- FoI Number: 2024-762
- Subject: Information Governance
- Date Received: 07/03/2025
- Request and Response:
- A copy of the Organisation’s governance guidance document(s) regarding training of all employees in data protection and patient confidentiality. I understand this may have changed over time, please provide any documents showing changes or updates in the last 10 years, where that date range is not possible please provide what you can and clarify reasons why unable to provide more historical data (for example if this is due to a data retention policy then please include a copy of that data retention policy).
In accordance with FOISA s 16(1), NHS Shetland confirms that it holds the information requested but that it is exempt from disclosure under FOISA s 25(1) as the information requested is accessible without submitting a request under FOISA s 1(1). The information you have requested is available here:
https://www.nhsshetland.scot/directory-record/3506/information-governance-policy
https://www.nhsshetland.scot/directory-record/3512/patient-confidentiality-policy
https://www.nhsshetland.scot/downloads/file/205/information-security-policy
- Information from the Organisation detailing the titles of roles (both clinical and non-clinical) and the data protection training and patient confidentiality training. For each role can you detail:
- expectations on candidates for employment and
- the frequency of renewal/refresh of such training for that title/role. If you do not have specific data, could you provide information on the general areas of roles... such as 'Nurses', 'Consultants', 'Surgeons', 'Secretary non-clinical', 'Payroll', etc, etc. This may have changed from year to year, over time - if this has changed significantly in the last 10 years, please advise of the date when changes were brought in and any associated documents regarding the change.
All staff, regardless of role, must complete the “Information Governance: Safe Information Handling” Turas training module during induction and at least every 18 months thereafter.
- Information from the Organisation detailing the total number of staff and the percentage of adherence to completion of regular (annual?) renewal of data protection and patient confidentiality training. Please show as a trend over a number of years (annual aggregation is acceptable which shows the total staff and adherence/compliance data). Please provide data for the last 10 years, if unable to satisfy then provide it as far back as you can with a note on why additional historical data is not held (retention policy - then please quote the retention policy document).
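
| Year | Average complete | Average estimated staff total | % compliant |
|------|------------------|-------------------------------|-------------|
| 2019 | 393 | 650 | 60% |
| 2020 | 409 | 742 | 55% |
| 2021 | 643 | 817 | 79% |
| 2022 | 711 | 870 | 82% |
| 2023 | 614 | 850 | 72% |
| 2024 | 646 | 837 | 77% |
| 2025 | 595 | 797 | 75% |
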
Notes:
- For data prior to 2019 and in accordance with FOISA s 17(1), NHS Shetland confirms that it does not hold the information requested.
- The numbers of Bank/Locum staff make it difficult to obtain an accurate total number of active staff. The percent compliant figure is taken by dividing the number of staff with in-date/complete training on Turas by an estimate of average number of staff for each year.
- Information from the Organisation regarding the number of data breaches. Grouped by those reported to the ICO (Information Commissioner's Office) and those not reported to the ICO but reported internally to the organisation. If you could also provide within that data the severity that a breach was considered to be (e.g. Low, Medium, High). Additionally if any financial fines needed to be paid by the organisation, or other sanctions/enforcement actions made by the ICO or other regulatory body as a result of the breach. Please provide data for the last 10 years, if unable to satisfy then provide it as far back as you can with a note on why additional historical data is not held (retention policy - then please quote the retention policy document)
For data prior to 2018, in accordance with FOISA s 17(1), NHS Shetland confirms that it does not hold the information requested.
For data since 2018, much of the information requested is contained within previous FOI responses.
NHS Shetland has made it easier for you to search previous FOI requests/responses. We would be grateful if you could check the register and other published sources before submitting a request to see if the information you need has already been published. This will save both time and public resources:
https://www.nhsshetland.scot/directory/2/-foi-response-register
in particular:
The latest request containing the specific information requested had information up to 4 May 2023. Since that date the figures are as below:

| Year | Total | Reported to ICO |
|------|-------|-----------------|
| 2023 from 4 May | 78 | 2 |
| 2024 | 85 | 2 |
| 2025 to date | 7 | 0 |

Notes:
Severity – the threshold for reporting to the ICO already includes an assessment of severity so this is not included in the tables above.
Fines / sanctions / enforcement actions – no fines, sanctions or enforcement actions have applied to any incidents. For all incidents reported to the ICO and for which we have received a decision notice, the ICO has determined that no further action was necessary.
- Please advise if your Organisation is asked to report on compliance with data protection training / patient confidentiality to a parent body or other organisation.
It is not.