Personal information

By providing us with your details, you are giving your consent that your personal information may be processed for the purposes necessary to conduct and improve our services. When collecting your personal information we will explain what we intend to do with it.

Our use of cookies

Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. Most web browsers allow some control of cookies through the browser settings. To find out more about cookies, including how to see what have been set and how to manage and delete them, visit www.allaboutcookies.org. We only use cookies to:

• store a temporary session number so that the server can identify where a request has come from when it receives one
• store interface settings (table filters, sort order, column order etc) to improve your experience when using the system.

Receiving communications from the Information Sharing Gateway

If you do not wish to receive any information from us please let us know at the point you first contact us or by emailing isg@mbhci.nhs.uk

If you already receive correspondence from the Information Sharing Gateway and no longer want to, please email isg@mbhci.nhs.uk. We will remove your details from any tools or products and will stop any communications updates.

---

Data Protection

All personal information is handled with the utmost care and attention - whether on paper, electronically, or other means - and safeguards are in place to ensure the Data Protection Act 1998 is adhered to.

---

Access to your personal information

You are entitled to obtain a copy of the personal information held about you by the Information Sharing Gateway. Any request to access or obtain a copy of this information will be considered under Section 7 of the Data Protection Act.

To make a request for personal information, email isg@mbhci.nhs.uk

---

Information security

There are robust security measures in place for all personal information held by the Information Sharing Gateway to protect against the loss or alteration of information under the organisation's control. If you have any questions about our privacy notice or the information we hold please contact us at isg@mbhci.nhs.uk. See the systems Security Statement for more details.

Other websites

Our privacy notice only relates to information that we obtain from you. If you visit a website operated by a third party through a link included on this website your information may be used differently by the operator of the linked website. When you are moving to another site you are advised to read the privacy notice relating to that website.

ISG Security Statement

The Information Sharing Gateway is a web-based system provided over an encrypted connection and hosted by AIMES on behalf of University Hospitals of Morecambe Bay NHS Foundation Trust (‘Support Service’). The provision of secure application hosting covers; hosting business applications, high performance computer processing and data storage and manipulation, servers and secure storage.

AIMES has exceptional security standards and regimes which they adhere to.  These can be summarised as;

• Information Security
• Data Centre Security
• Rack Security
• Staff Security

Information Security

ISO27001 Certification is one of the most widely recognized independent global standards for security an organization can achieve. Certification to the standard involves a lengthy process whereby every facet of the business is examined from a security and process standpoint. All of AIMES business systems, technologies, processes and data centres have been carefully examined to ensure they are compliant to the highest security and management standards.

NHS IG Toolkit Compliance

AIMES meets the NHS criteria for information security and governance. AIMES (Organisation Code 8J121) completes the Department of Health’s Information Governance Toolkit on an annual basis and their version 14 submission for 2016/17 has been reviewed and classed as meeting the NHS criteria for information security and governance (Level 3). Status can be viewed on the IG Toolkit website via the IGT Reports section: http://tinyurl.com/pocrc32

Data-centre Security

AIMES is located at Liverpool Innovation Park, a designated technology park which is surrounded by secure metal fencing. There is a single point of entry, with a security lodge that is manned on a 24-hour basis. Within the security lodge guards control the external CCTV and perimeter protection cameras and carry out hourly foot patrols of the park.

Access controls include;

• Two form factor authentication & anti tailgating security lobby
• Tablet based Photo ID Access Control
• CCTV Monitoring

Rack Security

AIMES provides bespoke rack based security controls appropriate to the server requirements for the ISG.

Staff Security

To ensure the security of client data, AIMES has controls in place to deal with staff security prior to, during and after employment.

 

Prior to Employment: AIMES has introduced a number policies and procedures that ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.

 

During employment: AIMES has introduced a number policies and procedures that ensure that all employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support the organizational security policy.

 

After Employment: AIMES has introduced a number policies and procedures that ensure that employees, contractors and third party users exit our organization or change employment in an orderly manner.

 

Full AIMES security arrangements are detailed in the AIMES Security Overview document available from the Resources tab.

 

Support Operations Security

The system support is managed by the Innovation, Informatics and Information Service at University Hospitals of Morecambe Bay NHS Foundation Trust.

• Change Control - Support Services follow a strict formal change management processes. Any requested change to the production environment, system and configuration are tracked by a dedicated team.
• Audit - Audits are kept of access attempts to the system and changes to some data records within the system, these are stored to a SQL 2008 dedicated server provided by AIMES/
• Access Control - support access is limited to legitimate business need, including activities required to support clients' use of the system.

1. About these terms and conditions
   

   It is your responsibility to ensure that you understand and comply with these terms and conditions. It ensures that:

   1. You understand your responsibilities and what constitutes abuse of the service
   2. Computers and personal data are not put at risk

   If you have any questions about these terms and conditions, you should contact the Information Sharing Gateway Administration Team at isg@mbhci.nhs.uk

   The Information Sharing Gateway team reserves the right to update this document as necessary.

2. General information about the Information Sharing Gateway
   1. The Information Sharing Gateway has been provided to aid registered organisations with their responsibilities when sharing information outside of their organisation and this should be your main use of the system.
   2. The Information Sharing Gateway should be used in compliance with all relevant laws, regulations and guidelines, and at no point does it supersede them.
   3. Access to the Information Sharing Gateway is owned by the Information Sharing Group and is provided to member organisations for their use.
   4. The Information Sharing Group reserves the right to withdraw user access in the case of misuse or inappropriate use.
3. Your responsibilities when using the service
   1. General responsibilities:
      1. You must not use the Information Sharing Gateway to violate any laws or regulations of the United Kingdom or other countries. Use of the service for illegal activity is usually grounds for prosecution and/or legal action.
      2. You must not attempt to interfere with the technical components, both hardware and software, of the Information Sharing Gateway in any way.
      3. When you set up your user account you must identify yourself honestly, accurately and completely.
      4. You must ensure your password and answers to your security questions for the Information Sharing Gateway are kept confidential and secure at all times. You should contact the Administration Team if you become aware of any unauthorised access to your Information Sharing Gateway account.
      5. You must only access the Information Sharing Gateway with your own username and password and never share your access credentials with others.
      6. You should never input your Information Sharing Gateway password into any other website, and you will never be asked for your Information Sharing Gateway password e.g. by phone or email. Do not divulge this information to anyone, even if asked.
      7. All communication you send through the Information Sharing Gateway is assumed to be official correspondence from you acting in your official capacity on behalf of your Organisation.
      8. You must familiarise yourself with the Information Sharing Gateway security and privacy statements, as well as the systems guidance documents if required.
   2. Responsibilities when using the Information Sharing Gateway:
      1. You must not attempt to disguise your identity or that of your organisation.
      2. It is your responsibility to check that you are engaging with the correct recipient, as there may be more than one organisation with a similar name using the service or registered with the ICO.
      3. Content of the Information Sharing Gateway may be admissible as evidence in a court of law and agreements may be classified as legal documents. An organisation’s content within the Information Sharing Gateway may also need to be disclosed under the Freedom of Information Act 2000 and the Data Protection Act 1988.
      4. It is your responsibility to make sure that your details in the system are correct and up to date.
      5. You must not use the Information Sharing Gateway to identify individuals or groups of organisations to target for commercial gain, either on your behalf or on that of a third party.

4. Registering a new organisations to the Information Sharing Gateway

   To register an organisation you need to have

   • An approved email domain is required, email domains not listed are required to go through a verification process before access to the system is approved, approved email domains are
   • Where possible, an Information Commission Office (ICO) registration is needed to aid the registration process.
5. Organisational Assurance

   To provide an assurance level of either None, Limited or Significant, each organisation, whether lead or sponsored, must provide details on:

   • Whether or not they are ICO registered.
   • Their Information Governance compliance framework and level if any.
   • Whether staff are screened to work.
   • Whether staff are adequately trained.

   The system will then rate the organisation dependant on the answers to the screening questions.

   Where organisations do not meet 'Significant Assurance', organisations must provide details of improvement plans in the organisations assurance submission.

   Assurance will be reviewed by each organisational annually, if assurance levels change each partner organisation will be informed.

6. Approving new data flows, privacy assessments and data sharing agreements

   These should be approved by each of the Partner Organisations involved electronically by each organisation's Accountable Officer or their delegate (individual authorised by the Accountable Officer to approve on their behalf).

   The data contained in the data flow, privacy assessments and data sharing agreements remain the property of the organisations they relate to. Any downloads taken from the system also remain the property of the organisation and remain their responsibility.

7. Review processes

   The data sharing agreement with associated data flows and privacy assessments should be reviewed by a suitably qualified individual or committee/group within each organisation. The minimum review period should be annually, or as specified by the Partner Organisations involved ensuring the Agreement remains fit for purpose and that the information sharing is continuing to effectively achieve its objectives. This Agreement will remain in force irrespective of whether the Agreement has been officially reviewed until a notice of termination is served.

8. Archiving and disposal

   At the point where the data sharing agreement is no longer required, the agreement, associated data flows and privacy assessment will be archived. These records will not be deleted from the system until they have reached their end of their retention period and not without the prior approval of each partner organisation.

   Should a record be required to be stored longer than retention period, then the Information Sharing Gateway governance group must be consulted with a documented business reason for the retention period extension.

   The records remain the property of the partner organisations at all times, it is the responsibility of each organisation to manage the record management cycle of the agreement.

9. Dispute / issue resolution processes

   In the event of a dispute arising, authorised representatives of the each Partner Organisation involved will discuss and meet as appropriate to try to resolve the dispute within seven calendar (7) days of notification. If the dispute remains unresolved, it will then be referred to the Accountable Officer from each of the Partner Organisation who will use all reasonable endeavours to resolve the dispute within a further fourteen calendar (14) days.

   In the event of failure to resolve the dispute through the steps set out above the organisations agree to attempt to settle it by mediation from another organisation that is not privy to the dispute or the Information Sharing Gateway governance group.

10. Termination and variation

    Any Organisation may leave this Agreement by giving their Partner Organisation’s notice using the Information Sharing Gateway. The Partner Organisation can approve or reject as necessary.

    Any proposed changes, for example changes to organisations involved in the Agreement, the purposes of the information sharing, the nature or type of information shared, the manner in which the information is to be processed must be notified to the each Partner Organisation’s Accountable Officer or their delegates so the impact of the proposed changes can be assessed.

    No variation of the Agreement shall be effective unless the agreement is amended accordingly and is electronically signed by all involved organisations.

11. Subject access requests and complaints

    Each Partner Organisation is responsible for putting into place effective procedures to address complaints about data sharing and subject access requests relating directly to their information. Information about these procedures should be made available to patients via each organisation's Fair Processing / Privacy Notice.

    It is recommended that organisations where information is recorded in each organisations record should agree and record how subject access requests and complaints are managed after the agreement is signed off.

    Each Partner Organisation must have contact details recorded on the Information Sharing Gateway which show where subject access request and complaints should be directed.

12. Freedom of Information requests

    The Partner Organisations recognise that public bodies are subject to the requirements of the Freedom of Information Act 2000 ("FOIA") and the Environmental Information Regulations ("EIR"). Any such requests relating to information governed by the recorded agreements should be directed promptly to the relevant recorded individual Partner Organisation.

    The Partner Organisations shall notify the Governing Group of any such request and assist and co-operate with the Governing Group to enable compliance with any obligations under the FOIA and the EIR.

13. Key Legislation and Guidance

    The Partner Organisations are subject to a variety of legal obligations, and statutory and other guidance in relation to the sharing and disclosure of information, including (without limitation):

    • Data Protection Act 1998
    • Human Rights Act 1998
    • Common Law Duty of Confidence
    • Caldicott Principles
    • ICO Data Sharing Code of Practice
    • Confidentiality: NHS Code of Practice
    • HSCIC: A guide to confidentiality in health and social care
    • NHS England Information Governance and Risk Stratification: Advice and Options for CCGs and GPs
    • Department of Health: Information Security: NHS Code of Practice

    This is not an exhaustive list and other legislation applies in specific circumstances.

14. System Support

    System support / Super Administration is provided by University Hospitals of Morecambe Bay NHS Foundation Trust Innovation, Information and Informatics Service. The service is provided 5 working days a week 9am to 5pm.

    The support can be contacted via email only using the contact form on the system or using isg@mbhci.nhs.uk

    UHMB undertake to respond to your request within ONE working day, with an estimate of time to fix based on the following:

    • SAME DAY
    • NEXT DAY
    • ONE WEEK
    • DEVELOPMENT ISSUE / REQUEST FOR CHANGE

    The Super Administrator will have full, unrestricted access to the ISG to enable support to be carried out in a speedy and efficient manner. The Super Administrator will remind you that they are accessing the ISG in this manner. The Super Administrator will sign up to the UHMB Code of Conduct for IT administrators, a copy of which can be made available on request.

15. System Governance A sub group of the Lancashire and Cumbria Information Governance Group will provide the governance for the system. The governance will include:
    • Review and critique materials proposing new functionality
    • Evaluate and prioritise requests for system changes
    • Provide expert knowledge, guidance and skills to determine future development of the system
16. Warranties

    Neither this sub-group nor UHMB (as hosts) give any warranty as to the accuracy of the information entered into the system by organisations. It is the express responsibility of organisations to verify, by their own means, the accuracy of the information supplied by the organisation with whom they are to share information.

    No parties within this group will commercially exploit this system, without the expression permission of all the other member organisations.

17. System Decommissioning

    If the system is decommissioned the data held will be returned to the originating organisation. If a specific format is required this must be discussed with the System Support to ensure that if it feasible. The data will be transferred securely and with sent and received receipts.