Everyone, irrespective of how junior or senior their role, has key responsibilities regarding Information Governance. These responsibilities are part of the company's Information Governance Policy and they are:
- Extreme care must be taken to ensure that appropriate handling of person-identifiable data, and especially patient-identifiable data, is in accordance with Information Handling Policy and security procedures.
- Any and all data, whether that data be the Company's data or that of its clients (for example hospitals' data, especially patient data), must only be used for legitimate and appropriate business purposes that directly contributes to or supports the delivery of the Company's services and contracts to its customers.
- A legitimate business purpose means a purpose or business function that bona fide contributes to, or supports the delivery of the Company's services and contracts to its customers. For example, facilitating the transfer of patient data as part of data sharing services that we provide would be a legitimate business purpose. Using that same patient data for something else such as 'browsing' out of personal interest would be illegitimate use.
- An appropriate business purpose is a purpose or business function suited to that particular data. For example, transferring patient data from one hospital to another, in response to an appropriately authorised support request would be an appropriate use. However, using that same patient-identifiable data for testing purposes would be inappropriate, even though the testing itself was a legitimate business function to support
- Having access to data, for example via a login, does not imply authority to access, view, store, transmit or otherwise use any given data. Data must only be used for legitimate and appropriate business purposes, as defined above.
- For patient data transfers, the Company's business purposes do not include any decision to transfer patient data between hospitals. Trusts however can and do choose to transfer patient data. If operate our software to transfer studies, we are only permitted to do so on the Trust's behalf, for a decision to transfer made by the Trust.
- If, in the future, our business processes change such that seeking direct patient consent is or may be required, then this must be referred to our Head of Information Governance prior to seeking such consent.