first two weeks of starting with Diverse Diagnostics.

9. Related information

This policy was written according to the Scottish Government laws and under the General Medical Council guidelines, the Caldicott Principles, and the UK General Data Protection Regulation.

Contact details:
Caldicott Guardian: Dr Jagdish Basra 0141 463 8297
[email protected]

10. Appendix A

The Eight Caldicott Principles are explained in the document linked below, published by the National Data Guardian for health and social care.
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/942217/Eight_Caldicott_Principles_08.12.20.pdf

Regulation (EU) 2016/679 of the European Parliament and of the Council
https://www.legislation.gov.uk/eur/2016/679/contents

Data Protection Act 2018
https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted

The Information Commissioner's Office
https://ico.org.uk/

Retention of health records
https://www.bma.org.uk/advice-and-support/ethics/confidentiality-and-health-records/retention-of-health-records

Disclosing patients’ personal information: a framework
https://www.gmc-uk.org/ethical-guidance/ethical-guidance-for-doctors/confidentiality/disclosing-patients-personal-information-a-framework#paragraph-9

Protecting children and young people: The responsibilities of all doctors
https://www.gmc-uk.org/ethical-guidance/ethical-guidance-for-doctors/protecting-children-and-young-people

GDPR
https://gdpr-info.eu/