Part of Objective E – Using and sharing information appropriately
Principle E2: Upholding the rights of individuals
The organisation respects and supports individuals in exercising their information rights.
E2.a Managing data subject rights under UK GDPR
Description
You appropriately assess and manage information rights requests such as subject access, rectification and objections.
The expectation for this contributing outcome is Achieved.
Indicators of good practice (IGP) achievement levels
As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework.
The approach and documentation list described below provide guidance on how to conduct testing and should be adapted as appropriate in order to assess whether the NHS provider's outcomes are effectively achieved.
Suggested approach to testing
1. Information rights requests - obtain and inspect the documented process for responding to information rights requests. Verify that the process includes:
- Initial identification of an information rights request, reflecting organisational awareness that this could include requests to access information, objections to the processing of information, requests to rectify inaccurate information, requests to erase information, requests to restrict the processing of information, and requests to transfer personal information to other organisations. (A#1)
- Assessment and verification of the identity of the requester. (A#1)
- Information gathering. (A#1)
- Responding to the request and documentation of the request for record keeping. (A#1)
- Completion of the response within one month of receipt of the request, or within three months for specific complex requests, determined on a case-by-case basis. (A#1)
- Test an example of an information rights request, such as a request for access to patient records under the right of access or a request to amend information in a patient record under the right to rectification, and verify that the appropriate process was followed. (A#1)
2. Delegation of staff responsibilities - assess whether staff responsibilities have been defined and documented for all steps of the information rights request process, from initial receipt (A#2) to fulfilment. (A#3)
3. Staff training - obtain evidence of the training undertaken or qualifications held by staff to ensure they have the knowledge and skills, or experience, required to fulfil their responsibilities:
- For staff roles likely to be the organisation’s point of entry for information rights requests, training undertaken or experience should ensure they are able to identify the different categories of information requests and know what to do when they receive one. (A#2)
- For staff roles likely to process and fulfil information rights requests, training undertaken, qualifications held or experience should ensure they understand the regulatory and legal requirements around information rights requests, including where requests might need to be refused. (A#3)
Suggested documentation
Suggested documentation includes:
- process for responding to information rights requests
- proof of training undertaken, qualifications held, or experience acquired by staff members for responding to information rights requests
E2.b Consent
Description
You have a good understanding of requirements around consent and privacy, including the common law duty of confidentiality, and use these to manage consent.
The expectation for this contributing outcome is Achieved.
Indicators of good practice (IGP) achievement levels
As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework.
The approach and documentation list described below provide guidance on how to conduct testing and should be adapted as appropriate in order to assess whether the NHS provider's outcomes are effectively achieved.
Suggested approach to testing
1. Public information on consent - obtain the organisation’s transparency materials and exemplar communications with the public relating to consent for information sharing. Assess whether:
- They cover common scenarios where consent will be asked before information sharing (A#3)
- Any written materials use clear and plain language, avoiding the use of technical terms and acronyms (A#3)
- The organisation has defined appropriate written and verbal methods for asking for consent for information sharing which staff members can refer to when needed (A#3)
- Clear headings and sub-headings are used (A#3)
2. Consent policies and procedures - inspect any documents provided by the organisation relating to their policies and procedures for managing consent and assess whether they cover:
- The different scenarios where consent may be used as the organisation’s basis for using and sharing information under UK GDPR and the Common Law Duty of Confidentiality. (A#2)
- The organisation’s processes for obtaining, withdrawing and maintaining a record of consent. (A#2)
- The responsibilities of staff members for making justifiable decisions when deciding whether to seek patient consent, including when to involve Caldicott Guardian or equivalent senior staff members. (A#2)
3. Staff training - obtain documents provided by the organisation showing how it has assured that staff are aware of how to appropriately manage requirements relating to consent, and assess whether they cover:
- The common law duty of confidentiality, tailored to the level of understanding required for a person’s job role.
For non-IG staff roles, this could be scenario-based awareness of situations where they have the implied consent of a patient, for example for direct care, and other situations where explicit consent may be needed, for example where information is being used for reasons outside of direct care. (A#1)
For IG staff roles, this could be documentation showing how the common law duty of confidentiality has been considered by IG teams in previous decisions relating to whether or not to seek a patient’s consent. (A#1)
- How to appropriately obtain and keep records of consent where consent is needed. (A#2)
Suggested documentation
Suggested documentation includes:
- documents showing the organisation’s policies and processes relating to consent
- public materials about consent (for example privacy information)
- records of consent
- training materials
- documents from steering group meetings
E2.c National data opt-out policy
Description
A robust policy and system is in place to ensure opt-outs are correctly applied to the information being used and shared by your organisation.
The expectation for this contributing outcome is Achieved.
Indicators of good practice (IGP) achievement levels
As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework.
The approach and documentation list described below provide guidance on how to conduct testing and should be adapted as appropriate in order to assess whether the NHS provider's outcomes are effectively achieved.
Suggested approach to testing
1. Privacy information - obtain the organisation’s privacy information and assess whether:
- It explains the National Data Opt-Out and links the reader to a more detailed explanation of how it works. (A#2)
- It is explained in an accessible way, with clear and concise text. (A#2)
2. Information asset register - obtain and inspect the information asset register and verify that the data opt-out has been clearly documented against relevant information assets. Take a sample of applications (up to 3) and test that opt-outs have been recorded for them. (A#1)
3. Data flow register - obtain and inspect the record of processing activities (RoPA)/the data flow register, and verify that data opt-outs are clearly documented as part of each flow. (A#1)
4. Process controls for opt-outs - evaluate the methodology for processing opt-outs, and the technical controls in place to ensure this methodology is applied correctly across all information systems. (A#3)
5. Training for key staff - evaluate the training provided to relevant staff to check it includes details on the procedures for opt-outs. (A#3)
Suggested documentation
Suggested documentation includes:
- privacy information
- information asset register
- data flow register
- methodology for processing opt-outs
- technical controls for ensuring opt-outs are consistently applied
- staff training for opt-outs
Last edited: 2 January 2025 12:37 pm