The Trust

Data Protection checklist

A quick 'how to comply' checklist 

This short checklist will help you comply with the Data Protection Act at the trust.

1. Keeping patient, staff and other personal information secure 

Do you know:

  • to keep passwords secure – to change regularly, no sharing?  
  • to lock (ctrl,alt,del) or log off computers when away from desks?
  • ensure computer screens are sited away from the view of others to prevent unlawful disclosure of sensitive information?
  • to secure of confidential paper waste securely in the confidential bins provided?
  • to prevent virus attacks by taking care when opening email and attachment or visiting new websites?
  • about working to a ‘clear desk’ basis – by securely storing hard copy personal information when it is not being used?
  • to maintain an awareness of who should be allowed in areas normally restricted to staff and to keep those areas secure?
  • that if personal or sensitive data is held on any portable storage device – eg laptop, USB pen, it must be encrypted? 

2. Meeting the reasonable expectation of patients and staff whose data we handle

Do you know:

  • to collect only the personal information you need for a particular business purpose?
  • records should be updated promptly to ensure accuracy?
  • that you should only be viewing patient or staff data for a legitimate business purpose
  • that you may be committing an offence if you are disclosing patient or staff information without consent – this includes verbal disclosure – and which may lead to disciplinary action?
  • that you should inform the Caldicott Guardian or Information Governance Manager of any potential information sharing agreements?
  • when transporting personal data, we ensure that it is kept secure at all times?
  • that records in all formats should be stored, handled and retained in accordance with the Code of Practice of Records Management?

3. Disclosing personal information over the telephone

Do you know:

  • to be aware that there are people who will try and trick you to give out personal information?
  • that to prevent these disclosures, we should carry out identity checks before giving out personal information to someone making an incoming call?
  • to ensure that sensitive conversations are not overheard by others?
  • that when leaving answer phone messages, you should not disclose sensitive information – just leave your name and contact details?

4. Notifying under The Data Protection Act

Do you know:

  • every year, the trust must notify the Information Commissioner of the types of data it holds and shares?
  • the trust must take additional safeguards when sending information outside of the UK, particularly if outside the EEA? This includes uploading information to websites?
  • we need to monitor changes in business use or personal information and notify the ICO if appropriate?
  • it is a criminal offence if we do not register or fail to maintain the accuracy of the notification?

5. Handling requests from patients and staff for their personal information (subject access requests)

Do you know:

  • that patients, staff and other individuals have a right to a copy of the personal information held by the trust under the Data Protection Act, subject to certain conditions?
  • Requests should be sent to the Information Governance Department
  • the trust must meet a statutory time limit of 40 days to complete the requests but in many cases must respond within 21 days?

6. Information Governance breach reporting

All breaches or near misses relating to the above and other Information Governance issues should be immediately reported on an incident report form and copied to the Information Governance Manager? Security related incidents need to include an email to Cheshire ICT.  Contact details are below:

Information Governance contact details

  • The Information Governance Department

    Email Address:

    Telephone Number: 01625 663608

    Postal Address:

    The Information Governance Department

    Macclesfield District General Hospital

    2nd Floor New Alderley House

    Victoria Road


    Cheshire, SK10 3BL

  • CheshireICT Service Desk, Tel: 0844 800 9982 Email:

7. Caldicott guardian

Do you know:

  • That the trust has an appointed Caldicott Guardian who plays a key role in ensuring that NHS and partner organisations satisfy the highest practical standards for handling patient information.  Acting as the “conscience” of an organisation, the Guardian actively supports work to facilitate and enable information sharing, and is available to advise on options for lawful and ethical processing of information as required.  

More information

  • Trust policies and procedures
  • NHS Code of Practice: Confidentiality
  • NHS Code of Practice: Records Management
  • NHS Code of Practice: Information Security Management

Information Governance (IG)

  • Head of Integrated Governance/Data Protection Officer – Fiona Smith Tel 01625 663934 Email:
  • Julie Green, Director of Corporate Affairs and Governance/SIRO
  • Dr John Hunter, Interim Medical Director
  • Dr Susan Knight, Caldicott Guardian Email:
  • Heather Pope Deputy Caldicot Guardian
  • IT Security
  • Information Commissioners Office

Thank you for all your assistance in trying to improve our information security.

Internal Links

External Links