The Trust

Data Protection checklist

A quick 'how to comply' checklist 

This short checklist will help you comply with the Data Protection Act at the trust.

1. Keeping patient, staff and other personal information secure 

  • to keep passwords secure – to change regularly, no sharing
  • to lock (Ctrl + Alt + Delete or Windows key + L) or log off computers when away from desks
  • ensure computer screens are sited away from the view of others to prevent unlawful disclosure of sensitive information
  • dispose of confidential paper waste securely in the confidential bins provided
  • prevent virus attacks by taking care when opening email and attachment or visiting new websites
  • adopt a ‘clear desk’ policy – securely store hard copy personal information when it is not being used
  • be aware of those allowed in areas normally restricted to staff and to keep those areas secure
  • if personal or sensitive data is held on any portable storage device – eg laptop, USB (pen drive), it must be encrypted

2. Meeting the reasonable expectation of patients and staff whose data we handle

  • only collect personal information you need for a particular business purpose
  • update records promptly to ensure accuracy
  • only view patient or staff data for a legitimate business purpose
  • you may be committing an offence if you are disclosing patient or staff information without consent – this includes verbal disclosure – and which may lead to disciplinary action
  • you should inform the Information Governance team of any potential information sharing agreements
  • when transporting personal data, ensure that it is kept secure at all times
  • records in all formats should be stored, handled and retained in accordance with the Information Governance Alliance Records Management Code of Practice of Records Management?

3. Disclosing personal information over the telephone

  • be aware that there are people who will try and trick you to give out personal information
  • to prevent unauthorised disclosures, carry out identity checks before giving out personal information to anyone making an incoming call
  • ensure that sensitive conversations are not overheard by others
  • when leaving answer phone messages, do not disclose sensitive information – just leave your name and contact details

4. Notifying under The Data Protection Act

  • every year, the trust must notify the Information Commissioner of the types of data it holds and shares
  • the trust must take additional safeguards when sending information outside of the UK, particularly if outside the EEA. This includes uploading information to websites
  • we need to monitor changes in business use or personal information and notify the ICO if appropriate
  • it is a criminal offence if we do not register or fail to maintain the accuracy of the notification

5. Handling requests from patients and staff for their personal information (subject access requests)

  • patients, staff and other individuals have a right to a copy of the personal information held by the trust under the Data Protection Act, subject to certain conditions
  • Requests should be sent to the Subject Access Department
  • the trust must meet a statutory time limit of 30days

6. Information Governance breach reporting

All breaches or near misses relating to the above and other information governance issues should be reported immediately on Datix.

Information Governance contact details

The Information Governance Department
Email Address:
Telephone Number: 01625 66 36 08

Postal Address
The Information Governance Department
Macclesfield District General Hospital
2nd Floor New Alderley House
Victoria Road
Cheshire, SK10 3BL

CheshireICT Service Desk
Email Address:
Telephone Number: 0844 800 9982

7. Caldicott guardian

That the trust has an appointed Caldicott Guardian who plays a key role in ensuring that NHS and partner organisations satisfy the highest practical standards for handling patient information.  Acting as the “conscience” of an organisation, the Guardian actively supports work to facilitate and enable information sharing, and is available to advise on options for lawful and ethical processing of information as required.  

More information

  • Trust policies and procedures
  • NHS Code of Practice: Confidentiality
  • NHS Code of Practice: Records Management
  • NHS Code of Practice: Information Security Management

Information Governance (IG)

  • Head of Integrated Governance/Data Protection Officer
  • Julie Green, Director of Corporate Affairs and Governance/SIRO
  • Lorraine Jackman, Caldicott Guardian Email:
  • IT Security
  • Information Commissioners Office

Thank you for all your assistance in trying to improve our information security.

Internal Links

External Links